Posture over Anyconnect VPN with browser proxy

Neelesh Marathe
Cisco Employee

Team,

We are trying to implement AnyConnect posture for users coming in via AnyConnect VPN. The users have a browser proxy configured which sends traffic via port 8080.

With the default configuration, the ASA is not able to complete the TCP handshake as expected, since it is not able to intercept traffic on port 8080. Any traffic which is exempted from the proxy is redirected properly.

1. What changes would be required on the ASA so that the ASA can intercept this HTTP traffic on port 8080? On the switch we make the below changes when a browser proxy is involved.

ip http port 8080
ip port-map http port 8080


2. Also, should we make any changes on the AnyConnect Posture client so that posture discovery works fine with any change on the ASA?

Thanks,

Neelesh Marathe

4 Replies

thomas
Cisco Employee

Have you tried looking at any of our How To / Design Guides @ ISE Design & Integration Guides?

Specifically I would recommend How To: ISE and ASA Integration using CoA for Posture. That should step you through everything you need. Cisco employees and partners may also access our training lab including step-by-step lab guide under ISE Partner Training and specifically the AnyConnect Lab.

Hello Thomas,

Thanks for pointing out this information. I read all the documents, but they do not include any configuration on the ASA to intercept traffic on another HTTP port, e.g. 8080, like we have on the switch:

ip http port 8080
ip port-map http port 8080


Thanks,

Neelesh Marathe

Hello Thomas,

I got a configuration example for the ASA and I will try this in my lab, but it will take some time.

ASA(config)# fixup protocol http 8080


Then create a class map and associate it with the group policy. Also do inspect http.

class-map class_http
 match port tcp eq 8080

Hi Neelesh,

Did that work for you? I'm currently running into the same issue. Thanks!