New Member

ASA5520 and Proxy server

Hi All,

Is there such a thing as redirecting certain ports (for example, port 80) from the ASA to a certain IP address that is a proxy server? What I am trying to do is implement a transparent proxy server in our internal network. The flow is such that nothing internally changes until outbound TCP 80 hits the firewall, then gets redirected to the proxy server and goes out. Not sure if the ASA can do that? If not, how does one go about implementing a transparent proxy server while the firewall is an ASA? (Hardcoding proxy server info in users' browsers is not something I want to do, for lots of other reasons.)

Any help/advice is appreciated.

3 REPLIES
Silver

Re: ASA5520 and Proxy server

I've been trying to get this scenario to work with Pix and squid proxy server since Pix OS version 6.2. To my knowledge, it is NOT possible.

Other firewall vendors such as Check Point support transparent proxy. If your firewall is freeware, Linux iptables is perfectly suitable for this.

The other alternative solution is that you do NOT have to hardcode proxy server info into users' browsers. If you use Microsoft ISA proxy server, you can use Web Proxy Auto Discovery (WPAD) that will make ALL web traffic hit the ISA server. There is nothing to configure on the users' browsers.

Squid (proxy server on Linux) also supports WPAD as well, if I am not mistaken.

CCIE Security

New Member

Re: ASA5520 and Proxy server

Thank you. It never crossed my mind that PIX/ASA can't do that while I am doing that each and every day via ipchains and iptables. In the past, in a PIX/ASA environment using Websense or N2H2 (Cisco supports these two vendors for redirection) I didn't have to worry about it. And now, changing vendor (I am having a proxy not because I want one, the proxy is doing filtering), I am stuck. WPAD won't work with the new proxy server. Hmmm... the last thing I can try is bridging.

Silver

Re: ASA5520 and Proxy server

May I ask what type of proxy you have in your environment?

Most enterprise environments use either:

1- MS ISA with a load-balancer such as F5 BigIP in front to load balance http/https traffic,

2- BlueCoat,

3- Squid Proxy (most MSSPs will use this because it's free).

Microsoft ISA and BlueCoat work with URL filtering such as Websense or N2H2 quite well. To my knowledge, ISA and BlueCoat support WPAD.

CCIE Security
