Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ASA 5520 routing statements

Posted on 2009-05-06
8
Medium Priority
?
746 Views
Last Modified: 2012-05-07
We have a hosted web defense product that we have acquired - in order for the web-defense to work, it needs to have all of your port 80 traffic routed to their proxy server.  That said, we are looking for a way to route all outbound port 80 traffic from our network to the public proxy of our hosted web-defense product.  I have had mixed opinions as to whether or not this is possible.  Obviously our incoming traffic would have to remain as it is since we have many servers inside that use port 80.

What are our options?

Thanks!
0
Comment
Question by:rustyrpage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24321027
will start with enable access to port 80 from LAN to the proxy server.
then the rest, i would configure proxy for all clients with exception for local addresses. ( like on IE, do not use proxy for LAN address)
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24321171
The reason for doing it on the gateway is for all non-domain computers & for ones that are not always on the LAN.
0
 
LVL 4

Expert Comment

by:CCI_IT
ID: 24332301
We had this same problem.
The solution is...............Microsoft ISA Prox server.
It will allow proxy chaining.
So you point all of your http,https,ftp etc traffic to the ISA and from the ISA redirect to the hosted proxy service (Websense in our case). I tried it with Sun, but didnt have time to work it out with the free solution so we stuck with the ISA. This would be done regardless of the firewall that you use. The FWSM (and I assume hte ASAs) will only allow http forwarding to a proxy server on your network.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 4

Expert Comment

by:CCI_IT
ID: 24332303
unfortunately, the proxy settings must be removed once the computer leaves your LAN.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24335001
If the hosted proxy supports WCCP, use that on the ASA to forward web traffic to it
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24336130
Can you explain WCCP a bit more

As far as using ISA - I am not sure what the point of that would be......for a majority of our users, we have them pointing to a proxy server internally that does an AD authentication - but it's for the ones that do not have the ability to change their proxy settings.
0
 
LVL 4

Accepted Solution

by:
CCI_IT earned 2000 total points
ID: 24336168
WCCP sounds like a much neater option if it is possible.
With the ISA, traffic goes from the machines, to the ISA at which point it is redirected to the upstream hosted proxy.  The flaw we have with this is that users who leave our LAN can not get out to the internet (since their browsers are trying to access the ISA). The only workaround we have found was to set up a VPN for those users, or to allow users to change their proxy settings.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24336193
The hosted one that we are using has a squid proxy server that does LDAP authentication, so that is similar to what we are doing.

CCI IT - for you, you could probably get by with writing a proxy auto-config file to say "if IP address is on our network, then use these proxy settings, if not, then don't use one".  The problem with going through the VPN is that all outside traffic for us would then come through our main internet pipe, which could be A LOT.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question