
New Member

Trouble with One-Off Deployments & LAN Traffic

Hi All,

I have attached a very high-level drawing representing the Infrastructure I support. I am having trouble understanding "One-Off Deployments."

As my drawing depicts, traffic from clients goes over the internet via DMVPN and terminates on the Cisco ASA 5520 in my data center. The ASA then performs firewalling functions and forwards traffic onwards to the data server. Here's the kicker: the traffic also must be filtered by a Web Application Firewall (WAF) per company policy, but our WAF is a one-off deployment.

I've always been taught and understood that "in order for a device to affect traffic (emulate, filter, firewall, etc.), traffic must flow through it." If that's the case, and if both the data server and the WAF are connected to a common core switch, how is the WAF filtering traffic BEFORE it goes to the data server without being directly in between the switch and the server?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Trouble with One-Off Deployments & LAN Traffic

Dean

No direct experience of them, but WAFs can act as reverse proxies, so it may be that the clients are configured to send the traffic to that server and it then proxies the connection to the back-end server. If the clients are not explicitly configured to do so, then something must intercept that traffic and send it to the WAF.

This could be the firewall itself or it could be the switch using WCCP to redirect traffic to the WAF.

Jon

2 REPLIES
New Member

Trouble with One-Off Deployments & LAN Traffic

A-HA! Thank you Jon, you actually led me to my answer. The WAF is NATing/proxying to web servers in the back end, so not all traffic flows to it, only company websites. So if a user tries to go to a company website, the DNS resolves to the VIP on the WAF for the back-end web server. So no traffic passes through it unless it is destined for a web server. In that case, it IS the destination.

Love that moment when it clicks, lol.

Thanks again.
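The two posts above describe the same mechanism from two sides: Jon's point that a WAF in reverse-proxy mode only sees traffic that is addressed to it, and Dean's finding that DNS steers web hostnames to the WAF's VIP while everything else goes straight to its server. The following simulation is an added example, not code from the thread or from any Cisco product; the hostnames, addresses, DNS table, detection rules and origin servers are all constructed for illustration. It shows why a WAF hanging off the core switch still filters web traffic (the client targets the VIP, the WAF inspects, then proxies to the origin) and why the file server's traffic never touches it.

```python
"""Reverse-proxy WAF simulation (added example; all values constructed)."""
import re
from dataclasses import dataclass, field

# Constructed DNS zone: company web hosts resolve to the WAF's VIP,
# while the data/file server resolves directly to its own address.
DNS = {
    "www.example-corp.test": "10.0.0.10",      # WAF VIP (constructed)
    "portal.example-corp.test": "10.0.0.10",   # WAF VIP (constructed)
    "files.example-corp.test": "10.0.0.50",    # data server, not proxied
}


@dataclass
class Request:
    host: str
    method: str
    path: str
    body: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    via: str = ""   # records which hops produced the response


# Constructed origin servers behind the WAF and the stand-alone file server.
def web_origin(req: Request) -> Response:
    return Response(200, f"web content for {req.path}", via="web-origin")


def file_server(req: Request) -> Response:
    return Response(200, f"file data for {req.path}", via="file-server")


# Hypothetical signature set; a real WAF carries far richer rules.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1)")),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"(?i)<script\b")),
]


def inspect(req: Request):
    """Return the name of the first rule that matches the path or body, else None."""
    for name, pattern in RULES:
        for value in (req.path, req.body):
            if pattern.search(value):
                return name
    return None


class ReverseProxyWAF:
    """Terminates the client connection at the VIP, inspects, then proxies onward."""

    def __init__(self, vip: str, origins: dict):
        self.vip = vip
        self.origins = origins   # hostname -> origin callable
        self.log = []            # (verdict, host, path, rule) tuples

    def handle(self, req: Request) -> Response:
        rule = inspect(req)
        if rule:
            self.log.append(("BLOCK", req.host, req.path, rule))
            return Response(403, f"blocked by rule {rule}", via="waf")
        origin = self.origins.get(req.host)
        if origin is None:
            return Response(502, "no origin configured for host", via="waf")
        self.log.append(("ALLOW", req.host, req.path, None))
        resp = origin(req)
        resp.via = "waf->" + resp.via
        return resp


def network_route(req: Request, waf: ReverseProxyWAF, hosts: dict) -> Response:
    """Model the core switch: a packet goes wherever DNS pointed the client.
    Only hosts whose record is the VIP ever pass through the WAF."""
    dst = DNS[req.host]
    if dst == waf.vip:
        return waf.handle(req)
    return hosts[dst](req)


def build_lab():
    """Assemble the constructed topology used by the demo and the checks."""
    waf = ReverseProxyWAF("10.0.0.10", {
        "www.example-corp.test": web_origin,
        "portal.example-corp.test": web_origin,
    })
    hosts = {"10.0.0.50": file_server}
    return waf, hosts


if __name__ == "__main__":
    waf, hosts = build_lab()
    for req in (Request("www.example-corp.test", "GET", "/index.html"),
                Request("www.example-corp.test", "GET", "/login?u=' or '1'='1"),
                Request("files.example-corp.test", "GET", "/report.csv")):
        r = network_route(req, waf, hosts)
        print(f"{req.host}{req.path} -> {r.status} via {r.via}")
    print(waf.log)
```

The `via` field makes the data path visible: web requests come back tagged `waf->web-origin`, while the file server's response carries only `file-server` and leaves the WAF's log untouched. That is exactly the situation in the thread: nothing is redirected by the switch or the ASA, the WAF is simply the destination the client resolved, so only web traffic gets inspected.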
