ASA transparent proxy feature - MessageLabs Proxy Service

Hi

We have just installed a Cisco 5510 for one of our customers in place of a ClearPath firewall.  The problem is the old firewall had the capability of forwarding all Internal Web traffic to the MessageLabs external Web filtering service (proxy1.eu.webscanningservice.com) from the internal ISA server. The following commands on the ClearPath achieved this functionality:

1) cache_peer proxy1.eu.webscanningservice.com parent 3128 0 no-query

2) iptables -t nat -I LAN_dnat -p tcp --dport www -s 192.168.1.10 -j REDIRECT --to-port 8080

FYI - 1.10 is the internal ISA server.

My understanding of how this works is that the old firewall had transparent proxy capability and redirects all Internal Web traffic to MessageLabs on port 3128. This means port 80 can be blocked on the firewall.

Can anyone out there confirm whether or not the ASA has the same capability or suggest a workaround?

Thanks!
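
The two commands quoted in the post fit together as a Squid interception setup: `cache_peer` is a Squid directive, and the iptables rule hands the ISA server's port-80 traffic to a local listener on 8080. The sketch below is an added example, not part of the original post and not the ClearPath's actual configuration; the local Squid instance and the ACL name `isa_server` are assumptions.

```conf
# squid.conf: constructed sketch of the behaviour described in the post.
# Assumes the old firewall ran Squid locally on port 8080, the port the
# iptables REDIRECT rule points at.

# Accept connections that arrive via the NAT redirect rather than being
# addressed to the proxy. Squid 3.1+ uses "intercept"; older releases
# use "transparent".
http_port 8080 intercept

# Only the ISA server (192.168.1.10 in the post) may use this proxy.
# The ACL name "isa_server" is an assumption.
acl isa_server src 192.168.1.10
http_access allow isa_server
http_access deny all

# Upstream parent from the post: MessageLabs on TCP 3128, no ICP queries.
# "default" marks it as the last-resort parent.
cache_peer proxy1.eu.webscanningservice.com parent 3128 0 no-query default

# Never fetch from origin servers directly. If the parent is unreachable,
# requests fail instead of bypassing the filtering service.
never_direct allow all

# Companion NAT rule, exactly as quoted in the post (LAN_dnat is that
# firewall's own chain):
#   iptables -t nat -I LAN_dnat -p tcp --dport www -s 192.168.1.10 -j REDIRECT --to-port 8080
```

With this arrangement the only web flow leaving the firewall is its own connection to the parent on TCP 3128, which is why outbound port 80 could be blocked.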

11 REPLIES

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi,

The ASA can be configured to redirect HTTP, HTTPS and FTP traffic to an external URL filtering server.

This URL server should be either a websense or smart filter server.

Check this link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_filter.html#wp1045692

Hope it helps.

Federico.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi Federico

Thanks for the reply,

I think configuring a Websense server or Smart Filter server is not the same as a transparent proxy feature; also, you have to specify an IP address rather than a URL for the servers.

The ISA server has integrated Websense to filter URLs which the Clearpath FW then redirects to MessageLabs for malicious content filtering.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

You're right.

However the ASA can make use of a third-party URL-filtering server to accomplish this.

The other solutions are using regular expressions:

https://supportforums.cisco.com/docs/DOC-1268

Or having a CSC module on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/csc.html

Federico.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi Federico

Thanks for the info, but the CSC only works with Trend and not MessageLabs. It would also be an additional cost, and using regular expressions is not a viable option. So it seems the ASA cannot provide the same capability as some small cheap vendor firewall?

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Russ,

I'm sure the ASA does a lot of advanced functions not performed by cheap firewalls.

But you're correct, the ASA is not a URL filtering device. It can redirect URLs to a URL-filtering server or can use regex or CSC, but not in the same way you're describing.

Federico.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi Federico

I agree, the customer is really happy with the ASA features, GUI, etc.; it's just a shame it can't support such a simple feature, which could be a "show stopper". They were also planning to install a second ASA in place of the ClearPath at another site, which also needs to have this transparent proxy feature. Maybe it's possible to request this feature from Cisco?

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Sure. I'll agree 100% that's something that can be included in the ASAs in a future release.

I'm not aware as to why the ASA won't support it itself though.... perhaps somebody from Cisco can let us know...

I'll suggest letting your account manager know or opening a TAC case.

Federico.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Yeah, might try the AM option to request such a feature.

Thanks for all of your help with this.

Russ.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi all,

But I think you can configure the ASA to forward HTTP requests to a proxy with the WCCP feature.

But I do not have the possibility to test it at the moment.

Regards,

Adrian

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi Adrian

According to the documentation, the proxy server must be located on the inside of the ASA. In this case the MessageLabs proxy is external to the ASA and also doesn't support WCCP.

MessageLabs say users that have an ASA can install an ML client agent on the ISA server or use proxy-chaining. Client machines can also use the proxy setting in their browsers to point to MessageLabs; however, this of course requires additional work and time for the customer to implement, which was not necessary with their old firewall.

Re: ASA transparent proxy feature - MessageLabs Proxy Service

Hi Russ,

You're right, I read this after I had posted my comment.

Regards,

Adrian
