
How to connect WSA with L4TM Simplex mode and NAT?

Hello.

We have a WSA S170 and are using it as a proxy with NAT.

M1 - vlan 10 - for management

P1 - vlan 20 - receives clients' requests (private IP addresses)

P2 - vlan 30 - (DMZ) connected to Internet with Public IP.

 

[User's vlans 101-105 AccessSwitches] <--->g0/0[L3-SW1]g0/1<--v20--> P1[WSA(NAT)]P2 <--v30-->g0/3[L3-SW1]g0/4<-v30->[ASA Firewall]<-->(Internet)

How do I need to connect the T1/T2 ports of the WSA for Simplex mode to start working? The WSA is configured with NAT.

Do I need to configure on L3SW1:

1) mirror g0/0 ingress traffic to g0/11 and connect the T1 port of the WSA to g0/11

 

2) mirror g0/4 ingress traffic to g0/12 and connect the T2 port of the WSA to g0/12?

 

L4 Traffic Monitor (L4TM) deployment is independent of the Web Proxy deployment. When connecting
and deploying the L4 Traffic Monitor, consider the following:

a)  Physical connection. You can choose how to connect the L4 Traffic Monitor to the network. 

b)  Network address translation (NAT). When configuring the L4 Traffic Monitor, connect it at a point in your network where it can see as much network traffic as possible before getting out of your egress firewall and onto the Internet. It is important that the L4 Traffic Monitor be ‘logically’ connected after the proxy ports and before any device that performs network address translation (NAT) on client IP addresses.

c)  L4 Traffic Monitor action setting. The default setting for the L4 Traffic Monitor is monitor only. After setup, if you configure the L4 Traffic Monitor to monitor and block suspicious traffic, ensure that the L4 Traffic Monitor and the Web Proxy are configured on the same network so that all clients are accessible on routes that are configured for data traffic.

Or do I need to mirror g0/1 egress traffic to g0/12 and connect the T2 port of the WSA to g0/12? What about what is written in b): "It is important that the L4 Traffic Monitor be ‘logically’ connected after the proxy ports and before any device that performs network address translation (NAT) on client IP addresses"?

I am really confused.

 
