07-22-2010 12:32 PM - edited 03-11-2019 11:15 AM
Does anyone know if the ASA can be configured to redirect http traffic to a Proxy Server?
Thank you,
Dave
07-22-2010 12:39 PM
As far as redirecting HTTP traffic, you can redirect using url-filtering or WCCP. URL filtering seems more like what you are wanting. It works with the following:
Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.
Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.
WCCP redirection is for sending traffic to a caching engine which is more used for speeding up connections via caching.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094445
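As an added illustration (not part of the original post), here is what the two ASA mechanisms named above look like in configuration. The server addresses, interface names and ACL names are assumptions chosen for the example; the command syntax is the ASA 7.x/8.x `url-server`, `filter` and `wccp` syntax documented in the linked guide.

```cisco
! --- Option A: url-server integration (Websense or SmartFilter) ---
! The ASA does not forward the client's traffic to the filter; it sends a
! lookup for each request and allows/denies the connection based on the reply.
! 10.1.1.5 (Websense) and 10.1.1.6 (SmartFilter) are example addresses.
url-server (inside) vendor websense host 10.1.1.5 timeout 30 protocol TCP version 4
! -- or, for SmartFilter/N2H2 (only one vendor may be active at a time):
! url-server (inside) vendor smartfilter host 10.1.1.6 port 4005 timeout 30 protocol TCP connections 5

! Filter HTTP, HTTPS and FTP from any inside host to any foreign host.
! "allow" means: if the url-server is unreachable, let traffic through
! (fail-open). Omit it for fail-closed behaviour.
filter url http 0 0 0 0 allow
filter https 443 0 0 0 0
filter ftp 21 0 0 0 0 allow

! Exempt the filter server itself so its own updates are never looked up.
filter url except 10.1.1.5 255.255.255.255 0 0

! --- Option B: WCCP redirection to a cache engine (ASA 7.2 and later) ---
! Only web traffic from 10.0.0.0/8 is redirected, and only the cache at
! 10.1.1.7 is accepted as a WCCP peer.
access-list WCCP-REDIRECT extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list WCCP-CACHES extended permit ip host 10.1.1.7 any
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHES
wccp interface inside web-cache redirect in
```

Two practitioner caveats: `filter url ... allow` is a fail-open setting, so decide deliberately whether an outage of the filter server should block or permit web access; and with WCCP the cache engine must sit on the same interface the redirect is applied to (here `inside`), because the ASA only supports WCCP redirection on the ingress interface.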
07-22-2010 12:44 PM
August,
Thank you for the response. Unfortunately, in this case it is a web filter like WebSense, but it is not one supported through the url-server command.
And, it is not a cache engine either.
Any other options?
Thank you,
Dave
07-22-2010 12:52 PM
Unfortunately, these are the only ways I know of for an ASA to redirect HTTP.
Some alternative non-ASA ways would be to use a router before the ASA to do policy-based routing for all HTTP traffic to a different next hop (i.e. the filtering server). The ASA doesn't support Policy Based Routing, that's why it is not an option on the ASA. Or to run the filter transparently inline between the ASA and inside (I don't know too much about this feature).
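The policy-based routing alternative mentioned above, written out as an added example (not from the original post). It assumes an IOS router or L3 switch between the LAN and the ASA inside interface, a LAN of 10.0.0.0/8, a filtering proxy at 10.1.1.5, and a LAN-facing interface named GigabitEthernet0/1; all of those are assumptions.

```cisco
! Match only client web traffic. The first two lines are important: if the
! proxy's own outbound HTTP were also redirected to the proxy, it would loop.
ip access-list extended HTTP-TO-FILTER
 deny   tcp host 10.1.1.5 any eq www
 deny   tcp host 10.1.1.5 any eq 443
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny   ip any any

! Matching packets get the filter as their next hop; everything else follows
! the normal routing table toward the ASA.
route-map REDIRECT-HTTP permit 10
 match ip address HTTP-TO-FILTER
 set ip next-hop 10.1.1.5

! PBR is applied inbound on the interface the clients arrive on.
interface GigabitEthernet0/1
 description LAN-facing interface, clients enter here
 ip policy route-map REDIRECT-HTTP
```

Check it with `show route-map REDIRECT-HTTP` (the policy-routing match counters increment as client HTTP flows hit it) and `show ip policy`. Note that PBR only steers the client-to-server direction; the filter must be able to return replies to the clients by normal routing, and it must be able to reach the ASA without its own traffic matching the route-map, which is what the `deny` entries above guarantee.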
07-22-2010 01:00 PM
August,
Again, thank you for the reply. Your last option (transparent between the internal network and the ASA) was my recommendation. However, the filter box can only use 1 nic.
Thank you,
Dave
07-22-2010 01:06 PM
Hmm, what about the policy based routing option? Is there a router or L3 switch behind the ASA that could support policy based routing?
07-23-2010 08:24 PM
Dave,
If my memory serves me right, with the Websense platform you can go two ways...
Option 1) PIX/ASA integration using the url-server keyword.
As you noted, this option is out... So lets roll on to.....
Option 2) Span session based redirect
The other way Websense can work is by spanning your internet traffic to the monitoring port of the Websense appliance. When configured as such, it watches the HTTP traffic similar to a promiscuous IPS would. When it detects a web connection that should be blocked, it generates two RESET packets and sends one towards the HTTP client and one towards the HTTP server. In this config you need to use the 'monitor session' keywords on a switch that the inside of the ASA connects to. You would then span that port (the one between the ASA inside interface and your switch) to the Websense monitor port.
Is option 2 what you are looking for?
- Magnus
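The SPAN session described in Magnus's option 2, as an added example (not part of his post). It assumes a Catalyst switch where the ASA inside interface is on GigabitEthernet1/0/1, the Websense monitor NIC is on GigabitEthernet1/0/24, and the client VLAN is VLAN 10; these are all assumptions.

```cisco
! Mirror both directions of the ASA-facing port so the filter sees the full
! TCP conversation (it needs sequence numbers from both sides to forge RSTs).
monitor session 1 source interface GigabitEthernet1/0/1 both

! A plain SPAN destination port only transmits mirrored frames; it drops
! anything the attached host sends. Because the box here has a single NIC,
! the RST packets it generates must be allowed back in through the same port.
! The "ingress" option (Catalyst 3560/3750-class and later) does that, placing
! the injected frames into VLAN 10.
monitor session 1 destination interface GigabitEthernet1/0/24 ingress untagged vlan 10

! Verify:
!   show monitor session 1
```

Two things to check before relying on this: run `show monitor session 1` and confirm the destination shows the ingress setting, and test with a known-blocked URL from a client, watching for the RST on the client side. RST-based blocking is a race between the filter and the real server, so a fast server can occasionally deliver the first response bytes before the reset arrives; it is enforcement-by-interruption, not an inline block, which is the trade-off for needing only one NIC.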