I am trying to use my 5510 to treat traffic from my LAN to our MPLS and to the internet in 2 different ways. Traffic from the LAN to corporate resources should be unmolested; however, the MPLS is providing internet access via a proxy server that is managed by the ISP. I want all this traffic scanned but not blocked. I also want to be able to specify certain people that can use my public internet link, which I want scanned and governed by a strict white\black list ACL, while leaving their path to the MPLS corporate resources undisturbed. I am trying to figure out the best way to do this. I know it will involve some combination of route maps and static\default routes, but I am not clear on the last 10% of how to accomplish this. I have a 6500 series switch behind the ASA that I hope to accomplish the routing with. Any ideas \ guidance would be appreciated.
I am assuming that both corporate resources and the Internet connection go through the ISP MPLS network.
"Traffic from lan to corporate resources should be unscanned/blocked" --> check with your ISP whether they are scanning internal traffic, i.e. traffic between the LAN and corporate resources, or whether they are only scanning traffic that is leaving for the Internet.
"I want all this traffic scanned but not blocked." --> this really depends on what your ISP proxy server is doing; are they doing scanning only, or scanning plus web filtering?
"I also want to be able to specify certain people that can use my public internet link which I want scanned and will be governed by a strict white\black list acl" --> again, this really depends on what is configured on your ISP proxy server.
"while undisturbing their path to the mpls corporate resources" --> how do you determine what proxy server to use? Through a PAC file, or transparently through your ISP proxy server? I would confirm with the ISP whether they are doing proxy inspection for corporate resources traffic as well as internet traffic.
I don't think route-maps/static routes will work if both corporate resources and the Internet are through 1 MPLS link. The differentiation would be within the MPLS network itself, which I believe is managed by your ISP, right?
1) I don't understand how you are going to extend the proxy/scanning functionality if your ISP is the one who manages the proxy functionality. Unless you have access to the proxy portal, I don't think you can have any extra functionality/feature.
2) Once you have configured the browser to use a PAC file for HTTP/HTTPS traffic, all web traffic will be routed towards that particular proxy server, which will then use your MPLS link. If you have another public connection and you only want scanning to be done by your first ISP via MPLS, then routing the traffic back towards another public link I don't think is possible (even if it's possible, your first ISP wouldn't want traffic which is not destined towards their network to go through their network just for scanning).
If you would like to scan web traffic destined for another public internet link, then you would need to request the same type of service (proxy server) through your second ISP/public internet. Or alternatively, you can purchase/manage a proxy server yourself (i.e. for Cisco products: IronPort for an appliance service, or ScanSafe for a cloud service).
In my attachment, I'm not sure if you can see it or not. It illustrates the separation of the MPLS and the public internet. This is actually a rather standard configuration that I know many companies are already implementing.
Traffic to the MPLS takes the default route; traffic to the MPLS with the ISP proxy applied also goes through the default route.
Traffic that I want to use the public internet will have to be directed via either a static route or a route map.
I want to scan traffic into and out of my LAN coming from both the public internet and the MPLS regardless of what they are doing, because I have no real insight into what they are doing. My company is part of a large conglomerate that has global rules that we must follow. I have no visibility into the traffic passing to the MPLS other than NetFlow on the MPLS router interface that is facing my LAN.
I am just trying to figure out how to scan all traffic that traverses the firewall and how to provide secondary public internet access selectively.
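As an added example (not from this thread or either poster), one way to implement the split described above with a route map on the 6500 and an allow-list ACL on the ASA. It assumes a constructed topology: the 6500 is the LAN gateway, the MPLS CE router and the ASA inside interface sit on a transit VLAN, the ASA outside faces the public link, and the addresses and corporate prefixes below are placeholders.

```cisco
! --- Catalyst 6500 (LAN gateway): policy-based routing for the public link ---
! Constructed addressing (assumption, not from the thread):
!   Vlan10  = user LAN 10.10.10.0/24
!   Vlan254 = transit; MPLS CE router 10.10.254.2, ASA inside 10.10.254.3
!   Corporate space reached over MPLS = 10.0.0.0/8 and 172.16.0.0/12
!
! Hosts permitted to use the public link. Corporate destinations are denied
! first so PBR never diverts them: a deny here just means "route normally",
! i.e. follow the default route to the MPLS CE.
ip access-list extended PBR-PUBLIC-USERS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip host 10.10.10.15 any
 permit ip host 10.10.10.16 any
!
route-map PBR-PUBLIC permit 10
 match ip address PBR-PUBLIC-USERS
 set ip next-hop 10.10.254.3
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PBR-PUBLIC
!
interface Vlan254
 ip address 10.10.254.1 255.255.255.0
!
! Everyone else, and all corporate traffic, follows the default route to
! the MPLS CE, where the ISP-managed proxy applies.
ip route 0.0.0.0 0.0.0.0 10.10.254.2

! --- ASA 5510: strict allow-list for the public link ---
! Even if the route map is wrong, only these hosts can reach the public
! Internet, and only on web ports; everything else is dropped and logged.
object-group network PUBLIC-INTERNET-USERS
 network-object host 10.10.10.15
 network-object host 10.10.10.16
access-list INSIDE-IN extended permit tcp object-group PUBLIC-INTERNET-USERS any eq 80
access-list INSIDE-IN extended permit tcp object-group PUBLIC-INTERNET-USERS any eq 443
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
! Return route for the user LAN via the 6500 transit address
route inside 10.10.10.0 255.255.255.0 10.10.254.1
```

To confirm the split is working, `show route-map PBR-PUBLIC` on the 6500 should show policy-routed packet counters increasing only when the listed hosts browse, and `show access-list INSIDE-IN` on the ASA shows which entries (including the logged deny) are being hit.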