CCIE Security lab: WSA – Restricting Bad

We are going to move away from the ISE for a moment and look at the WSA and how to permit/deny access to websites based on the name.


This is pretty much the process we will be following:

WSA traffic flow

The user makes a call to www.good.com or www.bad.com, which calls DNS, the traffic then heads via the switch up to the firewall, which will make a WCCP call to the WSA, and the permitted traffic will be passed up, and the denied traffic will get replaced with a denied message.

I can already get to the sites (see: https://www.802101.com/ccie-security-lab-access-to-www-server/):

good and bad

WSA initial setup

Setup is very straight-forward, just head onto the System Administration menu and select the wizard:

Cisco WSA initial setup

Here we can change the hostname:

WSA hostname
And design our topology a little:
WSA initial setup
It kinda craps out at this point (probably won’t do in the lab), but we can save the work so far and set up WCCP another way.

WSA WCCP Service setup

This can all be done via the menu.
WSA transparent redirection
The default is Layer-4:
WSA transparent redirection

We want it to be WCCP though, so click Edit and set it to WCCP:

WSA WCCP setup
We get a warning telling us that we need to add a service:

 

WSA WCCP setup

I am using a service ID of 100 (just because it’s a nice round number), and tell the WSA that we are interested in ports 80, 443 and 12345:

WSA WCCP setup
Note that the password can be up to 7 characters, so whilst I put “cisco123”, it truncated it. Make sure you commit your changes!
Make sure you commit the changes
WSA commit change
There is our new service:
WSA WCCP setup

ASA WCCP Service setup

I prefer to do this partly through the CLI and partly via the GUI. Using the MGMT-PC VM I could not access the https page for LON-FW1 until I ran the following commands:
no ssl encryption des-sha1
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

This allowed the PC to get to the page and download ASDM. After AGES (getting updated software), ASDM loaded.

We need two ACLs. One which contains a list of our WCCP servers (the WSA), and one to list the hosts, or networks we want to redirect through the WSA:

LON-FW1(config)# access-list wccp-clients extended permit ip host 192.168.90.200 any
LON-FW1(config)# access-list wccp-clients extended permit ip host 10.1.4.202 any
LON-FW1(config)# end
LON-FW1# sh access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside->in; 2 elements; name hash: 0x307dc218
access-list outside->in line 1 extended permit ip any any (hitcnt=1783) 0xa1b5c89f 
access-list outside->in line 2 extended permit icmp any any (hitcnt=0) 0x6d9415b4 
access-list wccp-servers; 1 elements; name hash: 0x7b83fa88
access-list wccp-servers line 1 extended permit ip host 10.1.4.203 any (hitcnt=0) 0x9d0812bf 
access-list wccp-clients; 2 elements; name hash: 0x94033d9d
access-list wccp-clients line 1 extended permit ip host 192.168.90.200 any (hitcnt=0) 0x48cd6322 
access-list wccp-clients line 2 extended permit ip host 10.1.4.202 any (hitcnt=0) 0xd2ff1466 
LON-FW1#

Let’s switch over to the GUI and set up WCCP:

ASA WCCP setup ASDM
Note that the Dynamic Service Number must match what we set up on the WSA, as does the password, the password can be longer than 7 characters here though. We then set up the redirection:
ASA WCCP setup ASDM
Let’s give it a whirl!

At first there was no communication between the ASA and the WSA, but this was due to the password mismatch (see Total Authentication failures below) – so keep it under 7 characters!

LON-FW1# sh wccp 

Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: 100
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                wccp-clients
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       4
        Total Bypassed Packets Received:     0
LON-FW1#

Once this was corrected, things looked might better:

LON-FW1# sh wccp 

Global WCCP information:
    Router information:
        Router Identifier:                   163.4.4.254
        Protocol Version:                    2.0

    Service Identifier: 100
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp-clients
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   wccp-servers
        Total Messages Denied to Group:      0
        Total Authentication failures:       4
        Total Bypassed Packets Received:     0
LON-FW1#

Our WSA is taking the traffic:

WSA websites report

The next step is to block www.bad.com, which we will do through a custom URL category:

Setting up custom URLs in WSA

Click on Add:

Setting up custom URLs in WSA

Pop in the details and click on Submit. Click on Commit Changes on the next page.

Setting up custom URLs in WSA

We then need to set up an access policy, and place it above the existing default policy:

WSA Access policy

The WSA is a bit particular about naming the policy, so keep it simple, and set the URL filtering to the one set up a moment ago:

WSA Access policy

 

WSA Access policy

Our new policy should go at the top:

WSA Access policy

At this point, www.bad.com is set to “monitor”, so let’s change that, by clicking on Monitor under the URL filtering, and changing it from this:

WSA Access policy

To this:

WSA Access policy

Click submit, then commit the changes.

WSA page blocked

Bingo.

Let’s kick it up a notch and ONLY have Bob denied this page.

We need to create an identity for Bob, which will be done via his IP address:

WSA block based on identity

Looks good:

WSA identities

Commit that bad boy!

Head back over to the Security Policies, and change the Restrict Bad policy to have just the Bob identity:

WSA identity based policy

The policy member definition then changes:

WSA identity based policy

Commit changes and test.

We can see the results here:

WSA results

From the bottom up, we can see that initially both the MGMT-PC (192.168.90.200) and Bob (10.1.4.202) has access to the www.bad.com website. We added the URL category, which has a default of Monitor, and then we changed it and both then got blocked. From the last step, the MGMT-PC could access it, but Bob could not.

A resounding success!

It’s flawed though. What if Bob changes his IP address? He’s a sneaky f*cker like that! Well, we could add authentication instead.

This is an option under “Network”:

WSA AD realm

However, my WSA is not even in same time zone as AD, it’s not even in the same year (because of the license). So we can’t go down this route.

We’ll just have to hope that Bob behaves.

But that is the WSA folks, a quick and dirty look through. It’s not overly hard to set up, and this was all done within a couple of hours with just a bit of help from Google. Before we close this post off, here are the full ASA commands (a whopping 5 lines):

LON-FW1# sh run | i wccp
access-list wccp-servers extended permit ip host 10.1.4.203 any 
access-list wccp-clients extended permit ip host 192.168.90.200 any 
access-list wccp-clients extended permit ip host 10.1.4.202 any 
wccp 100 redirect-list wccp-clients group-list wccp-servers password *****
wccp interface inside 100 redirect in
LON-FW1#

Laters.