25-8
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Default Settings
• When an interface to the Cloud Web Security proxy servers goes down, output from the show
scansafe server command shows both servers up for approximately 15-25 minutes. This condition
may occur because the polling mechanism is based on the active connection, and because that
interface is down, it shows zero connection, and it takes the longest poll time approach.
• Cloud Web Security is not supported with the ASA CX module. If you configure both the ASA CX
action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX
action.
• Cloud Web Security inspection is compatibile with HTTP inspection for the same traffic. HTTP
inspection is enabled by default as part of the default global policy.
• Cloud Web Security is not supported with extended PAT or any application that can potentially use
the same source port and IP address for separate connections. For example, if two different
connections (targeted to separate servers) use extended PAT, the ASA might reuse the same source
IP and source port for both connection translations because they are differentiated by the separate
destinations. When the ASA redirects these connections to the Cloud Web Security server, it
replaces the destination with the Cloud Web Security server IP address and port (8080 by default).
As a result, both connections now appear to belong to the same flow (same source IP/port and
destination IP/port), and return traffic cannot be untranslated properly.
• The Default Inspection Traffic traffic class does not include the default ports for the Cloud Web
Security inspection (80 and 443).
Default Settings
By default, Cisco Cloud Web Security is not enabled.
Configuring Cisco Cloud Web Security
• Configuring Communication with the Cloud Web Security Proxy Server, page 25-8
• (Multiple Context Mode) Allowing Cloud Web Security Per Security Context, page 25-10
• Configuring a Service Policy to Send Traffic to Cloud Web Security, page 25-10
• (Optional) Configuring Whitelisted Traffic, page 25-23
• Configuring the Cloud Web Security Policy, page 25-26
Configuring Communication with the Cloud Web Security Proxy Server
Guidelines
The public key is embedded in the ASA software, so there is no need for you to configure it.