Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1584
Views
0
Helpful
5
Replies

Proxy Server in DMZ

Go to solution
rmujeeb81
Level 1
Level 1

ā€Ž07-03-2010 11:47 PM - edited ā€Ž03-11-2019 11:07 AM

Dear All,

I have an ASA 5520 with inside, outside, and DMZ interfaces. I want to install a proxy server in  DMZ and have all my inside hosts go to the proxy first, before accessing the internet. If I don't want to configure a proxy-server address on each of my internal hosts, is there a way to configure port redirection on the ASA to automaticaly send all outbound internet traffic to the proxy server?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to rmujeeb81

ā€Ž07-04-2010 01:38 AM

As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.

WCCP only supports traffic being redirected through the same interface.

As per the following:

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

quoted from:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

ā€Ž07-04-2010 12:10 AM

ASA only supports N2H2 or Websense to perform URL filtering via the ASA itself, without having to configure proxy server settings on the inside hosts.

Alternatively, if the proxy server supports WCCP, that also works with ASA, however, proxy server needs to be connected to the inside interface as well where the internal hosts are connected. Proxy server can't be connected to the DMZ while the traffic is from inside.

Hope that helps.

0 Helpful

Go to solution
rmujeeb81
Level 1
Level 1
In response to Jennifer Halim

ā€Ž07-04-2010 12:21 AM

Hi,

The proxy is actually ISA and we will install it in DMZ as one leg design. If there is no option to redirect web traffic to ISA then we have last option of using proxy ip address in web browsers ?

Thanks

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to rmujeeb81

ā€Ž07-04-2010 12:23 AM

Unfortunately there is no other option on ASA but to configure the proxy ip address on the web browser.

0 Helpful

Go to solution
rmujeeb81
Level 1
Level 1
In response to Jennifer Halim

ā€Ž07-04-2010 12:49 AM

Hi,

Thanks for your response.

What about using WCCP,

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html

Thanks

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to rmujeeb81

ā€Ž07-04-2010 01:38 AM

As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.

WCCP only supports traffic being redirected through the same interface.

As per the following:

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

quoted from:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card