Installing Cisco WSA

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 2nd post in the series.
Installation of the (virtual) WSA is straight forward. I’ll cover the most important and critical steps in a basic installation.
Hardware appliance
A hardware appliances has 5 interfaces, connect the required interface to your network:

  • T1 + T2 (used for L4TM only)
  • P1 + P2  (used for web proxy)
  • M1 (management or web proxy)

Virtual appliance
The virtual appliance is downloadable as a OVF file. Import the OVF file into you VMWare servers with the specifications as described in the previous blog post.
Configuration
Your first basic installation starts with connecting to the M1 port and browse to: http://192.168.42.42:8080 and login with these default credentials:

  • username: admin
  • password: ironport

You can also connect with SSH with the same login credentials. Start the interface config with the interfaceonfig command:

  • Run edit command
  • enter number 1
  • Enter IP address, netmaks and hostname.

Run  Setgateway
Select the M1 interface and enter the IP of the default gateway.
Don’t forget to commit the changes with the commit command. This is only needed for CLI configuration.
And the WSA appliance is up and running!
installation done
Read more

Cisco WSA Defending Malware

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the last post in the series.
Malware.. we all know that we don’t want it. But how do we block it?
All websites have a Web based reputation number (WBRS). This is a number between -10 and +10. You can define what ranges are used for what action. Think about: -10 to -5 drop, -4 to +5 scan, +6 to +10 do not scan. The WSA receives regulary updates with new reputations.
Note: these features are licensed!
Read more

Workaround: BUG in ASA IOS 8.4(4) and 8.4(5) adding network-object-nat

When upgrading from prior IOS 8.4 to 8.4(4) and 8.4(5), the configuration will be converted for the new IOS without any problems. But when you’re creating a new Network Object NAT rule, you’ll get a nasty error:

ERROR: NAT Policy is not downloaded

There’s no solution for this error at this point (january 2013), Cisco TAC mentioned me that the development team is still working on this issue but it’s hard for them to reproduce this error in their lab.
But.. there is a workaround available!
Read more