I ran into a problem and hope someone can give me an idea of how to work around this.
A VPN is set up between the HQ ASA and the remote office ASA, but the remote office's internet traffic does not get inspected by the HQ IronPort. Is there a way to do this? Here are the details:
There is a layer 2 link between HQ and the remote office for the site-to-site VPN. The HQ and remote ASAs each have a dedicated interface for this VPN on the layer 2 link.
The VPN is working fine, but when the remote office's internet traffic is browsing through HQ, it does not get inspected by the IronPort.
The HQ IronPort is configured as transparent. The internet traffic from the remote office leaves the remote ASA, arrives at the HQ ASA and then immediately travels out the outside interface of the HQ ASA to the internet. Can this internet traffic be redirected to the IronPort before going out to the internet? The HQ ASA has WCCP set up with redirect on the inside interface. Another WCCP redirect was also added on the VPN interface of the HQ ASA, and when tested, the response was "the web page cannot be displayed". Here is the WCCP setup on the HQ ASA:
wccp 90 redirect-list IRONPORT_HTTP
wccp interface inside 90 redirect in
wccp interface toMTL 90 redirect in   -- removed to get internet working (the toMTL interface is for the VPN to the remote office)
The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
I would suggest you discuss with your Cisco ASA sales representative lobbying to have this ASA limitation addressed in a future release.
If the traffic from the remote network really needs to go through the WSA, you will need to do an explicit forward of the client traffic through the VPN tunnel to the WSA at the headend for now.
An option for you would be to configure the remote network traffic for explicit forward redirection for now.
This means either pointing the browser at the WSA proxy, or configuring a WPAD/PAC file. This will all depend on how the remote traffic is routed through the VPN.
The WSA follows the routing configured on it. The remote traffic first has to reach the WSA to be proxied; the WSA then handles the forwarding of the proxied traffic. Whether the client traffic reaches the WSA depends on the VPN routing.
I would suggest that you consult with your Cisco IronPort sales/systems engineer for the best design for your scenario, as it is hard to work out without a clear picture of what the VPN is and how the remote end's traffic is routed.
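The explicit-forward option described in the reply above, as an added example that is not part of the thread: a PAC file that sends remote clients' Internet browsing to the WSA at HQ through the site-to-site tunnel while keeping internal traffic direct. The WSA address (10.1.1.50:3128), the HQ LAN (10.1.0.0/16), the remote LAN (10.20.0.0/16) and the internal domain (.example.corp) are all hypothetical; substitute your own. Browsers supply the PAC helper functions (isPlainHostName, dnsDomainIs, isInNet, shExpMatch) themselves; the fallbacks below exist only so the file also runs stand-alone under Node for testing, and the fallback isInNet cannot resolve names offline, so it matches literal IPv4 addresses only.

```javascript
// Added example PAC file (not from the thread). Hypothetical addresses:
//   WSA proxy at HQ: 10.1.1.50:3128
//   HQ LAN 10.1.0.0/16, remote office LAN 10.20.0.0/16, domain .example.corp
// For this to work the VPN crypto ACL / routing must carry traffic from
// 10.20.0.0/16 to 10.1.1.50, since clients must reach the WSA before it can
// proxy them (see the reply above).
//
// In a browser the PAC sandbox provides the helpers; the "typeof" guards keep
// the browser's versions and only install these fallbacks when running
// stand-alone (e.g. under Node).

var WSA = "PROXY 10.1.1.50:3128";
var DIRECT = "DIRECT";

var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };

var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };

var shExpMatch = (typeof shExpMatch === "function") ? shExpMatch :
  function (str, shexp) {
    // Translate a shell glob ("*", "?") into an anchored regular expression.
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };

// Parse a dotted IPv4 literal into an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

var isInNet = (typeof isInNet === "function") ? isInNet :
  function (host, pattern, mask) {
    // Offline fallback: literal IPv4 only (the browser version resolves names).
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };

function FindProxyForURL(url, host) {
  // Only HTTP and HTTPS are the WSA's job; everything else follows routing.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) {
    return DIRECT;
  }
  // Internal names, loopback, and the HQ and remote LANs stay direct so the
  // proxy is never in the path of intranet traffic.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.corp") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.1.0.0", "255.255.0.0") ||
      isInNet(host, "10.20.0.0", "255.255.0.0")) {
    return DIRECT;
  }
  // Internet browsing goes to the WSA at HQ. No "; DIRECT" fallback is listed:
  // that would silently bypass inspection whenever the WSA is unreachable.
  return WSA;
}
```

Serve the file from an HTTP server reachable over the tunnel and hand it to clients via DHCP option 252 or a wpad.<domain> DNS entry, or set it as the auto-config URL in the browser policy. The deliberate omission of a DIRECT fallback means clients fail closed if the WSA or the tunnel is down; if availability matters more than enforcement in your environment, add "; DIRECT" to the WSA string, but then the remote office bypasses inspection during outages.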