Cisco Support Community
Community Member

ASA CX remote proxy with local Internet traffic to go out


I am designing a site-to-site VPN with ASA 5512-X devices. The main site will have an ASA with CX web and apps filtering and AD-based users authenticating on the ASA CX. The remote site users are AD-based users as well, talking to the AD server in the main site over the VPN.

What I want to achieve is that remote AD users are web filtered on the ASA CX in the main site (the remote site ASA CX will not have the license) but the Internet traffic will go out locally on the remote site, without the whole traffic flowing back and forth between the sites, only CX authentication for web and apps security. Is that possible at all?

I know you can easily achieve remote site CX authentication with the Internet traffic going out on the main site. The scenario with the remote site traffic going first to the main site (over VPN), coming back to the remote site and coming out of the local Internet connection on the remote site does not make much sense, but it would be very interesting if on the remote site I could do remote proxy for authentication (ASA CX main site) but the Internet traffic would not cross the VPN and would be locally routed.

In case this is possible with an ASA in the remote site, would it also be possible with a router in the remote site?

Please advise, Marvin, and hopefully you can get back to me very soon.

Best regards,

