search cancel

Web Security Service Legacy IPSEC Connectivity Instructions - Cisco ASA

book

Article ID: 174263

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Symantec tested and validated that Cisco® router devices are able to forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique gateway IP address (no NAT-T). 

Version Demonstrated:

  • ASA5510
  • Cisco ASDM 7.1(1)

This procedure provides a guideline configuration that you can apply to the above model or other Cisco models. It is likely that you have an existing Cisco device configured in your network; therefore, slight alterations to the existing deployment might be required. 

 

Environment

Deployment Notes

  • The most basic concept for this method is configure the router with a site-to-site VPN connection and configure the device policy rules to send web-based traffic to the Web Security Service and ignore everything else. Depending on your geographical location, you must create at least two VPN gateways.
  • The device must have an external routable IP address. 
  • Do not send Auth Connector traffic to the Web Security Service.
  • You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.
  • The best practice is to set the rekey at the specified lifetime interval instead of for lifebytes.
  •  

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

Prerequisite—Verify that the router is ready for configuration.

This procedure assumes that the Cisco ASA device is already configured with the inside interface or group object with multiple inside interfaces and an outside interface that will communicate with the Web Security Service. 

  1. Select the Configuration > Interfaces > Switch Ports tab.
  2. Verify the list has one interface is required for the outside (Web Security Service) connection and as many available interfaces for inside routes (see planning sheet).

Step 1—Create a site-to-site connection profile.

  1. Access the Connection Profile dialog.

    1. Select Configuration.
    2. Click Site-to-Site VPN.
    3. Select Enable inbound VPN sessions....
    4. In the Connection Profiles area, click Add. The device displays the Add IPsec Site-to-Site
      Connection Profile dialog.
  2. Configure the IPsec site-to-site connection profile.
    1. Select the Peer IP Address: Static option and enter the regional Web Security Service primary IP address
      for this location (refer to your planning sheet). The Connection Name (selected by default) automatically fills
      in the same information.
    2. For the Interfaceoption, select outside.
    3. For the Protected Networks: Local Network option, select inside-network.
    4. The Protected Networks: Remote Network setting depends on the Access Method:
      • For stand-alone deployments, select any.
      • For Trans-Proxy deployments, refer to About Trans-Proxy (Explicit Proxy Over IPsec) for options.
    5. Enter the Pre-shared Key, which is the string used to secure the encrypted tunnel between the router and the Web Security Service.
      Tip: The PSK must be at least eight characters and cannot use special characters.
    6. Remain in the IPsec Site-to-Site Connection Profile dialog and proceed to Step 3.
  3. In the left pane, select Advanced > Crypto Maps.
    1. Enable the Perfect Forward Secrecy option.
    2. For Diffie-Hellman Group, select group5.
    3. Clear the NAT-T option.
    4. Click OK.
  4. Still in the Add IPsec Site-to-Site Connection Profile, click IKE Policy: Manage. The device displays the Configure IKE v1 Policies dialog.

    The recommended Encryption Algorithm: IKE Policy values have top-level (or high) priority. The Web Security Service supports many combinations. See See Reference: IKE Encryption and Authentication Algorithms.
    1. Edit an existing policy or Add a new one. The device displays the IKE Policy dialog. Select the
      recommended parameters.
    2. For Authentication, select pre-share.
    3. Select an Encryption value.
    4. For D-H Group (Diffie-Hellman), select 5.
    5. Select a Hash value.
    6. Set the Lifetime value to under 4 hours (14400 seconds).
    7. Click OK in both dialogs to close.
    8. Remain in the IPsec Site-to-Site Connection Profile dialog.
  5. The Cisco device-to-Web Security Service access method requires selecting a supported IPsec Proposal. Cisco references groups of these as transform sets. Click Advanced > IPsec Proposal.
    1. Edit an existing policy or Add a new one. The device displays the IKE Policy dialog. Select the
      recommended parameters.
    2. Name the proposal so that you can identify it in a long list. For example, Cloud_AES256SHA.
    3. For Mode, select Tunnel.
    4. Select an ESP Encryption.
    5. Select an ESP Authentication.
    6. Click OK in both dialogs to close.
    7. Remain in the IPsec Site-to-Site Connection Profile dialog.
  6. Click OK to create the Connection Profile, which should look similar to this:

Step 2—Create the IPsec connection rule for HTTP and HTTPS traffic

  1. Select Configuration > Site-to-Site VPN > Crypto Maps. You must modify Service to include the HTTP and
    HTTPS protocols.
    1. Select the Crypto Map that you configured in Step 1.5.
    2. Click Edit. The device displays the Edit IPsec Rule dialog.
  2. On the Tunnel Policy (Crypto Map) - Basic tab, verify that the configuration information was automatically copied
    from Step 1.
  3. Set the Destination Criteria: Service protocols to HTTP and HTTPS.
    1. Select the Traffic Selection tab.
    2. For Service, click the browse icon. The device displays the Browse Service dialog.
    3. Add the Scroll the list or Filter to HTTP and HTTPS.
    4. Select them and click Service to add them to this policy.
    5. Click OK. The completed Crypto Map should appear as follows:
  4. Navigate to Configuration > Site-to-Site VPN > Advanced > Certificate to Connection Profile Maps
    > Policy. Verify that the Use the configured rules to match a certificate to a Connection Profile option is cleared.

Step 3—Create Firewall NAT Rules (HTTP and HTTPS) that Forward Traffic to the Web Security
Service

  1. Select Configuration > Firewall > NAT Rules.
  2. Click Add and select Add NAT Rule Before "Network Object" NAT Rules.
  3. Define the HTTP rule.
    1. Set the Source Address option to Any.
      Tip: To test the Web Security Service connectivity before adding all users, enter a single IP address of a client system that has web access from your network
      egress point. After successful testing, return to this configuration and change to Any.
    2. Set the Service option to the HTTP service object that you created in Step 2.3.
    3. Click OK.
  4. Repeat the above sub-step 3 to create a NAT rule for the HTTPS service object.
    The completed rules should look similar to the following.

Step 4—Verify the WSS Service Connection

To verify the IPsec site-to-site tunnel connection, select Monitoring > VPN > VPN Statistics > Sessions.

Attachments