
Document ID: 116437
Updated: Sep 26, 2013
Contributed by Justin Teixeira, Cisco TAC Engineer.
Introduction
This document describes how to configure a Cisco Adaptive Security Appliance (ASA) Connector in order to exclude traffic from Cloud Web Security (CWS) inspection based on the Fully Qualified Domain Name (FQDN). It is often advantageous to exclude certain sites from CWS inspection entirely (in order to bypass the service and forward the requests to the destination) if the sites in question are mission-critical and/or trusted absolutely. This decreases load and overhead on the Connector device, eliminates a point of failure, and increases speed when you access the sites. Each Connector technology has a unique way to configure exclusions.
Prerequisites
Requirements
This document assumes that the ASA is already configured for basic network connectivity and CWS service.
Components Used
The information in this document is based on these software and hardware versions:
- ASA Versions 9.0 and Later
- All ASA Models
The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.
Configure
1. Before you configure FQDN-based exclusions, the ASA must be configured with a valid Domain Name Server (DNS). In order to configure name lookup, enter these commands:

asa(config)# domain-name <company domain>
asa(config)# dns server-group DefaultDNS
asa(config-dns-server-group)# name-server <DNS Server IP>
asa(config-dns-server-group)# dns domain-lookup <interface-name>

Replace the <company domain> field with the domain in which the ASA resides. The <DNS Server IP> is the address of a functional DNS server which the ASA can reach, and the <interface-name> is the name of the interface through which the DNS server is reached.

2. In order to verify the DNS lookup functionality, enter the ping command. The ping command should be able to resolve the provided name to an IP address.
asa# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.84, timeout is 2 seconds:
!!!!!

3. In order to define a network object for each FQDN that should be excluded from CWS inspection, enter these commands:
asa(config)# object network google.com-obj
asa(config-network-object)# fqdn google.com
asa(config-network-object)# object network purple.com-obj
asa(config-network-object)# fqdn purple.com
asa(config-network-object)# object network m.youtube.com-obj
asa(config-network-object)# fqdn m.youtube.com

4. In order to tie the objects together into a single object group, enter these commands:
asa(config)# object-group network CWS_Exclusions
asa(config-network-object-group)# network-object object google.com-obj
asa(config-network-object-group)# network-object object purple.com-obj
asa(config-network-object-group)# network-object object m.youtube.com-obj

5. Add an access control entry (ACE) to the Access Control List (ACL) referenced by the CWS class map. For example, the current access list might look like this:
access-list http-c extended permit tcp any any eq www
access-list http-c extended permit tcp any any eq 8080
In order to add the exemptions, place a deny entry at the top of the list that references the object group created in step 4:

asa(config)# access-list http-c line 1 extended deny ip any object-group CWS_Exclusions

In order to verify that the access list has been constructed correctly, enter the show access-list command:

asa# show access-list http-c
access-list http-c; 4 elements; name hash: 0xba5a06bc
access-list http-c line 1 extended deny ip any object-group CWS_Exclusions (hitcnt=0) 0x6161e951
  access-list http-c line 1 extended deny ip any fqdn google.com (unresolved) (inactive) 0x48f9ca9e
  access-list http-c line 1 extended deny ip any fqdn purple.com (unresolved) (inactive) 0x1f8c5c7c
  access-list http-c line 1 extended deny ip any fqdn m.youtube.com (unresolved) (inactive) 0xee068711
access-list http-c line 2 extended permit tcp any any eq www (hitcnt=0) 0xe21092a9
access-list http-c line 3 extended permit tcp any any eq 8080 (hitcnt=0) 0xe218c5a3
Configurations
Initial Configuration
This configuration contains only the relevant lines.
...
access-list http-c extended permit tcp any any eq www
access-list http-c extended permit tcp any any eq 8080
!
scansafe general-options
server primary ip 192.168.100.1 port 8080
retry-count 5
license eNdoHF0rNadO4kSf encrypted
!
class-map CWS_HTTP_Traffic
match access-list http-c
!
policy-map type inspect scansafe CWS_HTTP
parameters
default group Default_ASA_Group
http
policy-map CWS_HTTP_Inspection
class CWS_HTTP_Traffic
inspect scansafe CWS_HTTP fail-open
!
service-policy CWS_HTTP_Inspection interface Inside
...
Final Configuration
This configuration contains only the relevant lines.
...
domain-name company.com
dns server-group DefaultDNS
name-server 10.0.0.1
dns domain-lookup Outside
!
object network google.com-obj
fqdn google.com
object network purple.com-obj
fqdn purple.com
object network m.youtube.com-obj
fqdn m.youtube.com
!
object-group network CWS_Exclusions
network-object object google.com-obj
network-object object purple.com-obj
network-object object m.youtube.com-obj
!
access-list http-c extended deny ip any object-group CWS_Exclusions
access-list http-c extended permit tcp any any eq www
access-list http-c extended permit tcp any any eq 8080
!
scansafe general-options
server primary ip 192.168.100.1 port 8080
retry-count 5
license eNdoHF0rNadO4kSf encrypted
!
class-map CWS_HTTP_Traffic
match access-list http-c
!
policy-map type inspect scansafe CWS_HTTP
parameters
default group Default_ASA_Group
http
policy-map CWS_HTTP_Inspection
class CWS_HTTP_Traffic
inspect scansafe CWS_HTTP fail-open
!
service-policy CWS_HTTP_Inspection interface Inside
...
Verify
In order to verify the access list that defines the traffic inspected by CWS, enter the show access-list <acl-name> command:
asa# show access-list http-c
access-list http-c; 17 elements; name hash: 0xba5a06bc
access-list http-c line 1 extended deny ip any object-group CWS_Exclusions (hitcnt=0) 0x6161e951
  access-list http-c line 1 extended deny ip any fqdn google.com (resolved) 0x48f9ca9e
  access-list http-c line 1 extended deny ip any fqdn purple.com (resolved) 0x1f8c5c7c
  access-list http-c line 1 extended deny ip any fqdn m.youtube.com (resolved) 0xee068711
  access-list http-c line 1 extended deny ip any host 153.104.63.227 (purple.com) (hitcnt=0) 0x5b6c3170
  access-list http-c line 1 extended deny ip any host 74.125.228.97 (m.youtube.com) (hitcnt=0) 0x8f20f731
  access-list http-c line 1 extended deny ip any host 74.125.228.98 (m.youtube.com) (hitcnt=0) 0x110e4163
  access-list http-c line 1 extended deny ip any host 74.125.228.99 (m.youtube.com) (hitcnt=0) 0x5a188b6f
  access-list http-c line 1 extended deny ip any host 74.125.228.100 (m.youtube.com) (hitcnt=0) 0xa27504c4
  access-list http-c line 1 extended deny ip any host 74.125.228.101 (m.youtube.com) (hitcnt=0) 0x714d36b9
  access-list http-c line 1 extended deny ip any host 74.125.228.102 (m.youtube.com) (hitcnt=0) 0x158951c0
  access-list http-c line 1 extended deny ip any host 74.125.228.103 (m.youtube.com) (hitcnt=0) 0x734a5b42
  access-list http-c line 1 extended deny ip any host 74.125.228.104 (m.youtube.com) (hitcnt=0) 0xeeed1641
  access-list http-c line 1 extended deny ip any host 74.125.228.105 (m.youtube.com) (hitcnt=0) 0x0b4b1eb3
  access-list http-c line 1 extended deny ip any host 74.125.228.110 (m.youtube.com) (hitcnt=0) 0x2b0e5275
  access-list http-c line 1 extended deny ip any host 74.125.228.96 (m.youtube.com) (hitcnt=0) 0x315ed3b2
access-list http-c line 2 extended permit tcp any any eq www (hitcnt=0) 0xe21092a9
access-list http-c line 3 extended permit tcp any any eq 8080 (hitcnt=0) 0xe218c5a3
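As an added check on the show access-list output shown in step 5 and in this Verify section (this script is not part of Cisco's document), the Python below parses a constructed sample modelled on that output and reports any FQDN whose deny entry is still (unresolved) and therefore (inactive), which means traffic to that site is still being sent to CWS rather than bypassed. The sample text and the hit counts in it are constructed; the regular expressions assume the single-line entry format the ASA prints.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample modelled on the "show access-list http-c" output on this
# page: google.com is still unresolved (inactive ACE), m.youtube.com is resolved.
SAMPLE_OUTPUT = """\
access-list http-c; 7 elements; name hash: 0xba5a06bc
access-list http-c line 1 extended deny ip any object-group CWS_Exclusions (hitcnt=0) 0x6161e951
  access-list http-c line 1 extended deny ip any fqdn google.com (unresolved) (inactive) 0x48f9ca9e
  access-list http-c line 1 extended deny ip any fqdn m.youtube.com (resolved) 0xee068711
  access-list http-c line 1 extended deny ip any host 74.125.228.97 (m.youtube.com) (hitcnt=0) 0x8f20f731
  access-list http-c line 1 extended deny ip any host 74.125.228.98 (m.youtube.com) (hitcnt=3) 0x110e4163
access-list http-c line 2 extended permit tcp any any eq www (hitcnt=0) 0xe21092a9
access-list http-c line 3 extended permit tcp any any eq 8080 (hitcnt=0) 0xe218c5a3
"""

FQDN_RE = re.compile(r"extended deny ip any fqdn (\S+) \((resolved|unresolved)\)")
HOST_RE = re.compile(r"extended deny ip any host (\S+) \((\S+)\) \(hitcnt=(\d+)\)")

class FqdnStatus(NamedTuple):
    resolved: bool
    hosts: List[str]   # addresses the ASA expanded the FQDN into
    hits: int          # total hits across those expanded host entries

def parse_exclusions(show_output: str) -> Dict[str, FqdnStatus]:
    """Return the state of every FQDN deny entry found in a show access-list dump."""
    status: Dict[str, FqdnStatus] = {}
    for line in show_output.splitlines():
        m = FQDN_RE.search(line)
        if m:
            fqdn, state = m.groups()
            status[fqdn] = FqdnStatus(state == "resolved", [], 0)
            continue
        m = HOST_RE.search(line)
        if m:  # expanded host entry: attribute it back to its FQDN
            addr, fqdn, hits = m.groups()
            cur = status.get(fqdn, FqdnStatus(True, [], 0))
            status[fqdn] = FqdnStatus(cur.resolved, cur.hosts + [addr], cur.hits + int(hits))
    return status

def unresolved_fqdns(show_output: str) -> List[str]:
    """FQDNs whose deny ACE is inactive, so their traffic is still inspected by CWS."""
    return sorted(f for f, s in parse_exclusions(show_output).items() if not s.resolved)

if __name__ == "__main__":
    print("still inspected by CWS:", unresolved_fqdns(SAMPLE_OUTPUT))
```

Run it against the saved output of show access-list on your own ASA; an empty list means every exclusion has been resolved and is in effect.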
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.