Backgroound Image

Cisco ISR Project – Cloud Web Security config (13 of ?)

In our deployment each location will have a dedicated internet connection.  Since we want to restrict access to specific URLs (sorry, no porn, no Netflix, and no Facebook) we need each location to have a filter in place.  However, that seems cumbersome to manage.  It would be nice to have a centralized management point for all locations, as they will all have the same policy.

Enter Cisco Cloud Web Security.  There is an ISR connector that routes all web traffic through Cisco datacenters where traffic policies are applied.  First things first, this is a subscription-based service, so a subscription must be purchased.  Once that is done and the account is set up (the purchaser will receive a couple e-mails on account creation and provisioning) then it’s time to get things moving.

Before starting the configuration two things must be done. A company key needs to be created, and a certificate needs to be downloaded.  To create the key log in to the CWS portal and click the Admin tab, then in the menu bar select Management, and then click Company Key.

Company Key

Make sure you store the company key in a secure location.  If you lose it you will need to revoke and regenerate it, which means that all devices will also need to be reconfigured.

There should also be an e-mail sent with a certificate that must be installed on the router to establish the CWS tunnel.

Now on to the actual configuration.  You will need to have the following information handy:

  • CWS certificate
  • LAN subnet
  • Tower 1 IP
  • Tower 2 IP
  • Company key

First, the certificate install.  From a config prompt run these commands:

crypto pki trustpoint cws-trustpoint
revocation-check none
enrollment terminal
cry pki authenticate cws-trustpoint

It will prompt you to enter the certificate.  Paste in the certificate (including the Begin and End lines).  After the certificate enter a blank line and then hit the Enter key.  It should then prompt to accept the new certificate.

The next step is to create a couple ACLs.  The first is a simple ACL to specify the source LAN, and the second is a whitelist of IP addresses to avoid CWS.

access-list 80 permit      

ip access-list extended cws-whitelist
 permit tcp any
 permit tcp any
 permit tcp any

Make sure to enter the correct LAN subnet in ACL 80.  If there are any additional IPs that should be added to the whitelist then add them to the cws-whitelist ACL.

Next is importing the Cisco CWS certificate from Cisco.  This does require external access and DNS to be configured on the router.  Here’s the command for that import:

crypto pki trustpool import url

Now comes the actual CWS tunnel configuration:

parameter-map type cws-tunnel global
tower ipv4                                              
tower ipv4                                             
license 0  123123123123                                             
redirect-list 80
download interval 10
acl name cws-whitelist

Make sure to set the correct Tower IPs, and enter the Company Key that was generated through the CWS portal.  One thing to be aware of is the “fail-open” line.  This line configures the router to allow all web traffic if there is a CWS failure.  This can be configured to drop all traffic by changing it to “fail-close”

Almost done, the next step is to set the inbound and outbound interfaces for the tunnel.

int gi0/0/0cws-tunnel in

int gi0/0/1cws-tunnel out tunnel-number 150

For each interface (and sub-interface) that will have end-user traffic that needs to be filtered use the “cws-tunnel in” command.  For the outbound connection the tunnel number must be specified.  This will automatically create two tunnels, one for the tunnel number specified, and another tunnel that is incremented by 1.  In the example above tunnel 150 would be created as primary, and tunnel 151 would be created as a backup.  The primary tunnel uses the destination of Tower 1, and the backup uses the Tower 2 IP.

Last comes some commands to make CWS play nice with the IWAN configuration that’s been done so far.  Since there are VRFs, and ZBF rules there are some extra steps.

Configure the IKE profile to use the IWAN-SECONDARY VRF:

crypto ikev2 profile cws_ikev2_profile_150
 match fvrf IWAN-SECONDARY

Create a route map for routes back to the inside network:

route-map INET-Internal permit 10
 description Return routing for Local Internet Access
 match ip address InternalNetworks
 set global

The last step is to apply the VRF, route map, and zone membership.

interface Tunnel150
 description CWS connector internal primary tunnel
 ip vrf forwarding IWAN-SECONDARY
 tunnel vrf IWAN-SECONDARY
 zone-member security Internet
 ip policy route-map INET-Internal 

interface Tunnel151
 description CWS connector internal secondary tunnel
 ip vrf forwarding IWAN-SECONDARY
 tunnel vrf IWAN-SECONDARY
 zone-member security Internet
ip policy route-map INET-Internal

Running the command “show cws-tunnel status” should show the tunnel as being UP-ACTIVE

From a client machine you should be able to browse to and see the correct Company name.