Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 25      Configuring the ASA for Cisco Cloud Web Security
  Configuration Examples for Cisco Cloud Web Security
hostname(cfg-scansafe)# server primary ip 192.168.115.225 port 8080
hostname(cfg-scansafe)# retry-count 5
hostname(cfg-scansafe)# license 366C1D3F5CE67D33D3E9ACEC265261E5
Multiple Mode Example
The following example enables Cloud Web Security in context one with the default license and in context 
two with the authentication key override:
! System Context
!
ciscoasa(config)# scansafe general-options
ciscoasa(cfg-scansafe)# server primary ip 180.24.0.62 port 8080
ciscoasa(cfg-scansafe)# retry-count 5
ciscoasa(cfg-scansafe)# license FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
ciscoasa(cfg-scansafe)# publickey <path to public key>
!
context one
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 allocate-interface GigabitEthernet0/3.1
 scansafe
 config-url disk0:/one_ctx.cfg
!
context two
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 allocate-interface GigabitEthernet0/3.2
 scansafe license 366C1D3F5CE67D33D3E9ACEC265261E5
 config-url disk0:/two_ctx.cfg
!
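Added example, not part of the Cisco guide: a Python check that reads a system-context configuration like the one above and reports, for each context, whether Cloud Web Security uses the default license, an override key, or is not enabled. The sample is constructed in saved-configuration form (no CLI prompts); context three and the function name effective_licenses are assumptions.

```python
GENERAL = object()  # marker for the "scansafe general-options" section
# Constructed sample in saved-config form; context "three" is hypothetical.
SAMPLE_SYSTEM_CONFIG = """\
scansafe general-options
 server primary ip 180.24.0.62 port 8080
 license FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
!
context one
 allocate-interface GigabitEthernet0/0.1
 scansafe
 config-url disk0:/one_ctx.cfg
!
context two
 allocate-interface GigabitEthernet0/0.2
 scansafe license 366C1D3F5CE67D33D3E9ACEC265261E5
 config-url disk0:/two_ctx.cfg
!
context three
 allocate-interface GigabitEthernet0/0.3
 config-url disk0:/three_ctx.cfg
!
"""

def effective_licenses(config_text):
    """Map each context to (state, license); state is default, override or disabled."""
    default_license, section, found = None, None, {}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            section = None
            if words[0] == "context" and len(words) == 2:
                section = words[1]
                found[section] = ("disabled", None)
            elif words == ["scansafe", "general-options"]:
                section = GENERAL
        elif section is GENERAL and words[0] == "license" and len(words) == 2:
            default_license = words[1]
        elif section in found and words[0] == "scansafe":
            override = len(words) == 3 and words[1] == "license"
            found[section] = ("override", words[2]) if override else ("default", None)
    # Resolve defaults last so the order of sections does not matter.
    return {name: (state, default_license if state == "default" else key)
            for name, (state, key) in found.items()}

if __name__ == "__main__":
    for name, (state, key) in effective_licenses(SAMPLE_SYSTEM_CONFIG).items():
        print(f"context {name}: {state} {key or '-'}")
```

A context reported as default with no license value means the system context defines no license under scansafe general-options.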
Whitelist Example
Define the access lists that identify which traffic is sent to Cloud Web Security:
access-list 101 extended permit tcp any4 any4 eq www 
access-list 102 extended permit tcp any4 any4 eq https 
class-map web
 match access-list 101
class-map https
 match access-list 102
To configure the whitelist so that user1, whose traffic falls within these access lists, bypasses Cloud Web Security:
class-map type inspect scansafe match-any whiteListCmap
 match user LOCAL\user1
To attach the class maps to the Cloud Web Security policy map:
policy-map type inspect scansafe ss
 parameters
  default user user1 group group1
  http
 class whiteListCmap
  whitelist
policy-map type inspect scansafe ss2