ASA transparent proxy feature - MessageLabs Proxy Service

Unanswered Question
May 27th, 2010


We have just installed a Cisco 5510 for one of our customers in place of a ClearPath firewall.  The problem is the old firewall had the capability of forwarding all Internal Web traffic to the MessageLabs external Web filtering service ( from the internal ISA server. The following commands on the ClearPath achieved this functionality:


1) cache_peer parent 3128 0 no-query

2) iptables -t nat -I LAN_dnat -p tcp --dport www -s -j REDIRECT --to-port 8080

FYI - 1.10 is the internal ISA server.

My understanding of how this works is that the old firewall had transparent proxy capability and redirects all Internal Web traffic to MessageLabs on port 3128. This means port 80 can be blocked on the firewall.

Can anyone out there confirm whether or not the ASA has the same capability or suggest a workaround?


russ Thu, 05/27/2010 - 03:13

Hi Federico

Thanks for the reply,

I think configuring Websense server or Smart Filter server is not the same as a transparent proxy feature, also you have to specify an IP address rather than a URL for the servers.

The ISA server has integrated Websense to filter URLs which the Clearpath FW then redirects to MessageLabs for malicious content filtering.

russ Thu, 05/27/2010 - 03:32

Hi Federico

Thanks for the info, but the CSC only works with Trend and not MessageLabs, it would also be additional cost and using regular expressions is not a viable option. So it seems the ASA can not provide the same capability as some small cheap vendor firewall?

Federico Coto F... Thu, 05/27/2010 - 03:44


I'm sure the ASA does a lot of advanced functions not performed by cheap firewalls.

But you're correct, the ASA is not a URL filtering device. It can redirect URLs to a URL-filtering server or can use regex or CSC, but not in the same way you're describing.


russ Thu, 05/27/2010 - 03:52

Hi Federico

I agree, the customer is really happy with the ASA features, GUI, etc.; it's just a shame it can't support such a simple feature, which could be a "show stopper". They were also planning to install a second ASA in place of the ClearPath at another site, which also needs to have this transparent proxy feature. Maybe it's possible to request this feature from Cisco?

Federico Coto F... Thu, 05/27/2010 - 04:00

Sure. I'll agree 100% that's something that can be included in the ASAs in a future release.

I'm not aware as to why the ASA won't support it itself though.... perhaps somebody from Cisco can let us know...

I'll suggest to let your account manager know or open a TAC case.


russ Thu, 05/27/2010 - 04:08

Yeah, might try the AM option to request such a feature.

Thanks for all of your help with this.


adrian.lischka Wed, 06/30/2010 - 00:10

Hi together,

But I think you can configure the ASA to forward HTTP requests to a proxy with the WCCP feature.

But I do not have the possibility at the moment to test it.



russ Wed, 06/30/2010 - 01:11

Hi Adrian

According to the documentation, the proxy server must be located on the inside of the ASA. In this case the MessageLabs proxy is external to the ASA and also doesn't support WCCP.

MessageLabs say users that have ASA can install a ML client agent on the ISA server or use proxy-chaining. Client machines can also use the proxy setting in their browsers to point to MessageLabs; however, this of course requires additional work and time for the customer to implement, which was not necessary with their old firewall.

