09 July 2016

WSA WCCP for ASA Configuration Example

This post describes how to configure the Web Cache Communication Protocol (WCCP) for the Cisco Adaptive Security Appliance (ASA) through the Cisco Web Security Appliance (WSA). The diagram below was used:



ASA Configuration Example

Complete these steps in order to configure WCCP on the ASA so that it redirects web traffic to the WSA:

Enter these commands in order to use the default service group web-cache (the standard service, which covers only HTTP traffic to destination port 80):
wccp web-cache
wccp interface inside web-cache redirect in

Alternatively, enter this command in order to use a dynamic service group ID (91 in the rest of this example) for the redirection of both HTTP and HTTPS traffic. The redirect-list selects which traffic is redirected and the group-list restricts which WCCP clients may join the service group:
wccp 91 redirect-list wccp-hosts group-list wccp-routers

Enter this command instead in order to enable WCCP authentication, so that only WCCP clients that know the shared password can join service group 91 (replace xxxx with the shared secret; the same password must be configured on the WSA):
wccp 91 redirect-list wccp-hosts group-list wccp-routers password xxxx

The redirect access list (wccp-hosts) selects the traffic that is redirected; a deny entry in it means "do not redirect", not "drop". Configure it so that traffic whose destination IP address is a WSA itself is excluded from redirection; otherwise traffic sent directly to a WSA would be redirected again. This is particularly useful when the ASA is configured in order to redirect traffic to multiple WSAs. For example, the WSAs might be assigned these IP addresses:

WSA1 IP address = 10.0.0.1
WSA2 IP address = 10.0.0.2

Enter these commands in order to configure the access list to deny the traffic:
access-list wccp-hosts extended deny tcp any host 10.0.0.1
access-list wccp-hosts extended deny tcp any host 10.0.0.2

Enter this command in order to allow the HTTP traffic to be redirected:
access-list wccp-hosts extended permit tcp any any eq www

Enter this command in order to allow the HTTPS traffic to be redirected:
access-list wccp-hosts extended permit tcp any any eq https

Enter these commands in order to define the WSAs that are allowed to participate in the WCCP communication:
access-list wccp-routers standard permit host 10.0.0.1
access-list wccp-routers standard permit host 10.0.0.2

If the wccp command does not accept the standard wccp-routers access list as the group-list, then an extended access list might be needed. Enter these commands in order to configure the extended access list instead:
access-list wccp-routers extended permit ip host 10.0.0.1 any
access-list wccp-routers extended permit ip host 10.0.0.2 any

Enter this command in order to apply the configuration:
wccp interface inside 91 redirect in
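The two access lists above do different jobs, and the order of the entries in wccp-hosts matters. The following Python script is an added example, not part of the original post or of the ASA: it models how the ASA evaluates the post's redirect-list and group-list against constructed flows, so you can see that a deny in the redirect-list only excludes traffic from redirection (it never drops it), that an unmatched flow hits the implicit deny and is forwarded normally, and that swapping the deny and permit lines would redirect WSA-bound traffic back to a WSA. The first-match semantics, the client address 192.168.1.10 and the destination 93.184.216.34 are assumptions for the example; interface, state and NAT are ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of how the ASA evaluates the two access lists from the post.
# Assumptions (not from the page): entries are checked top-down and the first
# match wins; a redirect-list "deny" means "forward normally, do not redirect"
# and never drops; an unmatched flow hits the implicit deny and is not
# redirected. Interface, state and NAT are ignored: this is only ACL selection.


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ip" ("ip" matches every protocol)
    src: str                     # "any" or an address/prefix, e.g. "10.0.0.1/32"
    dst: str                     # "any" or an address/prefix
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (
            self.proto in ("ip", proto)
            and _addr_matches(self.src, src)
            and _addr_matches(self.dst, dst)
            and (self.dport is None or self.dport == dport)
        )


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


WSA_ADDRESSES = ["10.0.0.1", "10.0.0.2"]   # WSA1 and WSA2 from the post

# access-list wccp-hosts (the redirect-list): the deny lines must precede the permits
WCCP_HOSTS: List[Ace] = [
    Ace("deny", "tcp", "any", "10.0.0.1/32"),    # deny tcp any host 10.0.0.1
    Ace("deny", "tcp", "any", "10.0.0.2/32"),    # deny tcp any host 10.0.0.2
    Ace("permit", "tcp", "any", "any", 80),      # permit tcp any any eq www
    Ace("permit", "tcp", "any", "any", 443),     # permit tcp any any eq https
]

# access-list wccp-routers (the group-list, extended form): which WCCP clients may join
WCCP_ROUTERS: List[Ace] = [
    Ace("permit", "ip", wsa + "/32", "any") for wsa in WSA_ADDRESSES
]


def acl_permits(acl, proto, src, dst, dport=None) -> bool:
    """First matching entry decides; no match at all means the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False


def is_redirected(proto, src, dst, dport) -> bool:
    """Would the ASA hand this client flow to a WSA via service group 91?"""
    return acl_permits(WCCP_HOSTS, proto, src, dst, dport)


def may_join_service_group(wsa_ip) -> bool:
    """Is a WCCP client with this source address accepted into the group?
    The group-list is matched on the client's source address only."""
    return acl_permits(WCCP_ROUTERS, "ip", wsa_ip, "0.0.0.0")


if __name__ == "__main__":
    client = "192.168.1.10"   # constructed inside-host address
    for dst, port in [("93.184.216.34", 80), ("93.184.216.34", 443),
                      ("93.184.216.34", 22), ("10.0.0.1", 80)]:
        print(f"{client} -> {dst}:{port}: redirected={is_redirected('tcp', client, dst, port)}")
    for ip in WSA_ADDRESSES + ["10.0.0.9"]:
        print(f"WCCP client {ip}: accepted={may_join_service_group(ip)}")
```

Running it shows HTTP and HTTPS to an outside host redirected, SSH to the same host and any UDP left alone, a connection addressed to WSA1 on port 80 left alone because the deny line is hit first, and a WCCP client at an address outside wccp-routers refused. Reversing the order of WCCP_HOSTS makes the WSA-bound flow match the permit first, which is the loop the deny lines exist to prevent.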

WSA Configuration Example

The original post showed the WSA side as screenshots, which are not reproduced here. On the WSA, configure the WCCP service to match the ASA: the same service ID (91) and, if WCCP authentication is used, the same password, with the ASA as the WCCP router, and commit all changes.

biOos

 

07 July 2016

WSA - Bypass CACHE URLs

Specifying Domains or URLs that the Web Proxy never Caches

 1. Access the CLI.
 2. Use the webcache -> ignore commands to access the required submenus:

example.com> webcache

Choose the operation you want to perform:
- EVICT - Remove URL from the cache
- DESCRIBE - Describe URL cache status
- IGNORE - Configure domains and URLs never to be cached
[]> ignore

Choose the operation you want to perform:
- DOMAINS - Manage domains
- URLS - Manage urls
[]>

 3. Enter the address type you wish to manage: DOMAINS or URLS.

[]> urls

Manage url entries:

Choose the operation you want to perform:
- DELETE - Delete entries
- ADD - Add new entries
- LIST - List entries
[]>

 4. Enter add to add new entries:

[]> add
Enter new url values; one on each line; an empty line to finish
[]>

 5. Enter domains or URLs, one per line; for example:

Enter new url values; one on each line; an empty line to finish
[]> www.example1.com
Enter new url values; one on each line; an empty line to finish
[]>

You can include certain regular expression (regex) characters when you specify domains or URLs. With the DOMAINS option, you can use a preceding dot character to exempt an entire domain and its subdomains from caching. For example, you can enter .google.com rather than simply google.com to exempt www.google.com, docs.google.com, and so on.

With the URLS option, you can use the full suite of regular-expression characters.

 6. When you are finished entering values, press Enter until you are returned to the main command-line interface.

 7. Commit your changes.
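To make the difference between the two entry types concrete, the following Python script is an added example, not part of the original post or of the appliance: it models a no-cache check against constructed DOMAINS and URLS lists. The matching rules are my reading of the text above (a leading dot covers the domain and all its subdomains, an entry without it matches that one host only, a URLS entry is a regular expression searched against the full URL); the list contents and the test URLs are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed no-cache lists in the two forms the post describes. Assumed
# semantics (my reading of the text, not the appliance's own code): a DOMAINS
# entry with a leading dot covers that domain and all of its subdomains, an
# entry without it matches that one host only; a URLS entry is a regular
# expression searched against the full request URL.

DOMAINS = [".google.com", "intranet.example.net"]
URLS = [
    r"^https?://www\.example1\.com/",   # the post's example, anchored to the host
    r"/api/v[0-9]+/session\b",          # any versioned session endpoint
]


def domain_matches(entry: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        # ".google.com" covers google.com itself and every subdomain,
        # but not notgoogle.com (the suffix check includes the dot)
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def never_cache(url: str, domains=DOMAINS, urls=URLS) -> bool:
    """True if the web proxy should not cache the response for this URL."""
    host = urlsplit(url).hostname or ""
    if any(domain_matches(d, host) for d in domains):
        return True
    return any(re.search(pattern, url) for pattern in urls)


if __name__ == "__main__":
    for u in ["http://docs.google.com/", "http://notgoogle.com/",
              "http://www.example1.com/page",
              "https://shop.example.org/api/v2/session?id=1"]:
        print(f"{u}: never_cache={never_cache(u)}")
```

Anchoring the URL regex with ^ matters: an unanchored www\.example1\.com would also match any URL that merely carries that host in a query string.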

biOos

Ironport WSA Overview

Get advanced threat defense, advanced malware protection, application visibility and control, insightful reporting, and secure mobility. The Cisco Web Security Appliance (WSA) combines all of these forms of protection and more in a single solution. The WSA also helps to secure and control web traffic, while simplifying deployment and reducing costs.

The Cisco Web Security Appliance intercepts and monitors internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other internet-based threats.

The Cisco SensorBase Network

The Cisco SensorBase Network is a threat management database that tracks millions of domains around the world and maintains a global watch list for Internet traffic. SensorBase provides Cisco with an assessment of reliability for known Internet domains. The Web Security appliance uses the SensorBase data feeds to improve the accuracy of Web Reputation Scores.

Web Proxy IP Spoofing

When the web proxy forwards a request, it changes the request source IP address to match its own address by default. This increases security, but you can change this behavior by implementing IP spoofing, so that requests retain their source address and appear to originate from the source client rather than from the Web Security appliance. IP spoofing works for transparent and explicitly forwarded traffic. When the Web Proxy is deployed in transparent mode, you have the choice to enable IP spoofing for transparently redirected connections only or for all connections (transparently redirected and explicitly forwarded). If explicitly forwarded connections use IP spoofing, you should ensure that you have appropriate network devices to route return packets back to the Web Security appliance. When IP spoofing is enabled and the appliance is connected to a WCCP router, you must configure two WCCP services: one based on source ports and one based on destination ports.


biOos