Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

I'm trying to get the WSA to work when redirecting HTTP and HTTPS traffic along the lines of the following:

object network WSA-HOST

      host 10.0.210.2

object network obj-10.0.1.0 subnet 10.0.1.0 255.255.255.0

object service ORIG-HTTP-PORT

      service tcp destination eq www

object service WSA-HTTP-DEST-PORT

      service tcp destination eq 8080

object service ORIG-HTTPS-PORT

      service tcp destination eq https

object service WSA-HTTPS-DEST-PORT

      service tcp destination eq https  << also tried 8080 etc.

nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-HOST service ORIG-HTTP-PORT WSA-HTTP-DEST-PORT

nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-PROXY-HOST service ORIG-HTTPS-PORT WSA-HTTPS-DEST-PORT

This works just fine for HTTP, but with HTTPS I get the following response from the Ironport WSA:

Based on your corporate access policies, access to this web site ( https://www.rbsdigital.com/ ) has been blocked.

Notification codes:  (1, POLICY, UNKNOWN, 0x00000082, 1329750248.609, QAAAAAAAAAAAAAAAyf8AAP8AAAD/AAAAAAAAAAAAAAE=,

https://www.rbsdigital.com/)

The access log gives me the following:

1329750248.602 404 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -

1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -

If anyone has any idea why the WSA simply denies the connection instead of proxying it then I'd be grateful.

The WSA and the decryption policies work fine in explisit mode.

Thanks in advance!

4 REPLIES

Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

I don't see any thing in your config referencing port 443....

Is there a reason you're not using WCCP?  The ASA and WSA both support it...

New Member

Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

Thanks Ken, updated the config in my original post to make it clear. Unfortunately WCCP isn't an option here because of where the users are sitting relative to the WSA, so forwarding in some other way like NAT, or explisitely configuring the clients, are the only options.

Thanks again!

Re: Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NA

1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -

Does the policy that this is hitting require authentication?  You're not getting any. (red)

You're hitting this policy:  BLOCK_ADMIN-HTTPS-NonLocalDestination...

RBSDigital.com isn't begin categorized... so if your policy blocks non-categorized stuff, it should be the first thing after the opening <

New Member

Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

The policy doesn't require authentication. Now here are two tests I did, seconds apart, from the same client on 10.0.4.140:

First one is where I use NAT as shown above:

1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -

1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -

Second test case is when I reconfigured the browser to explisitely use the WSA as a proxy on port 8080:

1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -

1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -

Non-categorised stuff should be passed through:

Global Policy
Identity: All
Pass Through: 1
Monitor: 65
Disabled Pass Through

Any thoughts ?

1600
Views
0
Helpful
4
Replies