We have just installed a Cisco 5510 for one of our customers in place of a ClearPath firewall. The problem is the old firewall had the capability of forwarding all Internal Web traffic to the MessageLabs external Web filtering service (proxy1.eu.webscanningservice.com) from the internal ISA server. The following commands on the ClearPath achieved this functionality:
1) cache_peer proxy1.eu.webscanningservice.com parent 3128 0 no-query
2) iptables -t nat -I LAN_dnat -p tcp --dport www -s 192.168.1.10 -j REDIRECT --to-port 8080
FYI - 1.10 is the internal ISA server.
My understanding of how this works is that the old firewall had transparent proxy capability and redirects all internal Web traffic to MessageLabs on port 3128. This means port 80 can be blocked on the firewall.
Can anyone out there confirm whether or not the ASA has the same capability or suggest a workaround?
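The ClearPath set-up in the question relies on three things lining up: the NAT REDIRECT from the ISA host, a Squid listener on the redirect port in transparent/intercept mode, and a cache_peer parent that all requests are forced through. The check below is an added example, not code from this thread or from any vendor; it parses a constructed squid.conf fragment and constructed `iptables -t nat -S` output (the thread's rule, as iptables would print it) and reports anything that would leave a direct path to the Internet before port 80 is blocked on the firewall.

```python
import re

# Constructed samples modelled on the thread's ClearPath (Squid + iptables) configuration.
SQUID_CONF = """\
http_port 8080 transparent
cache_peer proxy1.eu.webscanningservice.com parent 3128 0 no-query
never_direct allow all
"""
NAT_RULES = """\
-A LAN_dnat -s 192.168.1.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
"""

def parse_squid(conf):
    """Collect the directives that matter for a transparent parent-proxy chain."""
    info = {"intercept_ports": set(), "parents": [], "never_direct": False}
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Squid 2.x spells the mode 'transparent', Squid 3.1+ spells it 'intercept'.
        if parts[0] == "http_port" and any(k in parts[2:] for k in ("transparent", "intercept")):
            info["intercept_ports"].add(int(parts[1].rsplit(":", 1)[-1]))
        elif parts[0] == "cache_peer" and len(parts) >= 4 and parts[2] == "parent":
            info["parents"].append((parts[1], int(parts[3])))
        elif parts[:3] == ["never_direct", "allow", "all"]:
            info["never_direct"] = True
    return info

def parse_redirects(rules):
    """Return (source, dport, to_port) for each REDIRECT rule in iptables -t nat -S output."""
    pat = re.compile(r"-s (\S+).*--dport (\d+).*-j REDIRECT --to-ports? (\d+)")
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(pat.search, rules.splitlines()) if m]

def check_chain(conf, rules, src_host, parent_host, parent_port):
    """Return a list of problems; an empty list means the redirect chain is complete."""
    squid = parse_squid(conf)
    problems = []
    hits = [r for r in parse_redirects(rules) if r[0].split("/")[0] == src_host and r[1] == 80]
    if not hits:
        problems.append("no NAT REDIRECT for port 80 from %s" % src_host)
    elif not any(r[2] in squid["intercept_ports"] for r in hits):
        problems.append("REDIRECT target port is not a transparent/intercept http_port")
    if (parent_host, parent_port) not in squid["parents"]:
        problems.append("cache_peer parent %s:%d missing" % (parent_host, parent_port))
    if not squid["never_direct"]:
        problems.append("never_direct allow all missing: Squid may bypass the parent and go direct")
    return problems
```

Without `never_direct allow all`, Squid may fetch directly whenever the parent is slow or down, so the "block port 80 on the firewall" step is what actually guarantees nothing reaches the Internet unscanned.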
The ASA can be configured to redirect HTTP, HTTPS and FTP traffic to an external URL filtering server.
This URL server should be either a websense or smart filter server.
Check this link:
Hope it helps.
Thanks for the reply,
I think configuring a Websense server or Smart Filter server is not the same as a transparent proxy feature; also, you have to specify an IP address rather than a URL for the servers.
The ISA server has integrated Websense to filter URLs which the Clearpath FW then redirects to MessageLabs for malicious content filtering.
However the ASA can make use of a third-party URL-filtering server to accomplish this.
The other solutions are using regular expressions:
Or having a CSC module on the ASA:
Thanks for the info, but the CSC only works with Trend and not MessageLabs; it would also be an additional cost, and using regular expressions is not a viable option. So it seems the ASA cannot provide the same capability as some small, cheap vendor firewall?
I'm sure the ASA does a lot of advanced functions not performed by cheap firewalls.
But you're correct, the ASA is not a URL filtering device. It can redirect URLs to a URL-filtering server or can use regex or CSC, but not in the same way you're describing.
I agree, the customer is really happy with the ASA features, GUI, etc. It's just a shame it can't support such a simple feature, which could be a "show stopper". They were also planning to install a second ASA in place of the ClearPath at another site, which also needs to have this transparent proxy feature. Maybe it's possible to request this feature from Cisco?
Sure. I'll agree 100% that's something that can be included in the ASAs in a future release.
I'm not aware of why the ASA won't support it itself, though... perhaps somebody from Cisco can let us know...
I'd suggest letting your account manager know or opening a TAC case.
But I think you can configure the ASA to forward HTTP requests to a proxy with the WCCP feature.
But I do not have the possibility at the moment to test it.
According to the documentation, the proxy server must be located on the inside of the ASA. In this case the MessageLabs proxy is external to the ASA and also doesn't support WCCP.
MessageLabs say that users who have an ASA can install a ML client agent on the ISA server or use proxy chaining. Client machines can also use the proxy setting in their browsers to point to MessageLabs; however, this of course requires additional work and time for the customer to implement, which was not necessary with their old firewall.