Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Proxy Server in DMZ

Dear All,

I have an ASA 5520 with inside, outside, and DMZ interfaces. I want to install a proxy server in  DMZ and have all my inside hosts go to the proxy first, before accessing the internet. If I don't want to configure a proxy-server address on each of my internal hosts, is there a way to configure port redirection on the ASA to automaticaly send all outbound internet traffic to the proxy server?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Proxy Server in DMZ

As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.

WCCP only supports traffic being redirected through the same interface.

As per the following:

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

quoted from:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

5 REPLIES
Cisco Employee

Re: Proxy Server in DMZ

ASA only supports N2H2 or Websense to perform URL filtering via the ASA itself, without having to configure proxy server settings on the inside hosts.

Alternatively, if the proxy server supports WCCP, that also works with ASA, however, proxy server needs to be connected to the inside interface as well where the internal hosts are connected. Proxy server can't be connected to the DMZ while the traffic is from inside.

Hope that helps.

New Member

Re: Proxy Server in DMZ

Hi,

The proxy is actually ISA and we will install it in DMZ as one leg design. If there is no option to redirect web traffic to ISA then we have last option of using proxy ip address in web browsers ?

Thanks

Cisco Employee

Re: Proxy Server in DMZ

Unfortunately there is no other option on ASA but to configure the proxy ip address on the web browser.

New Member

Re: Proxy Server in DMZ

Hi,

Thanks for your response.

What about using WCCP,

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html

Thanks

Cisco Employee

Re: Proxy Server in DMZ

As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.

WCCP only supports traffic being redirected through the same interface.

As per the following:

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

quoted from:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

536
Views
0
Helpful
5
Replies
CreatePlease login to create content