ASA as an HTTP proxy

August Ritchie Thu, 07/22/2010 - 12:39

As far as redirecting HTTP traffic goes, you can redirect using URL filtering or WCCP. URL filtering seems more like what you are wanting. It works with the following:

  • Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.

  • Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.


WCCP redirection is for sending traffic to a caching engine, which is used more for speeding up connections via caching.
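For reference, this is what the URL-filtering integration the post refers to looks like on an ASA. It is an added example, not configuration from the original thread; the interface name and the addresses (inside LAN 192.0.2.0/24, Websense server 192.0.2.10) are assumptions.

```cisco
! Added example (not from the thread). Assumed: inside LAN 192.0.2.0/24,
! Websense server 192.0.2.10 reachable through the "inside" interface.
!
! Point the ASA at the Websense server (TCP, Websense protocol version 4).
url-server (inside) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4
!
! Filter HTTP, HTTPS and FTP from all inside hosts to all destinations.
! "allow" is fail-open: if the url-server is unreachable, traffic passes
! unfiltered. Drop it to fail closed (web access stops while the server is down).
! "proxy-block" stops clients from reaching an external HTTP proxy to bypass
! the filter; "longurl-truncate" sends only the host part of over-long URLs
! instead of silently not filtering them.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
!
! Never filter the Websense server's own traffic.
filter url except 192.0.2.10 255.255.255.255 0.0.0.0 0.0.0.0
!
! Buffer web server responses while the ASA waits for the url-server verdict,
! so the first bytes of a blocked page cannot leak to the client.
url-block block 128
url-block url-mempool 1500
url-block url-size 4
!
! Verification
show url-server
show url-server statistics
show url-block block statistics
```

Note that the filter is a lookup, not a proxy: the ASA still forwards the client connection itself and only asks the url-server whether to permit it. Decide deliberately whether `allow` (fail-open) is acceptable for your environment; `show url-server` will tell you whether the server is currently marked up.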

August Ritchie Thu, 07/22/2010 - 12:52

Unfortunately, these are the only ways I know of for an ASA to redirect HTTP.

Some alternative non-ASA ways would be to use a router before the ASA to do policy-based routing for all HTTP traffic to a different next hop (i.e. a filtering server). The ASA doesn't support policy-based routing; that's why it is not an option on the ASA. Or run the filter transparently inline between the ASA and the inside network (I don't know too much about this feature).

August Ritchie Thu, 07/22/2010 - 13:06

Hmm, what about the policy-based routing option? Is there a router or L3 switch behind the ASA that could support policy-based routing?
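The policy-based routing alternative discussed in the two posts above, as an added example on an IOS router or L3 switch (not from the original thread). The topology is assumed: inside LAN 192.0.2.0/24 on Gi0/1, a filtering server at 198.51.100.2 on Gi0/2, and the ASA as the router's default route.

```cisco
! Added example (not from the thread). Assumed topology: an IOS router or L3
! switch sits between the inside LAN and the ASA. Inside LAN 192.0.2.0/24 on
! Gi0/1 (router 192.0.2.1), filtering server 198.51.100.2 on Gi0/2, ASA inside
! interface reached via the router's default route (not shown).
!
! Match only client web traffic; everything else follows the routing table.
ip access-list extended HTTP-TO-FILTER
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
!
! Send matching packets to the filter instead of the ASA. Keeping the filter on
! its own interface matters: its outbound traffic arrives on Gi0/2, is not
! policy-routed, and continues to the ASA normally, so there is no loop.
route-map PBR-HTTP permit 10
 match ip address HTTP-TO-FILTER
 set ip next-hop 198.51.100.2
!
interface GigabitEthernet0/1
 description Inside LAN (clients)
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map PBR-HTTP
!
interface GigabitEthernet0/2
 description Filtering server
 ip address 198.51.100.1 255.255.255.252
!
! Verification
show ip policy
show route-map PBR-HTTP
```

Caveat: if Gi0/2 goes down, PBR falls back to ordinary routing and clients reach the ASA unfiltered, so this design is fail-open unless you add tracking of the next hop or block port 80/443 on the ASA for sources other than the filter.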

Magnus Mortensen Fri, 07/23/2010 - 20:24


If my memory serves me right, with the Websense platform you can go two ways...

Option 1) PIX/ASA integration using the url-server keyword.

As you noted, this option is out... So let's roll on to...

Option 2) SPAN session based redirect

The other way Websense can work is by spanning your internet traffic to the monitoring port of the Websense appliance. When configured as such, it watches the HTTP traffic similarly to how a promiscuous IPS would. When it detects a web connection that should be blocked, it generates two RESET packets and sends one towards the HTTP client and one towards the HTTP server. In this config you need to use the 'monitor session' keywords on a switch that the inside of the ASA connects to. You would then span that port (the one between the ASA inside interface and your switch) to the Websense monitor port.

Is option 2 what you are looking for?

- Magnus
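The SPAN session Magnus describes, as an added example on a Catalyst switch (not configuration from the thread). The port numbers are assumptions: the ASA inside interface on Gi1/0/1, the Websense monitoring NIC on Gi1/0/2.

```cisco
! Added example (not from the thread). Assumed: on the Catalyst switch below the
! ASA, the ASA inside interface plugs into Gi1/0/1 and the Websense monitoring
! NIC into Gi1/0/2.
!
! Copy everything the ASA inside port sends and receives to the monitor port.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/2
!
! Verification
show monitor session 1
```

Two things to check before relying on this. A SPAN destination port does not accept frames from the attached device by default, so the appliance needs a second NIC on a normal switch port (or the `ingress` option on the destination, where the platform supports it) to send its RST packets. And because enforcement depends on the appliance's RST reaching the client before the real server response does, blocking is best effort: a fast server can get content to the client first, and encrypted HTTPS payloads cannot be inspected at all, only the destination.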

