Forward Web Traffic from PIX to outside Proxy

Matt.Fields
Level 1

I am working with a web filtering service company that provides web filtering as a service in a cloud. I can forward web traffic to them via the normal proxy setting in my browser, but I want to be able to do it on firewall level as well, in case a user did not get the browser policy update.

Is there a way to forward all web traffic (http, https) coming from behind the firewall (nat users) to an outside address?

I tried the command:

static (inside,outside) tcp interface www <outside ip> www netmask 255.255.255.255

...but that did not work.

Any help would be appreciated.

8 Replies

cleidh_mor
Level 1

You want the filter command:

url-server (outside) host

filter url 80 0 0 0 0

filter https 443 0 0 0 0

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1761451

HTH

Will this work with PIX version 6.3 as well?

I think he is wrong. I assume this is what you're trying to accomplish:

1- There is a web proxy like BlueCoat or Squid on the Internet that you want users on your network to connect to. Users on your network get the setting through WPAD or something like that.

2- The BlueCoat or Squid proxy will intercept web traffic on your network, check URL and content filtering, antivirus, etc. If everything is fine, users on your network can access the site.

Are my assumptions correct?

The example he gave you is that the PIX will do the URL filtering with a 3rd-party app like Websense or N2H2. It cannot do what you described.

What you're trying to accomplish can be done with WPAD.

I am trying to just redirect all http and https traffic to a proxy that is outside my network (the provider). Once it gets to the provider, it will keep on going out through them and the response will come back through them and to me.

In that case, it is very simple:

no static (inside,outside) tcp interface www www netmask 255.255.255.255

nat (inside) 1 0 0

global (outside) 1 interface

access-list Internal permit icmp any any log

access-list Internal permit tcp any host Proxy_Server eq 3128 log

access-list Internal deny ip any any log

access-list External permit icmp any any log

access-list External deny ip any any log

access-group Internal in interface inside

access-group External in interface outside

The question is how do the users' browsers get updated? WPAD or what?

I am not really sure what you mean when you say "how does the users' browser get update".

And I am not sure what WPAD is either.

"in case a user did not get the browser policy update."

How do users' browsers get policy updates such as proxy settings?

I can push proxy setting changes down via AD Group Policies, but I don't want to depend on that. For instance, if a rogue PC plugs into our network, and they are not able to get the browser proxy policy via AD (since they are not on our domain), I would like them to be proxied via the firewall.
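WPAD, mentioned in the replies above, has browsers locate and download a proxy auto-config (PAC) file, which is a JavaScript function the browser calls for every request. The sketch below is an added example, not something posted in the thread. It assumes `proxy.example.net` as a stand-in for the thread's `Proxy_Server` and `corp.example` as a hypothetical internal DNS suffix; port 3128 is taken from the ACL above.

```javascript
// Added example PAC file (served as wpad.dat). Constructed values:
// proxy.example.net stands in for Proxy_Server; corp.example is hypothetical.
var PROXY = "PROXY proxy.example.net:3128";
var INTERNAL_SUFFIX = ".corp.example";

// True for literal IPv4 addresses in loopback or RFC 1918 space.
// Pure string and number checks, so no DNS lookup is triggered.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) {
    return false;
  }
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host is the internal domain itself or a name underneath it.
function isInternalName(host) {
  return host === INTERNAL_SUFFIX.slice(1) ||
         host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// The browser calls this for every request; the return value picks the route.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names (no dot, not an IPv6 literal) stay local.
  var singleLabel = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (singleLabel || isPrivateIPv4(host) || isInternalName(host)) {
    return "DIRECT";
  }
  // Everything else goes to the filtering proxy. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing the filter.
  return PROXY;
}
```

A machine that never receives or honours this file is still contained by the inside ACL posted above, which only permits TCP to the proxy on port 3128.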
