IronPort URL filter for remote office


Hello IronPort Expert,

I ran into a problem and hope someone can give me an idea of how to work around this.

Between the HQ ASA and the remote office ASA a VPN is set up, but remote internet traffic does not get inspected by the HQ IronPort.
Is there a way to do this? Here are the details:

There is a layer 2 link between HQ and the remote office for the site-to-site VPN. The HQ and remote ASAs each have a dedicated interface for setting up this VPN on the layer 2 link.

The VPN is working fine, but when the remote internet traffic browses through HQ it does not get inspected by IronPort.

The HQ IronPort is configured as transparent. The internet traffic from the remote site leaves the remote ASA and arrives at the HQ ASA, then immediately travels to the outside interface of the HQ ASA toward the internet. Can this internet traffic be redirected to the IronPort before it goes out to the internet? The HQ ASA has WCCP set up with a redirect on the inside interface; another WCCP redirect was also added on the VPN interface of the HQ ASA, and when tested, the response was that the web page cannot be displayed. Here is the WCCP setup on the HQ ASA:
wccp 90 redirect-list IRONPORT_HTTP
wccp interface inside 90 redirect in
wccp interface toMTL 90 redirect in  -- removed to get the internet working (the toMTL interface is for the VPN to the remote office)

Thank you.

edadios Mon, 08/30/2010 - 03:25

Please go through this document.

Please note the first limitation:

The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

I would suggest that you discuss with your Cisco ASA sales representative lobbying for this ASA limitation to be addressed in a future release.

If the traffic from the remote network really needs to go through the WSA, for now you will need to explicitly forward the client traffic through the VPN tunnel to the WSA at the headend.



Thanks again for your response. You are correct about the limitation of the WSA on the ASA.

The HQ ASA has a default route to the next hop for internet traffic; when remote internet traffic arrives at the HQ ASA it immediately goes to the internet without going through the WSA. If all remote traffic (data and internet) goes through the WSA, will the WSA:

1. Route remote data traffic to the internal network

2. and route remote internet traffic to the outside interface of the HQ ASA for the internet after inspection?

The existing WCCP setup on the WSA uses service ID 90 with the router address set to the inside IP address of the HQ ASA.

I can set up another WCCP service for remote traffic with the router address set to the inside IP address of the HQ ASA for testing.

Remote traffic --- SW --- ASA --- Layer2 Link ---- HQ ASA --- SW --- WSA



Let me know your thoughts.

Thank you.

edadios Thu, 09/02/2010 - 18:04

One option for you, for now, would be to configure the remote network traffic for explicit forward redirection.

This will mean either pointing the browser at the WSA proxy, or configuring a WPAD/PAC file. This will all depend on how the remote traffic is routed through the VPN.

The WSA follows the routing configured on it. The remote traffic will first have to reach the WSA to be proxied; the WSA then handles forwarding of the proxied traffic. Whether the client traffic reaches the WSA will depend on the VPN routing.

I would suggest that you consult with your Cisco IronPort sales/systems engineer for the best design for your scenario, as it is harder to work out without a clear picture of what the VPN is and how the remote-end traffic is routed.

I hope this information helps you.
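Both replies above recommend explicit forwarding from the remote clients to the WSA instead of WCCP on the VPN interface. The PAC file below is an added example written for this thread; it is not from the original posts, from Cisco, or from the WSA documentation. It assumes a WSA explicit-proxy listener at 10.1.1.50:3128 (3128 is the WSA's default proxy port; the address is made up), internal address space of 10.0.0.0/8 and 192.168.0.0/16, and an internal domain of corp.example. Internal destinations go DIRECT so that the remote office's data traffic is not proxied, while everything else is sent to the WSA across the VPN. It is written without the PAC built-ins (isInNet, dnsDomainIs) so that it can also be run and tested under Node; browsers only ever call FindProxyForURL.

```javascript
// Added example PAC file (not from the original thread). Assumed values:
//   WSA explicit-proxy listener: 10.1.1.50:3128 (WSA default proxy port)
//   Internal networks: 10.0.0.0/8, 192.168.0.0/16, loopback
//   Internal DNS domain: corp.example
var WSA_PROXY = "PROXY 10.1.1.50:3128";

var INTERNAL_NETS = [
  ["10.0.0.0", 8],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8]
];
var INTERNAL_DOMAINS = [".corp.example"];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number,
// or return null if the string is not a valid IPv4 address.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the IPv4 literal `ip` falls inside net/bits. Non-IP hosts
// return false; no DNS lookup is performed (unlike the PAC built-in isInNet).
function inCidr(ip, net, bits) {
  var a = ipToInt(ip), b = ipToInt(net);
  if (a === null || b === null) return false;
  if (bits === 0) return true;
  var mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Internal = unqualified hostname, an IP in an internal range, or a name
// under an internal domain.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inCidr(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  for (var j = 0; j < INTERNAL_DOMAINS.length; j++) {
    var d = INTERNAL_DOMAINS[j];
    if (host === d.slice(1)) return true;
    if (host.length > d.length && host.slice(-d.length) === d) return true;
  }
  return false;
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback after the proxy: if the WSA is
  // unreachable the browser fails closed rather than silently bypassing
  // the web filter, which is the whole point of sending traffic via HQ.
  return WSA_PROXY;
}
```

Serve this file from an internal web server reachable over the VPN and publish it either as a fixed PAC URL in the browser settings or via WPAD (a DHCP option 252 entry or a `wpad` DNS record pointing at the file). The remote ASA still needs to route the WSA's address into the tunnel, and the WSA needs a route back to the remote office subnet, since, as noted above, the WSA forwards according to its own routing table. Keep the `DIRECT` list tight: every entry in it is a destination the WSA never sees.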
