New Member

Forward Web Traffic from PIX to outside Proxy

I am working with a web filtering service company that provides web filtering as a service in a cloud. I can forward web traffic to them via the normal proxy setting in my browser, but I want to be able to do it at the firewall level as well, in case a user did not get the browser policy update.

Is there a way to forward all web traffic (http, https) coming from behind the firewall (nat users) to an outside address?

I tried the command:

static (inside,outside) tcp interface www <outside ip> www netmask 255.255.255.255

...but that did not work.

Any help would be appreciated.

8 REPLIES
New Member

Re: Forward Web Traffic from PIX to outside Proxy

You want the filter command:

url-server (outside) host

filter url 80 0 0 0 0

filter https 443 0 0 0 0

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1761451

HTH

New Member

Re: Forward Web Traffic from PIX to outside Proxy

Will this work with PIX version 6.3 as well?

Silver

Re: Forward Web Traffic from PIX to outside Proxy

I think he is wrong. I assume this is what you're trying to accomplish:

1- There is a web proxy like BlueCoat or Squid on the Internet that you want users on your network to connect to. Users on your network get the setting through WPAD or something like that.

2- The BlueCoat or Squid proxy will intercept web traffic on your network and check URL and content filtering, antivirus, etc. If everything is fine, users on your network can access the site.

Are my assumptions correct?

The example he gave you is one where the PIX does the URL filtering with a third-party app like Websense or N2H2. It cannot do what you described.

What you're trying to accomplish can be done with WPAD.

New Member

Re: Forward Web Traffic from PIX to outside Proxy

I am trying to just redirect all http and https traffic to a proxy that is outside my network (the provider). Once it gets to the provider, it will keep on going out through them and the response will come back through them and to me.

Silver

Re: Forward Web Traffic from PIX to outside Proxy

In that case, it is very simple:

no static (inside,outside) tcp interface www www netmask 255.255.255.255

nat (inside) 1 0 0

global (outside) 1 interface

access-list Internal permit icmp any any log

access-list Internal permit tcp any host Proxy_Server eq 3128 log

access-list Internal deny ip any any log

access-list External permit icmp any any log

access-list External deny ip any any log

access-group Internal in interface inside

access-group External in interface outside

The question is: how do the users' browsers get updated? WPAD or what?

New Member

Re: Forward Web Traffic from PIX to outside Proxy

I am not really sure what you mean when you say "how does the users' browser get update".

And I am not sure what WPAD is either.

Silver

Re: Forward Web Traffic from PIX to outside Proxy

"in case a user did not get the browser policy update."

How do the users' browsers get policy updates such as proxy settings?

New Member

Re: Forward Web Traffic from PIX to outside Proxy

I can push proxy setting changes down via AD Group Policies, but I don't want to depend on that. For instance, if a rogue PC plugs into our network, and they are not able to get the browser proxy policy via AD (since they are not on our domain), I would like them to be proxied via the Firewall.
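The "Internal" ACL posted earlier in the thread logs every denied connection, so a PC that never received the proxy setting shows up in syslog as denied direct connections to ports 80 and 443. The following is an added example, not part of the thread, that lists such hosts from message 106100 lines; the sample lines and addresses are constructed, and the message layout is assumed to be the documented PIX 106100 format.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges); 203.0.113.10
# stands in for Proxy_Server. Layout assumed: PIX syslog message 106100,
# which is emitted for access-list entries that carry the "log" keyword.
SAMPLE_LOG = """\
%PIX-6-106100: access-list Internal permitted tcp inside/192.168.1.20(1055) -> outside/203.0.113.10(3128) hit-cnt 1 (first hit)
%PIX-6-106100: access-list Internal denied tcp inside/192.168.1.77(1061) -> outside/198.51.100.5(80) hit-cnt 1 (first hit)
%PIX-6-106100: access-list Internal denied tcp inside/192.168.1.77(1062) -> outside/198.51.100.9(443) hit-cnt 3 (300-second interval)
%PIX-6-106100: access-list Internal denied udp inside/192.168.1.20(1030) -> outside/198.51.100.53(53) hit-cnt 1 (first hit)
%PIX-6-106100: access-list Internal denied tcp inside/192.168.1.88(1100) -> outside/198.51.100.5(80) hit-cnt 2 (300-second interval)
"""

LINE_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
WEB_PORTS = {80, 443}  # direct HTTP/HTTPS, i.e. traffic that skipped the proxy


def direct_web_attempts(log_text, acl="Internal"):
    """Map each inside host to its denied direct web connections.

    Returns {src_ip: {"hits": total hit-cnt, "dests": {"ip:port", ...}}}.
    """
    hosts = defaultdict(lambda: {"hits": 0, "dests": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl or m["action"] != "denied":
            continue
        if m["proto"] != "tcp" or int(m["dport"]) not in WEB_PORTS:
            continue  # other denied traffic is not a proxy bypass
        entry = hosts[m["src"]]
        entry["hits"] += int(m["hits"])
        entry["dests"].add(f'{m["dst"]}:{m["dport"]}')
    return dict(hosts)


if __name__ == "__main__":
    for host, info in sorted(direct_web_attempts(SAMPLE_LOG).items()):
        print(host, info["hits"], sorted(info["dests"]))
```

Hosts in the result are the ones to check for missing proxy settings or for being off-domain machines.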
