Virtual Secure Web Gateway

  • 1.  How to configure Cisco ASA for SWG INLINE + PROXY mode

    Posted Jul 13, 2011 03:10 PM

    Hello everyone.

    I have a client who needs to implement SWG INLINE + PROXY mode. The client should connect the WAN port of the SWG to one of the ports of the Cisco ASA. The segment assigned to the INLINE LAN / WAN configuration is 172.22.10.100/24.
    The MGMT port is in the 172.22.203.100/24 segment.
    The SWG is in TRUNK mode on VLAN ID 10, for example.

    According to the network administrator, an IP address in the 172.22.10.X/24 segment cannot be assigned because of security policies. This casts doubt for me, because if I remember correctly, you can set an ACL to grant access to the SWG or any proxy server without risk to security.

    The configuration of the SWG INLINE LAN / WAN would be:

    IP: 172.22.10.100
    NM: 255.255.255.0
    DG: 172.22.10.5


    In my case I suggest the customer apply the following settings:

    Firewall outside interface: 200.X.X.X/24
    Firewall inside interface: 172.22.10.5/24
    SWG ip address: 172.22.10.100/24

    nat (inside) 1 172.22.10.100 255.255.255.255
    global (outside) 1 interface
    access-list acl_inside permit udp host 172.22.10.100 any eq 53
    access-list acl_inside permit tcp host 172.22.10.100 any eq 80
    access-list acl_inside permit tcp host 172.22.10.100 any eq 443
    access-list acl_inside permit tcp host 172.22.10.100 any eq 21
    access-list acl_inside deny ip any any log
    access-group acl_inside in interface inside

    I attached a picture with a brief outline of how to implement it.


    I come to you so that anyone who has already implemented this in a similar environment (not a complex one) can share the settings that should be applied to the Cisco ASA.

    Thank you all!
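An added check, not part of either post, that models the proposed acl_inside with ASA-style first-match semantics and confirms that only the SWG host can reach the Internet on the listed ports, so inside clients cannot bypass the proxy. The destination 203.0.113.10 and the client addresses are constructed sample values.

```python
import ipaddress

# Constructed model of the acl_inside proposed in the post:
# (action, protocol, source network, destination network, destination port or None).
SWG_HOST = "172.22.10.100"
ACL_INSIDE = [
    ("permit", "udp", SWG_HOST + "/32", "0.0.0.0/0", 53),
    ("permit", "tcp", SWG_HOST + "/32", "0.0.0.0/0", 80),
    ("permit", "tcp", SWG_HOST + "/32", "0.0.0.0/0", 443),
    ("permit", "tcp", SWG_HOST + "/32", "0.0.0.0/0", 21),
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]

# A deliberately weak ACL for comparison: any inside host may go anywhere.
WEAK_ACL = [("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]


def evaluate(acl, proto, src, dst, dport):
    """First matching entry decides, as on an ASA; implicit deny if nothing matches."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto != "ip" and a_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(a_src):
            continue
        if dst_ip not in ipaddress.ip_network(a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"


def proxy_bypass_flows(acl, clients, internet="203.0.113.10"):
    """Return (client, proto, port) tuples the ACL would let reach the Internet directly."""
    leaks = []
    for client in clients:
        for proto, port in (("tcp", 80), ("tcp", 443), ("udp", 53)):
            if evaluate(acl, proto, client, internet, port) == "permit":
                leaks.append((client, proto, port))
    return leaks


if __name__ == "__main__":
    print("SWG https:", evaluate(ACL_INSIDE, "tcp", SWG_HOST, "203.0.113.10", 443))
    print("bypass with proposed ACL:", proxy_bypass_flows(ACL_INSIDE, ["172.22.10.50"]))
    print("bypass with weak ACL:", proxy_bypass_flows(WEAK_ACL, ["172.22.10.50"]))
```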



  • 2.  RE: How to configure Cisco ASA for SWG INLINE + PROXY mode
    Best Answer

    Posted Jul 16, 2011 10:30 PM

    Because it was decided to change the IP address within the same segment as the WAN port of the SWG, the following configuration was done. Various tests were performed, with satisfactory results.
    NAT was applied to the IP addresses of the MGMT and LAN / WAN ports.


    The following configuration was applied under Administration > Configuration > Network.

    Mode: INLINE + PROXY
    Management Port Settings:

    IP Address: 172.22.253.2xx (This address is NATed in the Core Switch)
    MGT Name: Webgateway
    Subnet Mask: 255.255.255.0
    Default Gateway: 172.22.253.1

    LAN / WAN 1
    Inline IP Address: 192.168.11.20X (This address is NATed in the ASA)
    Inline Name: SymantecProxy
    Inline Subnet Mask: 255.255.255.0
    Inline Default Gateway: 192.168.11.201 (This is the IP address of the port of ASA).

    SWG is installed on a trunk interface: NO

    Primary DNS: 172.22.10.X
    Secondary DNS: 172.22.10.X

    Static Routes
    Apply Static Routes to Internal Networks

    Destination: 172.22.0.0
    Netmask: 255.255.0.0
    Gateway: 192.168.11.1


    The users' Internet browsers resolve the interface name of the LAN / WAN port. Filters and policies apply correctly. Users are resolved and authenticated properly via NTLM.

    A static route was applied for the segment of all clients, by applying a class B route to the gateway of the ASA port that connects to the WAN port of the SWG.

    I share this with you as a solution, in case anyone is presented with a similar environment.

    Greetings!