We are going to move away from the ISE for a moment and look at the WSA and how to permit/deny access to websites based on the name.
This is pretty much the process we will be following:
The user makes a call to www.good.com or www.bad.com, which calls DNS, the traffic then heads via the switch up to the firewall, which will make a WCCP call to the WSA, and the permitted traffic will be passed up, and the denied traffic will get replaced with a denied message.
I can already get to the sites (see: https://www.802101.com/ccie-security-lab-access-to-www-server/):
WSA initial setup
Setup is very straight-forward, just head onto the System Administration menu and select the wizard:
Here we can change the hostname:
WSA WCCP Service setup
We want it to be WCCP though, so click Edit and set it to WCCP:
I am using a service ID of 100 (just because it’s a nice round number), and tell the WSA that we are interested in ports 80, 443 and 12345:
ASA WCCP Service setup
no ssl encryption des-sha1 ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
This allowed the PC to get to the page and download ASDM. After AGES (getting updated software), ASDM loaded.
We need two ACLs. One which contains a list of our WCCP servers (the WSA), and one to list the hosts, or networks we want to redirect through the WSA:
LON-FW1(config)# access-list wccp-clients extended permit ip host 192.168.90.200 any LON-FW1(config)# access-list wccp-clients extended permit ip host 10.1.4.202 any LON-FW1(config)# end LON-FW1# sh access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list outside->in; 2 elements; name hash: 0x307dc218 access-list outside->in line 1 extended permit ip any any (hitcnt=1783) 0xa1b5c89f access-list outside->in line 2 extended permit icmp any any (hitcnt=0) 0x6d9415b4 access-list wccp-servers; 1 elements; name hash: 0x7b83fa88 access-list wccp-servers line 1 extended permit ip host 10.1.4.203 any (hitcnt=0) 0x9d0812bf access-list wccp-clients; 2 elements; name hash: 0x94033d9d access-list wccp-clients line 1 extended permit ip host 192.168.90.200 any (hitcnt=0) 0x48cd6322 access-list wccp-clients line 2 extended permit ip host 10.1.4.202 any (hitcnt=0) 0xd2ff1466 LON-FW1#
Let’s switch over to the GUI and set up WCCP:
At first there was no communication between the ASA and the WSA, but this was due to the password mismatch (see Total Authentication failures below) – so keep it under 7 characters!
LON-FW1# sh wccp Global WCCP information: Router information: Router Identifier: -not yet determined- Protocol Version: 2.0 Service Identifier: 100 Number of Cache Engines: 0 Number of routers: 0 Total Packets Redirected: 0 Redirect access-list: wccp-clients Total Connections Denied Redirect: 0 Total Packets Unassigned: 0 Group access-list: wccp-servers Total Messages Denied to Group: 0 Total Authentication failures: 4 Total Bypassed Packets Received: 0 LON-FW1#
Once this was corrected, things looked might better:
LON-FW1# sh wccp Global WCCP information: Router information: Router Identifier: 126.96.36.199 Protocol Version: 2.0 Service Identifier: 100 Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected: 0 Redirect access-list: wccp-clients Total Connections Denied Redirect: 0 Total Packets Unassigned: 0 Group access-list: wccp-servers Total Messages Denied to Group: 0 Total Authentication failures: 4 Total Bypassed Packets Received: 0 LON-FW1#
Our WSA is taking the traffic:
The next step is to block www.bad.com, which we will do through a custom URL category:
Click on Add:
Pop in the details and click on Submit. Click on Commit Changes on the next page.
We then need to set up an access policy, and place it above the existing default policy:
The WSA is a bit particular about naming the policy, so keep it simple, and set the URL filtering to the one set up a moment ago:
Our new policy should go at the top:
At this point, www.bad.com is set to “monitor”, so let’s change that, by clicking on Monitor under the URL filtering, and changing it from this:
Click submit, then commit the changes.
Let’s kick it up a notch and ONLY have Bob denied this page.
We need to create an identity for Bob, which will be done via his IP address:
Commit that bad boy!
Head back over to the Security Policies, and change the Restrict Bad policy to have just the Bob identity:
The policy member definition then changes:
Commit changes and test.
We can see the results here:
From the bottom up, we can see that initially both the MGMT-PC (192.168.90.200) and Bob (10.1.4.202) has access to the www.bad.com website. We added the URL category, which has a default of Monitor, and then we changed it and both then got blocked. From the last step, the MGMT-PC could access it, but Bob could not.
A resounding success!
It’s flawed though. What if Bob changes his IP address? He’s a sneaky f*cker like that! Well, we could add authentication instead.
This is an option under “Network”:
However, my WSA is not even in same time zone as AD, it’s not even in the same year (because of the license). So we can’t go down this route.
We’ll just have to hope that Bob behaves.
But that is the WSA folks, a quick and dirty look through. It’s not overly hard to set up, and this was all done within a couple of hours with just a bit of help from Google. Before we close this post off, here are the full ASA commands (a whopping 5 lines):
LON-FW1# sh run | i wccp access-list wccp-servers extended permit ip host 10.1.4.203 any access-list wccp-clients extended permit ip host 192.168.90.200 any access-list wccp-clients extended permit ip host 10.1.4.202 any wccp 100 redirect-list wccp-clients group-list wccp-servers password ***** wccp interface inside 100 redirect in LON-FW1#