cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9372
Views
15
Helpful
11
Replies

ASA transparent proxy feature - MessageLabs Proxy Service

russ
Level 1
Level 1

Hi

We have just installed a Cisco 5510 for one of our customers in place of a ClearPath firewall.  The problem is the old firewall had the capability of forwarding all Internal Web traffic to the MessageLabs external Web filtering service (proxy1.eu.webscanningservice.com) from the internal ISA server. The following commands on the ClearPath achieved this functionality:

1) cache_peer proxy1.eu.webscanningservice.com parent 3128 0 no-query

2) iptables -t nat -I LAN_dnat -p tcp --dport www -s 192.168.1.10 -j REDIRECT --to-port 8080

FYI - 1.10 is the internal ISA server.

My understanding of how this works is that the old firewall had transparent proxy capabilty and redirects all Internal Web traffic to MessageLabs on port 3128. This means port 80 can be blocked on the firewall.

Can anyone out there confirm whether or not the ASA has the same capabilty or suggest a workaround?

Thanks!

11 Replies 11

Hi,

The ASA can be configured to redirect HTTP, HTTPS and FTP traffic to an external URL filtering server.

This URL server should be either a websense or smart filter server.

Check this link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_filter.html#wp1045692

Hope it helps.

Federico.

Hi Federico

Thanks for the reply,

I think configuring Websense server or Smart Filter server is not the same as a transparent proxy feature, also you have to specify an IP address rather than a URL for the servers.

The ISA server has integrated Websense to filter URLs which the Clearpath FW then redirects to MessageLabs for malicious content filtering.

You're right.

However the ASA can make use of a third-party URL-filtering server to accomplish this.

The other solutions are using regular expressions:

https://supportforums.cisco.com/docs/DOC-1268

Or having a CSC module on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/csc.html

Federico.

Hi Federico

Thanks for the info, but the CSC only works with Trend and not MessageLabs, it would also be additional cost and using regular expressions is not a viable option. So it seems the ASA can not provide the same capability as some small cheap vendor firewall?

Russ,

I'm sure the ASA does a lot of advanced functions not performed by cheap firewalls.

But you're correct, the ASA is not a URL filtering device. It can redirect URLs to a URL-filtering server or can use regex or CSC, but not in the same way you're describing.

Federico.

Hi Federico

I agree, the customer is really happy with the ASA features, GUI etc its just a shame it can't support such a simple feature which could be a "show stopper". They were also planning to install a second ASA in place of the ClearPath at another site, which also needs to have this transparent proxy feature. Maybe its possible to request this feature from Cisco?

Sure. I'll agree 100% that's something that can be included in the ASAs in a future release.

I'm not aware as to why the ASA won't support it itself though.... perhaps somebody from Cisco can let us know...

I'll suggest to let your account manager know or open a TAC case.

Federico.

Yeah, might try the AM option to request such a feature.

Thanks for all of your help with this.

Russ.

Hi together,

but i think you can configure the asa to forward http request to a proxy with the wccp feature.

But i do not have the possiblility at the moment to test it.

Regards,

Adrian

Hi Adrian

According to the documentation, the proxy server must be located on the inside of the ASA. In this case the Messagelabs proxy is external to the ASA and also doesn't support WCCP.

Messagelabs say users that have ASA can install a ML client agent on the ISA server or use proxy-chaining. Client machines can also use the proxy setting in their browsers to point to Messagelabs, however this of course requires additional work and time for the customer to implement, which was not necessary with their old firewall.

Hi Russ,

your right, I read this after I have posted my comment

Regards,

Adrian

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: