Introduction
Este documento descreve um problema comum encontrado ao configurar o Cisco Cloud Web Security (CWS) (anteriormente conhecido como ScanSafe) em Cisco Adaptive Security Appliances (ASAs) versões 9.0 e posteriores.
Com o CWS, o ASA redireciona transparentemente HTTP e HTTPS selecionados para um servidor proxy do CWS. Os administradores podem permitir, bloquear ou avisar os usuários finais para protegê-los contra malware com a configuração apropriada das políticas de segurança no portal CWS.
Prerequisites
Requirements
A Cisco recomenda que você tenha conhecimento dessas configurações:
- Cisco ASAs via CLI e/ou Adaptive Security Device Manager (ASDM)
- Cisco Cloud Web Security no Cisco ASAs
Componentes Utilizados
As informações neste documento são baseadas no Cisco ASAs.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Diagrama de Rede
Problema
Um problema comum encontrado ao configurar o Cisco CWS no ASA ocorre quando os servidores da Web internos ficam inacessíveis através do ASA. Por exemplo, aqui está um exemplo de configuração que corresponde à topologia ilustrada na seção anterior:
hostname ASA1
!
<snip>
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
<snip>
object network inside-network
subnet 192.168.1.0 255.255.255.0
object network web-server
host 192.168.1.10
!
<snip>
access-list outside_access_in permit tcp any host 192.168.1.10 eq www
access-list outside_access_in permit tcp any host 192.168.1.10 eq https
access-list http-traffic extended permit tcp any any eq www
access-list https-traffic extended permit tcp any any eq https
!
<snip>
scansafe general-options
server primary fqdn proxy193.scansafe.net port 8080
server backup fqdn proxy1363.scansafe.net port 8080
retry-count 5
license <license key>
!
<snip>
object network inside-network
nat (inside,outside) dynamic interface
object network web-server
nat (inside,outside) static 10.1.1.10
!
access-group outside_access_in in interface outside
!
<snip>
class-map http-class
match access-list http_traffic
class-map https-class
match access-list https_traffic
!
policy-map type inspect scansafe http-pmap
parameters
http
policy-map type inspect scansafe https-pmap
parameters
https
!
policy-map outside-policy
class http-class
inspect scansafe http-pmap fail-close
class https-class
inspect scansafe https-pmap fail-close
!
service-policy outside-policy interface inside
Com essa configuração, o servidor web interno externo que usa o endereço IP 10.1.1.10 pode se tornar inacessível. Esse problema pode ser causado por vários motivos, como:
- O tipo de conteúdo hospedado no servidor Web.
- O certificado SSL (Secure Socket Layer) do servidor Web não é confiável pelo servidor proxy CWS.
Solução
O conteúdo hospedado em qualquer servidor interno é geralmente considerado confiável. Portanto, não é necessário verificar o tráfego para esses servidores com CWS. Você pode adicionar tráfego a esses servidores internos na lista permitida com esta configuração:
ASA1(config)# object-group network ScanSafe-bypass
ASA1(config-network-object-group)# network-object host 192.168.1.10
ASA1(config-network-object-group)# exit
ASA1(config)# access-list http_traffic line 1 deny tcp
any object-group ScanSafe-bypass eq www
ASA1(config)# access-list https_traffic line 1 deny tcp
any object-group ScanSafe-bypass eq https
Com essa configuração, o tráfego para o servidor web interno em 192.168.1.10 nas portas TCP 80 e 443 não são mais redirecionados para os servidores proxy CWS. Se houver vários servidores desse tipo na rede, você poderá adicioná-los ao grupo de objetos chamado ScanSafe-bypass.
Configuração final
Aqui está um exemplo da configuração final:
hostname ASA1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
object network inside-network
subnet 192.168.1.0 255.255.255.0
object network web-server
host 192.168.1.10
object-group network ScanSafe-bypass
network-object host 192.168.1.10
!
access-list outside_access_in permit tcp any host 192.168.1.10 eq www
access-list outside_access_in permit tcp any host 192.168.1.10 eq https
access-list http_traffic deny tcp any object-group ScanSafe-bypass eq www
access-list http-traffic extended permit tcp any any eq www
access-list https_traffic deny tcp any object-group ScanSafe-bypass eq https
access-list https-traffic extended permit tcp any any eq https
!
scansafe general-options
server primary fqdn proxy193.scansafe.net port 8080
server backup fqdn proxy1363.scansafe.net port 8080
retry-count 5
license
!
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
!
object network inside-network
nat (inside,outside) dynamic interface
object network web-server
nat (inside,outside) static 10.1.1.10
!
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 10.1.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
class-map http-class
match access-list http_traffic
class-map https-class
match access-list https_traffic
!
policy-map type inspect scansafe
http-pmap
parameters
http
policy-map type inspect scansafe https-pmap
parameters
https
!
policy-map inside-policy
class http-class
inspect scansafe http-pmap fail-close
class https-class
inspect scansafe https-pmap fail-close
!
service-policy inside-policy interface inside
Informações Relacionadas