ā07-03-2010 11:47 PM - edited ā03-11-2019 11:07 AM
Dear All,
I have an ASA 5520 with inside, outside, and DMZ interfaces. I want to install a proxy server in DMZ and have all my inside hosts go to the proxy first, before accessing the internet. If I don't want to configure a proxy-server address on each of my internal hosts, is there a way to configure port redirection on the ASA to automaticaly send all outbound internet traffic to the proxy server?
Thanks
Solved! Go to Solution.
ā07-04-2010 01:38 AM
As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.
WCCP only supports traffic being redirected through the same interface.
As per the following:
WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
quoted from:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628
ā07-04-2010 12:10 AM
ASA only supports N2H2 or Websense to perform URL filtering via the ASA itself, without having to configure proxy server settings on the inside hosts.
Alternatively, if the proxy server supports WCCP, that also works with ASA, however, proxy server needs to be connected to the inside interface as well where the internal hosts are connected. Proxy server can't be connected to the DMZ while the traffic is from inside.
Hope that helps.
ā07-04-2010 12:21 AM
Hi,
The proxy is actually ISA and we will install it in DMZ as one leg design. If there is no option to redirect web traffic to ISA then we have last option of using proxy ip address in web browsers ?
Thanks
ā07-04-2010 12:23 AM
Unfortunately there is no other option on ASA but to configure the proxy ip address on the web browser.
ā07-04-2010 12:49 AM
Hi,
Thanks for your response.
What about using WCCP,
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html
Thanks
ā07-04-2010 01:38 AM
As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.
WCCP only supports traffic being redirected through the same interface.
As per the following:
WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
quoted from:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: