Cisco Cisco Web Security Appliance S670 技术手册
Create an identity for FTP traffic. In the GUI, choose Web Security Manager > Identities
and ensure that authentication has been disabled for this ID.
and ensure that authentication has been disabled for this ID.
1.
Create an access policy. In the GUI, choose Web Security Manager > Access
Policies, which references the identity in step 1.
Policies, which references the identity in step 1.
2.
Under FTP proxy settings, modify the FTP Passive ports to be 11000-11006 in order to
ensure that all ports fit into a single service group.
ensure that all ports fit into a single service group.
3.
Create these WCCP Service IDs:
Name Service Ports
web-cache 0 80 (alternatively, you can use 98 custom-web-cache if you use
multiple WSAs)
ftp-native 60 21,11000,11001,11002,11003,11004,11005,11006
https-cache 70 443
web-cache 0 80 (alternatively, you can use 98 custom-web-cache if you use
multiple WSAs)
ftp-native 60 21,11000,11001,11002,11003,11004,11005,11006
https-cache 70 443
4.
These examples redirect three internal subnets while they bypass WCCP redirection for all
privately addressed destinations as well as a single internal host.
privately addressed destinations as well as a single internal host.
Sample ASA Configuration
wccp web-cache redirect-list web-cache group-list group_acl
wccp 60 redirect-list ftp-native group-list group_acl
wccp 70 redirect-list https-cache group-list group_acl
wccp interface inside web-cache redirect in
wccp interface inside 60 redirect in
wccp interface inside 70 redirect in
access-list group_acl extended permit ip host 10.1.1.160 any
access-list ftp-native extended deny ip any 10.0.0.0 255.0.0.0
access-list ftp-native extended deny ip any 172.16.0.0 255.240.0.0
access-list ftp-native extended deny ip any 192.168.0.0 255.255.0.0
access-list ftp-native extended deny ip host 192.168.42.120 any
access-list ftp-native extended permit tcp 192.168.42.0 255.255.255.0 any eq ftp
access-list ftp-native extended permit tcp 192.168.42.0 255.255.255.0 any range 11000
11006
access-list ftp-native extended permit tcp 192.168.99.0 255.255.255.0 any eq ftp
access-list ftp-native extended permit tcp 192.168.99.0 255.255.255.0 any range 11000
11006
access-list ftp-native extended permit tcp 192.168.100.0 255.255.255.0 any eq ftp
access-list ftp-native extended permit tcp 192.168.100.0 255.255.255.0 any range 11000
11006
access-list https-cache extended deny ip any 10.0.0.0 255.0.0.0
access-list https-cache extended deny ip any 172.16.0.0 255.240.0.0
access-list https-cache extended deny ip any 192.168.0.0 255.255.0.0
access-list https-cache extended deny ip host 192.168.42.120 any
access-list https-cache extended permit tcp 192.168.42.0 255.255.255.0 any eq https
access-list https-cache extended permit tcp 192.168.99.0 255.255.255.0 any eq https
access-list https-cache extended permit tcp 192.168.100.0 255.255.255.0 any eq https
access-list web-cache extended deny ip any 10.0.0.0 255.0.0.0
access-list web-cache extended deny ip any 172.16.0.0 255.240.0.0
access-list web-cache extended deny ip any 192.168.0.0 255.255.0.0
access-list web-cache extended deny ip host 192.168.42.120 any
access-list web-cache extended permit tcp 192.168.42.0 255.255.255.0 any eq www
access-list web-cache extended permit tcp 192.168.99.0 255.255.255.0 any eq www
access-list web-cache extended permit tcp 192.168.100.0 255.255.255.0 any eq www