In our deployment each location will have a dedicated internet connection. Since we want to restrict access to specific URLs (sorry, no porn, no Netflix, and no Facebook) we need each location to have a filter in place. However, that seems cumbersome to manage. It would be nice to have a centralized management point for all locations, as they will all have the same policy.
Enter Cisco Cloud Web Security. There is an ISR connector that routes all web traffic through Cisco datacenters, where the traffic policies are applied. First things first, this is a subscription-based service, so a subscription must be purchased. Once that is done and the account is set up (the purchaser will receive a couple of e-mails on account creation and provisioning), it’s time to get things moving.
Before starting the configuration two things must be done: a company key needs to be created, and a certificate needs to be downloaded. To create the key, log in to the CWS portal and click the Admin tab, then in the menu bar select Management, and then click Company Key.
(Screenshot: the Company Key page in the CWS portal)
Make sure you store the company key in a secure location. It is the credential that authenticates every connector to your account, so handle it like any other secret. If you lose it you will need to revoke and regenerate it, which means that every device will also need to be reconfigured.
There should also be an e-mail with a certificate attached that must be installed on the router to establish the CWS tunnel.
Now on to the actual configuration. You will need to have the following information handy:
- CWS certificate
- LAN subnet
- Tower 1 IP
- Tower 2 IP
- Company key
First, the certificate install. From a config prompt run these commands:
crypto pki trustpoint cws-trustpoint
 revocation-check none
 enrollment terminal
 exit
crypto pki authenticate cws-trustpoint
It will prompt you to enter the certificate. Paste in the certificate (including the BEGIN and END lines). After the certificate enter a blank line and then hit the Enter key. The router then displays the certificate fingerprint and prompts you to accept it. Compare that fingerprint with the one Cisco supplies before answering yes: because the trustpoint is configured with revocation-check none, this manual comparison is the only validation the router performs on the certificate.
The next step is to create a couple of ACLs. The first is a simple standard ACL that specifies the source LAN whose traffic should be redirected, and the second is a whitelist of destinations that should bypass CWS entirely.
access-list 80 permit 1.2.3.4 0.0.0.0
ip access-list extended cws-whitelist
 permit tcp any 10.0.0.0 0.255.255.255
 permit tcp any 172.16.0.0 0.31.255.255
 permit tcp any 192.168.0.0 0.0.255.255
Make sure to enter the correct LAN subnet in ACL 80, and remember that the second value is an IOS wildcard mask, not a subnet mask: 1.2.3.4 0.0.0.0 above is only a placeholder and would match that single host, whereas a /24 LAN needs a wildcard of 0.0.0.255. The three entries in cws-whitelist keep traffic to RFC 1918 destinations (the data center and other sites reached over IWAN) out of the CWS tunnel. If there are any additional destinations that should bypass filtering, add them to the cws-whitelist ACL.
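Because the redirect-list and the whitelist are both plain IOS ACLs, the easiest way to see what actually ends up in the tunnel is to evaluate them the way the router does. The following Python is an added example written for this post, not Cisco's code or part of the original walkthrough. It models the two ACLs above (1.2.3.4 0.0.0.0 is kept as the post's placeholder so the single-host wildcard problem is visible), decides redirect versus bypass for a few constructed flows, and renders a correct ACL 80 line from a CIDR. The connector also restricts redirection to web ports; that detail is left out here so the example stays about the ACL semantics.

```python
import ipaddress

# Constructed sample config mirroring the two ACLs in the post. 1.2.3.4 is the
# post's placeholder LAN address; with wildcard 0.0.0.0 it matches that one host only.
REDIRECT_ACL_80 = [("1.2.3.4", "0.0.0.0")]           # access-list 80 permit <src> <wildcard>
CWS_WHITELIST = [                                    # permit tcp any <dst> <wildcard>
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.31.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match the base address, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def cws_decision(src, dst, proto="tcp",
                 redirect_list=REDIRECT_ACL_80, whitelist=CWS_WHITELIST):
    """Model of the redirect decision: 'redirect' sends the flow into the CWS tunnel,
    'bypass' leaves it on the normal routed path. A flow is redirected only if its
    source matches the redirect-list and its destination is not exempted by the whitelist."""
    if not any(wildcard_match(src, b, w) for b, w in redirect_list):
        return "bypass"   # not a filtered LAN source
    if proto == "tcp" and any(wildcard_match(dst, b, w) for b, w in whitelist):
        return "bypass"   # internal destination: stays on the IWAN path, not the tower
    return "redirect"


def acl80_for_lan(cidr):
    """Render the ACL 80 line for a whole LAN subnet, e.g. 192.168.10.0/24 -> 0.0.0.255."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"access-list 80 permit {net.network_address} {net.hostmask}"


if __name__ == "__main__":
    # Constructed flows: the second one shows that a 0.0.0.0 wildcard leaves
    # every other LAN host unfiltered.
    for src, dst in [("1.2.3.4", "8.8.8.8"), ("1.2.3.5", "8.8.8.8"),
                     ("1.2.3.4", "10.20.30.40"), ("1.2.3.4", "172.32.0.1")]:
        print(f"{src} -> {dst}: {cws_decision(src, dst)}")
    print(acl80_for_lan("192.168.10.0/24"))
```

The 172.32.0.1 case is the one worth pausing on: the 0.31.255.255 wildcard covers 172.16.0.0 through 172.31.255.255 and nothing above it, so a typo of 0.15.255.255 or 0.63.255.255 would silently change which internal ranges go to the tower.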
Next is importing Cisco’s trustpool bundle, the set of root CA certificates Cisco publishes, which the connector uses to validate the certificates presented by the towers. This does require external access and DNS to be configured on the router, since the bundle is fetched over HTTP from cisco.com. Here’s the command for that import:
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Now comes the actual CWS tunnel configuration:
parameter-map type cws-tunnel global
 primary
  tower ipv4 1.2.3.4
 secondary
  tower ipv4 1.2.3.4
 license 0 123123123123
 redirect-list 80
 whitelist
  download interval 10
  acl name cws-whitelist
 fail-open
Make sure to set the correct Tower IPs (Tower 1 under primary, Tower 2 under secondary), and enter the Company Key that was generated through the CWS portal in place of the placeholder on the license line; the 0 indicates the key is being entered in clear text. One thing to be aware of is the “fail-open” line. This line configures the router to allow all web traffic unfiltered if the CWS tunnels fail, which means a tower outage silently turns the policy off. It can be configured to drop all web traffic instead by changing it to “fail-close”. Pick whichever failure mode matches why you deployed the filter in the first place.
Almost done, the next step is to set the inbound (LAN-facing) and outbound (internet-facing) interfaces for the tunnel.
interface GigabitEthernet0/0/0
 cws-tunnel in
interface GigabitEthernet0/0/1
 cws-tunnel out tunnel-number 150
For each interface (and sub-interface) that will carry end-user traffic that needs to be filtered, use the “cws-tunnel in” command. For the outbound connection the tunnel number must be specified. This automatically creates two tunnel interfaces: one with the tunnel number specified, and a second one numbered one higher. In the example above Tunnel150 is created as the primary and Tunnel151 as the backup. The primary tunnel uses the Tower 1 IP as its destination, and the backup uses the Tower 2 IP.
Last come some commands to make CWS play nicely with the IWAN configuration that has been done so far. Since the IWAN design uses VRFs and zone-based firewall (ZBF) rules, there are some extra steps.
Point the IKEv2 profile used by the CWS tunnel at the IWAN-SECONDARY front-door VRF, so that IKE negotiates with the towers through the internet-facing VRF rather than the global table:
crypto ikev2 profile cws_ikev2_profile_150
 match fvrf IWAN-SECONDARY
Create a route map for return traffic to the inside network. It matches the InternalNetworks ACL that already exists from the IWAN configuration and uses “set global” to hand matching return traffic back to the global routing table:
route-map INET-Internal permit 10
 description Return routing for Local Internet Access
 match ip address InternalNetworks
 set global
The last step is to apply the VRF, route map, and zone membership to both tunnel interfaces.
interface Tunnel150
 description CWS connector internal primary tunnel
 ip vrf forwarding IWAN-SECONDARY
 tunnel vrf IWAN-SECONDARY
 zone-member security Internet
 ip policy route-map INET-Internal
interface Tunnel151
 description CWS connector internal secondary tunnel
 ip vrf forwarding IWAN-SECONDARY
 tunnel vrf IWAN-SECONDARY
 zone-member security Internet
 ip policy route-map INET-Internal
Running the command “show cws-tunnel status” should show the primary tunnel as UP-ACTIVE.
From a client machine on the LAN you should be able to browse to http://whoami.scansafe.net and see the correct Company name, which confirms the traffic is actually being redirected through your account.