Community Member

Transparent web proxy using IronPort and ASA 5500 Series

Hi all,

I'm on a project of configuring an ASA 5500 Series with an IronPort for web filtering.

To explain the architecture: we have multiple client sites (each with its own LAN) connected to our main site (with an SDSL connection) on the backbone network to get Internet access through an ASA 5500 Series.

A recent need is to deploy an IronPort web appliance on the backbone network so that the ASA is able to redirect traffic on ports 80 and 443 to the IronPort proxy for web filtering.

We need to deploy this without touching the client browsers' configuration, only the ASA 5500 and IronPort.

So I was thinking of manually redirecting some port on the inside interface of the ASA (TCP 80, TCP 443) to the IronPort.

Does anyone know of any other method which could be more automatic (without touching redirection on the ASA)?

Thanks!

5 REPLIES


Community Member

Re: Transparent web proxy using IronPort and ASA 5500 Series

Thank you Ken for your whitepaper.

I read the configuration and it is mentioned that the IronPort and clients are not on the same interface (segment). I also read that the IronPort Appliance and clients must be on the same ASA interface to avoid passing through the ASA itself again.

Which of these two is right?

In my architecture I'm not able to set the IronPort on the same interface as clients (2 different interfaces and subnets).

I attached a document explaining the architecture

My bad, I saw that the WSA and clients are on the same ASA interface in the inside networks. Still, in my configuration is it possible to enable WCCP?

I also saw that it is possible to implement a route-map which performs PBR by changing the next-hop IP for specific traffic, but this function is not available on ASA as I heard. Can anyone confirm that?

This message was edited by: Maxime GERGES

Re: Transparent web proxy using IronPort and ASA 5500 Series (Accepted Solution)

Maxime,

They don't have to be on the same segment, but everyone's outbound traffic has to be going out the same interface, i.e. you can't have users' traffic all headed for the internet via the inside interface, and have the WSA on a DMZ interface. The WCCP can't redirect "through" the firewall to the WSA device in the DMZ; it has to be reachable via the inside interface.

In your drawing, if you put a switch between the backbone router and the firewall, connect that to the inside interface of the ASA, and connect the WSA to that switch, you're all set...
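The constraint Ken describes, as an added configuration example (not from this thread, Ken's whitepaper, or Cisco documentation): on the ASA, WCCP redirection is only applied to traffic entering an interface ("redirect in"), so the redirect is configured on the inside interface and the WSA must be reachable from that same interface. The addressing (clients in 10.10.0.0/16, WSA at 10.10.1.5), the interface name "inside", the dynamic service ID 70 for HTTPS and the password string are assumed placeholders; the service ID and password must match whatever is configured on the WSA.

```cisco
! Assumed placeholders: clients in 10.10.0.0/16, WSA at 10.10.1.5,
! both reachable via the ASA "inside" interface.

! group-list: only this host may register with the ASA as a WCCP server.
access-list WCCP-SERVERS extended permit ip host 10.10.1.5 any

! redirect-list: which client traffic is handed to the WSA.
! The deny line keeps the WSA's own outbound requests out of the
! redirect; without it they would be sent back to the WSA and loop.
access-list WCCP-REDIRECT extended deny ip host 10.10.1.5 any
access-list WCCP-REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq 80
access-list WCCP-REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq 443

! "web-cache" is the fixed HTTP service group (ID 0). HTTPS needs a
! dynamic group; ID 70 is assumed and must match the WSA's setting.
! The password authenticates the WSA's WCCP registration messages.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS password WCCP-KEY-PLACEHOLDER
wccp 70 redirect-list WCCP-REDIRECT group-list WCCP-SERVERS password WCCP-KEY-PLACEHOLDER

! The ASA supports only "redirect in", which is why clients and WSA
! must both sit behind this one interface.
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
```

After the WSA registers, `show wccp` lists the service groups and the number of registered routers/caches, and the packet counters under each group show whether redirection is actually happening; a group with zero registered caches usually means the group-list, service ID or password does not match the WSA side.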

Community Member

Re: Transparent web proxy using IronPort and ASA 5500 Series

Thank you Ken, so if I understand the whole thing, my clients and the IronPort need to be on the same interface in order not to pass traffic back to the ASA again. The two communicate directly.

I will ask if the architecture can be changed.

If the topology can't be changed, do you know if it is possible to use PBR with a route map and redirect some traffic (HTTPS/HTTP) with the command set ip next-hop address ip-wsa; I heard that it is possible on any router but on ASA I have heard both.

Re: Transparent web proxy using IronPort and ASA 5500 Series

I don't think that the WSA has to be on the same segment as the ASA, it just has to be accessible via the same interface.

So the box I put between the backbone and firewall in my drawing could be a router...

You can use PBR to route traffic to the WSA, and that doesn't have the same interface limitations that working with an ASA does. I've not done it, so I won't be much help...
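The PBR alternative Maxime asks about, as an added example (not from this thread, and not something Ken or Cisco provide here): an IOS route-map on the router placed between the backbone and the firewall, using `set ip next-hop` to steer client web traffic to the WSA without WCCP. The interface name GigabitEthernet0/1, the client range 10.10.0.0/16 and the WSA address 10.10.1.5 are assumed placeholders.

```cisco
! Assumed placeholders: clients enter on GigabitEthernet0/1,
! WSA at 10.10.1.5 is reachable from this router.

! Match only client HTTP/HTTPS. The deny keeps the WSA's own outbound
! connections from being policy-routed back to itself.
ip access-list extended WEB-TO-WSA
 remark never redirect the WSA's own traffic
 deny   tcp host 10.10.1.5 any
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
!
! Matching packets get the WSA as next hop; everything else (implicit
! deny in the ACL) follows the normal routing table.
route-map REDIRECT-TO-WSA permit 10
 match ip address WEB-TO-WSA
 set ip next-hop 10.10.1.5
!
! PBR is applied on the interface where client traffic arrives.
interface GigabitEthernet0/1
 ip policy route-map REDIRECT-TO-WSA
```

Two things to check with this approach: the WSA must be configured for transparent redirection by a Layer 4 device rather than by WCCP, and a plain `set ip next-hop` keeps forwarding to the WSA even when it is down, so a production deployment should pair it with reachability tracking (IOS supports `set ip next-hop verify-availability` with an IP SLA track object) so that web traffic falls back to normal routing instead of being black-holed.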
