ASA as an http proxy

davep
Level 1

Does anyone know if the ASA can be configured to redirect http traffic to a Proxy Server?

Thank you,

Dave

6 Replies

August Ritchie
Level 1

As far as redirecting HTTP traffic, you can redirect using url-filtering or wccp. URL filtering seems more like what you are wanting. It works with the following:

  • Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.

  • Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.

  • http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

    WCCP redirection is for sending traffic to a caching engine, which is used more for speeding up connections via caching.

    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094445

    August,

    Thank you for the response. Unfortunately, in this case it is a web filter like WebSense, but it is not one supported through the url-server command.

    And, it is not a cache engine either.

    Any other options?

    Thank you,

    Dave

    Unfortunately, these are the only ways I know of for an ASA to redirect HTTP.

    Some alternative non-ASA ways would be to use a router before the ASA to do policy-based routing for all HTTP traffic to a different next hop (i.e. filtering server). The ASA doesn't support Policy Based Routing, that's why it is not an option on the ASA. Or to run the filter transparently inline between the ASA and inside (I don't know too much about this feature).

    August,

    Again, thank you for the reply. Your last option (transparent between the internal network and the ASA) was my recommendation. However, the filter box can only use 1 nic.

    Thank you,

    Dave

    Hmm, what about the policy based routing option? Is there a router or L3 switch behind the ASA that could support policy based routing?

    Dave,

         If my memory serves me right, with the Websense platform you can go two ways...

    Option 1) PIX/ASA integration using the url-server keyword.

         As you noted, this option is out... So let's roll on to.....

    Option 2) Span session based redirect

         The other way Websense can work is by spanning your internet traffic to the monitoring port of the Websense appliance. When configured as such, it watches the HTTP traffic similar to how a promiscuous IPS would. When it detects a web connection that should be blocked, it generates two RESET packets and sends one towards the HTTP client and one towards the HTTP server. In this config you need to use the 'monitor session' keywords on a switch that the inside of the ASA connects to. You would then span that port (the one between the ASA inside interface and your switch) to the Websense monitor port.

    Is option 2 what you are looking for?

    - Magnus
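
The SPAN setup described in Option 2, as an added example that is not part of the original thread: a Cisco IOS switch configuration sketch in which the interface names, session number and VLAN 10 are assumptions. Because the filter in this thread has a single NIC, the destination port is shown with ingress forwarding enabled so that resets sent by the filter are accepted by the switch; the `ingress` syntax varies by switch platform, and whether a given filter can monitor and block on one NIC is also an assumption.

```cisco
! Constructed example: interface names, session number and VLAN are assumptions.
!   GigabitEthernet0/1 = switch port connected to the ASA inside interface
!   GigabitEthernet0/2 = switch port connected to the filter's single NIC
!   VLAN 10            = inside VLAN that the filter's resets should enter
!
! Clear any previous definition of this session
no monitor session 1
!
! Mirror both directions of the ASA-facing port, so the filter sees
! client requests and server responses before they cross the firewall.
monitor session 1 source interface GigabitEthernet0/1 both
!
! A plain SPAN destination only transmits mirrored frames; the switch
! drops anything the attached device sends. That form would be:
!   monitor session 1 destination interface GigabitEthernet0/2
! With it, a one-NIC filter can watch traffic but its resets never
! reach the client or the server.
!
! Destination with ingress forwarding: frames the filter sends on this
! port are accepted and switched in VLAN 10.
monitor session 1 destination interface GigabitEthernet0/2 ingress vlan 10
!
! Verify from exec mode:
!   show monitor session 1
```

SPAN is best effort: if the switch drops mirrored frames under load, the filter does not see those connections and cannot reset them.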
