Cisco ASA Series Cli Configuration Manual page 1398

Configuration Examples for Cisco Cloud Web Security
hostname(cfg-scansafe)# server primary ip 192.168.115.225 web 8080
hostname(cfg-scansafe)# retry-count 5
hostname(cfg-scansafe)# license 366C1D3F5CE67D33D3E9ACEC265261E5
Multiple Mode Example
The following example enables Cloud Web Security in context one with the default license and in context
two with the authentication key override:
! System Context
!
hostname(config)#scansafe general-options
hostname(cfg-scansafe)#server primary ip 180.24.0.62 port 8080
hostname(cfg-scansafe)#retry-count 5
hostname(cfg-scansafe)#license FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
hostname(cfg-scansafe)#publickey <path to public key>
!
context one
allocate-interface GigabitEthernet0/0.1
allocate-interface GigabitEthernet0/1.1
allocate-interface GigabitEthernet0/3.1
scansafe
config-url disk0:/one_ctx.cfg
!
context two
allocate-interface GigabitEthernet0/0.2
allocate-interface GigabitEthernet0/1.2
allocate-interface GigabitEthernet0/3.2
scansafe license 366C1D3F5CE67D33D3E9ACEC265261E5
!
config-url disk0:/two_ctx.cfg
!
Whitelist Example
Configure what access-list traffic should be sent to Cloud Web Security:
access-list 101 extended permit tcp any4 any4 eq www
access-list 102 extended permit tcp any4 any4 eq https
class-map web
match access-list 101
class-map https
match access-list 102
To configure the whitelist to ensure user1 is in this access-list range to bypass Cloud Web Security:
class-map type inspect scansafe match-any whiteListCmap
match user LOCAL\user1
To attach class-maps to the Cloud Web Security Policy map:
policy-map type inspect scansafe ss
parameters
default user user1 group group1
http
class whiteListCmap
whitelist
policy-map type inspect scansafe ss2
Cisco ASA Series CLI Configuration Guide
1-18
Chapter 1 Configuring the ASA for Cisco Cloud Web Security