IronPort Web Security Appliance (WSA) with Cisco ASA (Filtering)





Technology Overview

The Cisco IronPort Web Security Appliance (WSA) is a web proxy that works
with other Cisco network components to monitor and control outbound
requests for Web content and scrubs return traffic for unwanted or malicious
content (Figure 1).
Figure 1. Logical Traffic Flow Using WSA

The Cisco WSA is deployed on a network using one or more interfaces that
are used to forward requests and responses. Traffic can be directed to the
WSA using either explicit proxies configured on the end host, or using a
network protocol like Web Cache Control Protocol (WCCP) running on an
inline device like the perimeter firewall or router.








Configration example


1. Allow the Ironport out through the firewall:

access-list acl_inside extended permit tcp host 192.168.1.1 any 

2. Create a new acl containing the members of the wccp group. in our example, it is just 1 Ironport

access-list ironport-allow extended permit ip host 192.168.1.1 any

3. Create an acl that defines what traffic should be redirected to the Ironport

access-l ironport-forward extended permit tcp 192.168.1.0 255.255.255.0 any eq http

4. Configure wccp

wccp web-cache group-list ironport-allow redirect-list ironport-forward

5. Enable wccp on an interface.

wccp interface inside web-cache redirect in

6. Confirm configuration

show wccp

On the Ironport:
Network>Transparent Redirection
Choose WCCP v2 router> click Submit
Select Add service
Click Create a standard service ID, enter the ASA IP address in the box provided

Submit changes

Comments

  1. UnknownJune 20, 2013 at 11:22 PM

    Hi,

    Our company has installed Cyberoam Web Filtering that detects and blocks third-party proxy and tunnelling software, Google cache pages, embedded URLs and ‘safe search’ over search engines to prevent harmful websites from appearing in search results. is the product better than Cisco ASA (Filtering), please let me know,

    ReplyDelete

Post a Comment

Popular posts from this blog

Cisco asa activation key issue

"the client has got a replacement on asa. should get a new activation key . old key will work only with old asa not the new asa(Replacement)" client error "Our team tried to log a call of firewall for the location where it was replaced, but it is showing the below error. The service you have requested is outside of service parameters associated with Cisco.com profile  ACC CMU Bargarh Firewall JMX1235L2FX " Solution First of all you need to be sure that you used the correct activation-key for the correct device. The activation-key is based on the serial number and must be generated by the licensing team. Lost activation-key:  The activation-key can be regenerated by licensing team. You need to send the serial number and/or PAK number to  licensing@cisco.com  . May be licensing team could request from you different information like contract number in case. License key is correct, but not take effect:  If you see the correct act
Read more

Compare Barracuda Firewalls

Image
Compare Barracuda Firewalls Models: X100 X200 X300 X400 X600 CAPACITY Maximum Firewall Throughput 800 Mbps 1.0 Gbps 1.5 Gbps 2.5 Gbps 5.0 Gbps VPN Throughput 100 Mbps 200 Mbps 300 Mbps 400 Mbps 700 Mbps IPS Throughput 100 Mbps 200 Mbps 300 Mbps 800 Mbps 2.0 Gbps Maximum Concurrent Sessions 8,000 60,000 120,000 300,000 500,000 Maximum New Sessions 2000 8,000 12,000 15,000 20,000 HARDWARE : Form Factor Desktop Desktop 1U Rack Mount 1U Rack Mount 1U Rack Mount Dimensions (in.) 10.7 x 7.7 x 1.7 10.7 x 7.7 x 1.7 16.8 x 9.4 x 1.7 16.8 x 15.9 x 1.7 16.8 x 15.9 x 1.7 Weight (lbs.) 5.1 5.1 7.5 11.3 11.3 Ports 4 x GbE copper 4 x GbE copper 6 x GbE copper 8 x GbE copper 8 x GbE copper Power Supply Single external Single external Single internal Single internal Single internal Integrated Wi-Fi Access Point X101 X201 - - - 3G USB Modem Optional Optional Optional Optional Optional FEATURES: Firewall IPSec VPN (Client-to-site) IPSec VPN (Site-to-site) Application
Read more