Using ASA 5510 as a proxy

Unanswered Question
Aug 25th, 2010

I am trying to use my 5510 to treat traffic from my LAN to our MPLS and to the Internet in two different ways. Traffic from the LAN to corporate resources should be unmolested; however, the MPLS is providing Internet access via a proxy server that is managed by the ISP. I want all this traffic scanned but not blocked. I also want to be able to specify certain people who can use my public Internet link, which I want scanned and governed by a strict white/black list ACL, while not disturbing their path to the MPLS corporate resources. I am trying to figure out the best way to do this. I know it will involve some combination of route maps and static/default routes, but I am not clear on the last 10% of how to accomplish this. I have a 6500 series switch behind the ASA that I hope to accomplish the routing with. Any ideas / guidance would be appreciated.

Jennifer Halim Thu, 08/26/2010 - 04:31

I am assuming that both corporate resources and Internet connection goes through the ISP MPLS network.

"Traffic from LAN to corporate resources should be unscanned/blocked" --> check with your ISP whether they are scanning internal traffic, i.e. traffic between the LAN and corporate resources, or whether they are only scanning traffic that is leaving for the Internet.

"I want all this traffic scanned but not blocked." --> this really depends on what your ISP proxy server is doing: are they doing scanning only, or scanning plus web filtering?

"I also want to be able to specify certain people that can use my public internet link which I want scanned and will be governed by a strict white/black list ACL" --> again, this really depends on what is configured on your ISP proxy server.

"while undisturbing their path to the MPLS corporate resources" --> how do you determine what proxy server to use? Through a PAC file, or transparently through your ISP proxy server? I would confirm with the ISP whether they are doing proxy inspection for corporate resources traffic as well as Internet traffic.

I don't think route-maps/static will work, if both corporate resources and Internet is through 1 MPLS link. The differentiation would be within the MPLS network itself, which I believe is managed by your ISP, right?

mscha2000 Thu, 08/26/2010 - 14:59


Thanks so much for your input. I think you misunderstood slightly or I missed something in my explanation. You are correct that Internet (through the ISP proxy) and access to corporate resources are over the same MPLS link. They do not do any scanning on the non-HTTP traffic, and the HTTP traffic is only scanned if the proxy PAC is applied to the browser. They are using web filtering and some scanning that is not stateful here.

Separate from this MPLS link is a link that I purchased through a different provider that is not going through the MPLS and has nothing to do with it. What I'm really trying to accomplish is to 1. add the capability to scan/monitor and report what is destined for the MPLS (corporate or Internet), and 2. provide access selectively to the public Internet as an alternative way to connect to the public. I do not have any proxy server set up on this public access (that is partially what I am trying to figure out: do I need one, etc.).

Is that more clear?

Thanks so much for your help,

Jennifer Halim Sun, 08/29/2010 - 06:05

1) I don't understand how you are going to extend the proxy/scanning functionality if your ISP is the one who manages the proxy functionality. Unless you have access to the proxy portal, I don't think you can have any extra functionality/feature.

2) Once you have configured the browser to use a PAC file for HTTP/HTTPS traffic, all web traffic will be routed towards that particular proxy server, which will then use your MPLS link. If you have another public connection and you only want scanning to be done by your first ISP via MPLS and then route the traffic back towards the other public link, I don't think it is possible (even if it were possible, your first ISP wouldn't want traffic which is not destined towards their network to go through their network just for scanning).

If you would like to scan web traffic destined for another public Internet link, then you would need to request the same type of service (proxy server) through your second ISP/public Internet provider. Or alternatively, you can purchase/manage a proxy server yourself (i.e., for Cisco products: IronPort for an appliance, or ScanSafe for a cloud service).

mscha2000 Mon, 08/30/2010 - 13:41

In my attachment, I'm not sure if you can see it or not.  It illustrates the separation of the MPLS and the public internet.  This is actually a rather standard configuration that I know many companies are already implementing. 

Traffic to the MPLS takes the default route; traffic to the MPLS with the ISP proxy applied also goes through the default route.

Traffic that I want to use the public Internet will have to be directed via either a static route or a route map.

I want to scan traffic into and out of my LAN coming from both the public Internet and the MPLS regardless of what they are doing, because I have no real insight into what they are doing. My company is part of a large conglomerate that has global rules that we must follow. I have no visibility into the traffic passing to the MPLS other than NetFlow on the MPLS router interface that is facing my LAN.

I am just trying to figure out how to scan all traffic that traverses the firewall and how to provide a secondary public internet access selectively.
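The thread keeps coming back to the PAC file as the thing that decides whether a browser talks to the ISP proxy over the MPLS link or goes out directly. As an added example, not part of the original thread and not the ISP's or the poster's configuration, the PAC below makes that split explicit: corporate destinations go DIRECT, ordinary web traffic goes to the ISP proxy (and therefore down the default route towards the MPLS), and a short list of approved client addresses is sent DIRECT so the 6500 behind the ASA can policy-route their traffic onto the separately purchased public link. All addresses, the corporate domain, the proxy host:port and the approved-user list are assumed placeholders. The PAC built-ins (`myIpAddress()`, `isInNet()`, and so on) exist only inside a browser, so the decision logic is factored into `decide()` and the address matching is written in plain JavaScript; this lets the file be checked under Node before it is deployed.

```javascript
// Added example (not from the thread): a PAC file that separates corporate,
// ISP-proxied and "approved for the public link" traffic.
// Every address, hostname, port and list entry below is an assumed placeholder.

// Assumed corporate address space reachable over the MPLS link; the browser
// never sends these to the proxy.
var CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];
var CORPORATE_DOMAIN = ".corp.example";

// Assumed ISP-managed proxy reached over the MPLS link. Deliberately no
// "; DIRECT" fallback: if the proxy is down, web traffic fails closed
// instead of leaving unscanned via the default route.
var ISP_PROXY = "PROXY 10.255.0.10:8080";

// Assumed LAN addresses of users allowed to use the public link. They get
// DIRECT so their web traffic reaches the 6500 and can be policy-routed to
// the public link; everyone else goes through the ISP proxy.
var PUBLIC_LINK_USERS = ["10.1.20.15", "10.1.20.16", "10.1.30.0/24"];

// Dotted-quad string -> integer, or null if the string is not a valid IPv4.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if ip lies inside cidr ("a.b.c.d/len", or a bare host address).
// Uses division rather than shifts to stay clear of 32-bit signed arithmetic.
function inCidr(ip, cidr) {
  var split = cidr.split("/");
  var net = ipToInt(split[0]);
  var bits = split.length === 2 ? Number(split[1]) : 32;
  var addr = ipToInt(ip);
  if (net === null || addr === null || bits < 0 || bits > 32) return false;
  var block = Math.pow(2, 32 - bits);
  return Math.floor(addr / block) === Math.floor(net / block);
}

function inAnyCidr(ip, list) {
  for (var i = 0; i < list.length; i++) {
    if (inCidr(ip, list[i])) return true;
  }
  return false;
}

// Corporate = plain hostname (resolved by internal DNS), the corporate
// domain, or an IP literal inside the corporate prefixes.
function isCorporateHost(host) {
  var h = String(host).toLowerCase();
  if (h.indexOf(".") === -1) return true;
  if (h.length > CORPORATE_DOMAIN.length &&
      h.slice(-CORPORATE_DOMAIN.length) === CORPORATE_DOMAIN) return true;
  if (ipToInt(h) !== null && inAnyCidr(h, CORPORATE_PREFIXES)) return true;
  return false;
}

// The actual policy. Kept separate from FindProxyForURL so it can be run
// outside a browser with an explicit client address.
function decide(url, host, clientIp) {
  if (isCorporateHost(host)) return "DIRECT";          // MPLS corporate path, untouched
  if (inAnyCidr(clientIp, PUBLIC_LINK_USERS)) return "DIRECT"; // policy-routed to public link
  return ISP_PROXY;                                     // everyone else: ISP proxy over MPLS
}

// Browser entry point; myIpAddress() is a PAC built-in supplied by the browser.
function FindProxyForURL(url, host) {
  return decide(url, host, myIpAddress());
}

// Constructed sample requests (not from the thread) for a dry run under Node,
// where the PAC built-ins do not exist.
if (typeof myIpAddress === "undefined") {
  var samples = [
    ["http://intranet/", "intranet", "10.1.40.7"],
    ["http://www.example.com/", "www.example.com", "10.1.40.7"],
    ["http://www.example.com/", "www.example.com", "10.1.20.15"]
  ];
  samples.forEach(function (s) {
    console.log(s[1] + " from " + s[2] + " -> " + decide(s[0], s[1], s[2]));
  });
}
```

Two caveats a practitioner would want stated. First, a client address in a PAC file is a routing hint, not an access control: anyone who edits their proxy settings or spoofs an address gets DIRECT, so the same approved-user list has to be enforced again in the ACL that the 6500's route-map matches on and in the ASA's rules on the public interface, and the PAC should be served from a location the users cannot modify. Second, `myIpAddress()` returns the host's primary address, which is unreliable on multi-homed machines or when a VPN adapter is up, so test the PAC from a representative client before trusting the split.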
