25-7
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Prerequisites for Cloud Web Security
On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify
the number of users that the ASA handles. Then log into ScanCenter, and generate your authentication
keys.
Prerequisites for Cloud Web Security
(Optional) User Authentication Prerequisites
To send user identity information to Cloud Web Security, configure one of the following on the ASA:
• AAA rules (username only)—See Chapter 8, “Configuring AAA Rules for Network Access.”
• IDFW (username and group)—See Chapter 38, “Configuring the Identity Firewall,” in the general
operations configuration guide.
(Optional) Fully Qualified Domain Name Prerequisites
If you use FQDNs in ACLs for your service policy rule, or for the Cloud Web Security server, you must
configure a DNS server for the ASA according to the “Configuring the DNS Server” section on
page 16-8 in the general operations configuration guide.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context modes.
In multiple context mode, the server configuration is allowed only in the system, and the service policy
rule configuration is allowed only in the security contexts.
Each context can have its own authentication key, if desired.
Firewall Mode Guidelines
Supported in routed firewall mode only. Does not support transparent firewall mode.
IPv6 Guidelines
Does not support IPv6. See the “IPv4 and IPv6 Support” section on page 25-6.
Additional Guidelines
• Cloud Web Security is not supported with ASA clustering.
• Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL
VPN traffic from the ASA service policy for Cloud Web Security.
Model License Requirement
All models Strong Encryption (3DES/AES) License to encrypt traffic between the security appliance and the
Cloud Web Security server.