Cisco Web Security (CWS)

Cisco Web Security (formerly ScanSafe) is a cloud-based web filtering solution. It works well and integrates with AnyConnect, so travelling users also receive the policy. Here’s a basic config (on an ASA).

One of the things we have to do is configure an ACL on our ASA to permit Cisco’s servers (the CWS "towers") access to our Active Directory. The towers perform an LDAP lookup for the username and group membership. You can get the list of tower addresses from your ScanSafe portal (the addresses are omitted below).

object-group network SCANSAFE_TOWERS
description Permit CWS Towers to access LDAP for Authentication
network-object host
network-object host
network-object host
network-object host
network-object host
network-object host
network-object host

Best practice dictates that you create a source whitelist (i.e. internal hosts that should never be redirected to CWS) and a destination whitelist (i.e. public hosts that should never be redirected).

object-group network SOURCE_WHITELIST
description Hosts that are whitelisted
network-object host

We specifically whitelist internal (RFC 1918) destinations so they will never be blocked. Because the DESTINATION_WHITELIST group nests RFC-1918 with group-object, the RFC-1918 group must be defined first (its network-object entries are omitted here).

object-group network RFC-1918

object-group network DESTINATION_WHITELIST
description Websites/IP's that are whitelisted
group-object RFC-1918

Finally we create the access lists. Note that we only specify TCP 80 and TCP 443, since those are the only protocols currently supported. When these ACLs are matched by the class maps later on, a deny entry excludes the flow from CWS redirection and a permit entry sends it to the towers, so the whitelist denies must sit above the final permit.

access-list HTTP extended deny tcp object-group SOURCE_WHITELIST any eq www 
access-list HTTP extended deny tcp any object-group DESTINATION_WHITELIST eq www 
access-list HTTP extended permit tcp any any eq www 
access-list HTTPS extended deny tcp object-group SOURCE_WHITELIST any eq https 
access-list HTTPS extended deny tcp any object-group DESTINATION_WHITELIST eq https 
access-list HTTPS extended permit tcp any any eq https
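The following is an added example, not part of the original post and not Cisco code: a small Python model of how the ASA evaluates the two ACLs above top-down and how the class maps turn the result into "redirect to CWS" or "bypass". The addresses in the object-groups are constructed placeholders (the post omits them); the RFC 1918 ranges are the standard ones.

```python
import ipaddress

# Constructed sample object-groups (placeholders, not the post's real values).
RFC_1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOURCE_WHITELIST = [ipaddress.ip_network("10.1.1.50/32")]            # hypothetical exempt internal host
DESTINATION_WHITELIST = [ipaddress.ip_network("203.0.113.10/32")] + RFC_1918  # group-object RFC-1918 nested

PORTS = {"www": 80, "https": 443}


def build_acl(port_name):
    """Mirror the post's ACL: deny source whitelist, deny destination whitelist, permit rest.
    Each ACE is (action, source group or None for 'any', destination group or None, dst port)."""
    port = PORTS[port_name]
    return [
        ("deny", SOURCE_WHITELIST, None, port),
        ("deny", None, DESTINATION_WHITELIST, port),
        ("permit", None, None, port),
    ]


ACLS = {"HTTP": build_acl("www"), "HTTPS": build_acl("https")}


def in_group(addr, group):
    """'any' (None) matches everything; otherwise test membership in any network of the group."""
    if group is None:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in net for net in group)


def acl_lookup(acl, src, dst, dport):
    """ASA ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    for action, src_grp, dst_grp, port in acl:
        if port == dport and in_group(src, src_grp) and in_group(dst, dst_grp):
            return action
    return "deny"


def cws_redirected(src, dst, dport):
    """True if a TCP flow would be sent to the CWS tower.
    In a 'match access-list' class map, a permit ACE means the flow matches the class and is
    inspected by scansafe; a deny ACE (or no match) means the flow bypasses the inspection."""
    acl = {80: ACLS["HTTP"], 443: ACLS["HTTPS"]}.get(dport)
    if acl is None:
        return False          # only TCP 80/443 are classified at all
    return acl_lookup(acl, src, dst, dport) == "permit"


if __name__ == "__main__":
    # Constructed flows to illustrate each branch of the ACL.
    flows = [
        ("10.1.1.20", "198.51.100.5", 80),    # ordinary user to public site: redirected
        ("10.1.1.50", "198.51.100.5", 80),    # whitelisted source: bypass
        ("10.1.1.20", "10.2.0.9", 443),       # RFC 1918 destination: bypass
        ("10.1.1.20", "203.0.113.10", 443),   # whitelisted public destination: bypass
        ("10.1.1.20", "198.51.100.5", 8080),  # unsupported port: never classified
    ]
    for src, dst, dport in flows:
        print(f"{src:>12} -> {dst:>14}:{dport:<5} cws={cws_redirected(src, dst, dport)}")
```

Running the script shows why the ACE order matters: swapping the permit above the denies would send the whitelisted flows to the towers, and a typo in the source whitelist silently turns a bypass into a redirect rather than failing loudly.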

Next we start the CWS configuration. The server FQDNs and port you need to enter are provided to you by Cisco via email when you sign up for the service (the FQDNs are omitted below). The license key is also included in that email and is available in the portal. You will also need to configure an internal DNS server on the ASA so it can resolve the tower names.

scansafe general-options
 server primary fqdn port 8080
 server backup fqdn port 8080
 retry-count 5
 license ************** encrypted

Our next step is to configure AAA on the ASA and have it point to our Active Directory. This example covers connecting to one server; for redundancy, configure at least two. Note that port 389 is cleartext LDAP, so the bind account’s password (ldap-login-password) crosses the inside network unencrypted; keep that account a low-privilege, read-only one.

aaa-server ActiveDirectory (inside) host MY-DC1
 server-port 389
 ldap-base-dn DC=packetpros,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=ldap-asa,OU=Accounts-Service,OU=Accounts,DC=packetpros,DC=com
 server-type microsoft
 ldap-attribute-map LDAP-MAPS

Next we create an LDAP attribute map. This lets different AD groups map to different group policies. For example, if you’re a member of the ‘Users - Web Security’ group you will be mapped to the RegularUsers policy.

ldap attribute-map LDAP-MAPS
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=Users - Web Security,OU=Security,OU=Groups,DC=packetpros,DC=com" RegularUsers
 map-value memberOf "CN=Vendors - Web Security,OU=Security,OU=Groups,DC=packetpros,DC=com" NoCWS-GroupPolicy
 map-value memberOf "CN=Users - ANYCONNECT,OU=Security,OU=Groups,DC=packetpros,DC=com" GroupPolicy_ssl-vpn

Our next step is to configure the firewall for identity. We use CDA (Cisco Context Directory Agent) for this; the CDA-AGENT aaa-server group it references is not shown here. We configure ‘user-group’ entries to permit or deny users access to specific sites. For example, anyone who is a member of “CWS - Facebook” can access Facebook. If a user is not a member of the group, they continue down the list, and then down the CWS policy, to determine an action.

user-identity domain PACKET aaa-server ActiveDirectory
user-identity default-domain PACKET 
user-identity action netbios-response-fail remove-user-ip
user-identity ad-agent aaa-server CDA-AGENT
user-identity user-not-found enable
user-identity monitor user-group "PACKET\\CWS - Facebook"

Alright, we’re almost there. We need to create class maps that match the ACLs we built earlier.

class-map HTTPS-CWS
 match access-list HTTPS
class-map HTTP-CWS
 match access-list HTTP

Now we configure the scansafe inspection policy maps so we can apply them in the service policy next. The ‘default group’ value is the group name the ASA sends to the tower when it cannot determine the user’s identity.

policy-map type inspect scansafe HTTPS-PMAP
  default group TCP-443
policy-map type inspect scansafe HTTP-PMAP
  default group TCP-80

And the Layer 3/4 policy map that ties each class to its inspection. We can fail-open (permit all web traffic uninspected if the towers are unreachable) or fail-close (deny all web traffic). Each class map gets its own inspect statement; HTTPS traffic is matched by the HTTPS-CWS class, not the HTTP-CWS class.

policy-map inside-policy
 class HTTP-CWS
  inspect scansafe HTTP-PMAP fail-open
 class HTTPS-CWS
  inspect scansafe HTTPS-PMAP fail-open

The last step is to apply the service policy to the inside interface.

service-policy inside-policy interface inside

We can test that everything is working properly by opening a web browser and entering the CWS test URL (not shown here). You should receive a page that lists your username, the groups you belong to, and so on.

authUserName: CISCO\user
authenticated: true
companyName: Cisco
connectorGuid: ABC012345AB
connectorVersion: AP_ASA-x.x(x)
countryCode: US
groupNames:
- CISCO\Group
logicalTowerNumber: 1782
userName: CISCO\user
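As an added example (not from the original post or from Cisco), the following Python parses a response in the shape shown above and checks the two things that matter for policy enforcement: that the tower saw the user as authenticated, and that group names were returned, since an empty group list means the per-group CWS policy will not apply and the user falls through to the default. The "key: value" and "- item" layout is assumed from the sample above; both sample responses are constructed.

```python
# Constructed sample responses in the layout shown in the post (not real tower output).
SAMPLE_OK = """authUserName: CISCO\\user
authenticated: true
companyName: Cisco
connectorGuid: ABC012345AB
connectorVersion: AP_ASA-x.x(x)
countryCode: US
groupNames:
- CISCO\\Group
logicalTowerNumber: 1782
userName: CISCO\\user
"""

SAMPLE_NO_IDENTITY = """authenticated: false
companyName: Cisco
groupNames: []
logicalTowerNumber: 1782
"""


def parse_whoami(text):
    """Parse 'key: value' lines; a key with '[]' or no value starts a list whose items
    follow as '- item' lines (an en dash, as in the post's rendering, is accepted too)."""
    data = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("- ", "\u2013 ")) and current_list is not None:
            current_list.append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line; ignore
        key, value = key.strip(), value.strip()
        if value in ("", "[]"):
            data[key] = []
            current_list = data[key]
        else:
            data[key] = value
            current_list = None
    return data


def check_identity(data, expected_domain):
    """Return a list of problems; an empty list means identity mapping looks healthy."""
    problems = []
    if data.get("authenticated", "").lower() != "true":
        problems.append("tower did not see an authenticated user (identity not passed by the ASA)")
    user = data.get("authUserName", "")
    if not user.upper().startswith(expected_domain.upper() + "\\"):
        problems.append(f"authUserName {user!r} is not in domain {expected_domain}")
    if not data.get("groupNames"):
        problems.append("no groupNames returned; group-based CWS policy will not apply")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("no-identity", SAMPLE_NO_IDENTITY)):
        issues = check_identity(parse_whoami(sample), "CISCO")
        print(label, "->", issues or "healthy")
```

A check like this is worth scripting because a broken CDA mapping does not produce an error: users still browse, but under the default group rather than their own policy, which only the whoami page reveals.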