Trouble with One-Off Deployments & LAN Traffic

Dean Romanelli
Level 4

Hi All,

I have attached a very high-level drawing representing the Infrastructure I support. I am having trouble understanding "One-Off Deployments."

As my drawing depicts, traffic from clients goes over the internet via DMVPN and terminates on the Cisco ASA 5520 in my data center. The ASA then performs firewalling functions and forwards traffic onwards to the data server.  Here's the kicker: The traffic also must be filtered by a Web Application Firewall (WAF) per company policy, but our WAF is a one-off deployment.

I've always been taught and understood that, "In order for a device to affect traffic (emulate, filter, firewall, etc.), traffic must flow through it." If that's the case, and if both the data server and the WAF are connected to a common core switch, how is the WAF filtering traffic BEFORE it goes to the data server without being directly in between the switch and the server?

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Dean

No direct experience of them but WAFs can act as reverse proxies so it may be that the clients are configured to send the traffic to that server and it then proxies the connection to the back end server. If the clients are not explicitly configured to do so then something must intercept that traffic and send it to the WAF.

This could be the firewall itself or it could be the switch using WCCP to redirect traffic to the WAF.

Jon

A-HA! Thank you Jon, you actually led me to my answer.  The WAF is NATing/Proxying to web servers in the back end, so not all traffic flows to it, only company websites. So if a user tries to go to a company website, the DNS resolves to the VIP on the WAF for the back-end web server.  So no traffic passes through it unless it is destined for a web server. In that case, it IS the destination.

Love that moment when it clicks, lol.

Thanks again.
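A small added model of the flow Jon and Dean describe (example code, not from the thread or from Cisco): DNS hands clients the WAF's VIP, the WAF proxies to the backend web server, and anything not resolving to a VIP never touches the WAF. It also includes the check a defender wants alongside this design, that each proxied backend only accepts connections sourced from the WAF. All hostnames, addresses and ACL entries are constructed for illustration.

```python
# Constructed DNS view: public hostname -> address handed to clients
DNS = {
    "www.example.corp": "203.0.113.10",       # resolves to a WAF VIP
    "intranet.example.corp": "203.0.113.11",  # resolves to a second WAF VIP
    "files.example.corp": "10.1.2.30",        # data server, not a web app
}
# Constructed WAF config: VIP -> backend web server it proxies to
WAF_VIPS = {"203.0.113.10": "10.1.2.20", "203.0.113.11": "10.1.2.21"}
WAF_INSIDE_IP = "10.1.2.5"                    # source IP the WAF uses toward backends
# Constructed backend ACLs (host firewall or ASA): server -> allowed sources, None = any
BACKEND_ACL = {
    "10.1.2.20": {WAF_INSIDE_IP},             # web server reachable only via the WAF
    "10.1.2.21": None,                        # web server left open on the LAN
    "10.1.2.30": None,                        # data server, no WAF involved
}

def trace(hostname, client_ip):
    """Return the hops a client request takes, whether the WAF inspected it,
    and whether the backend ACL accepts the connection as it arrives."""
    dest = DNS[hostname]
    path = [client_ip]
    if dest in WAF_VIPS:
        # The WAF *is* the destination, so the flow necessarily passes through it
        backend = WAF_VIPS[dest]
        path += [dest, backend]
        src_at_backend, inspected = WAF_INSIDE_IP, True
    else:
        # Not a company web app: the flow is switched straight to the server
        backend = dest
        path.append(dest)
        src_at_backend, inspected = client_ip, False
    allowed = BACKEND_ACL.get(backend)
    accepted = allowed is None or src_at_backend in allowed
    return {"path": path, "inspected": inspected, "accepted": accepted}

def unprotected_backends():
    """Proxied web servers whose ACL does not restrict sources to the WAF.
    Such a server would still answer a connection that never crossed the WAF."""
    return sorted(b for b in WAF_VIPS.values()
                  if BACKEND_ACL.get(b) != {WAF_INSIDE_IP})

if __name__ == "__main__":
    print(trace("www.example.corp", "192.0.2.44"))
    print(trace("files.example.corp", "192.0.2.44"))
    print("backends not locked to the WAF:", unprotected_backends())
```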
