Barracuda 410 webfilter install with HP core switch and Cisco ASA

We have a Cisco ASA using IP address 10.10.100.1 and an HP 3500 that points to the ASA as the gateway. The switch is running on 10.10.1.1 and there is a VLAN WAN connection between the two devices.

We want to inline install the Barracuda between the HP 3500 and the Cisco ASA but there seems to be an issue with traffic being able to pass to the internet when we make the connection.

We have given the Barracuda an address of 10.10.100.200. I found a short brief mention about opening ports on the ASA but this has not been done yet and it appeared this was for connecting with other WAN routers etc.

So what config changes need to happen with the ASA or HP 3500 in order to make sure that traffic can pass between them and through the Web Filter?
dpcsit Asked:

TheTull Commented:
I'm not sure you need any special configurations on either device, as the Barracuda should act more like a switch (layer-2 device) and just forward the traffic through (it analyzes it too, of course, as it forwards it through). A working setup I've seen has the LAN port (with the IP configured on it) connected to the core network switch and the WAN port connected to a small switch that also has the firewall connected to it (this is a 4-port switch used exclusively between the firewall and Barracuda). Here's a simple schematic of what I'm talking about, if you can understand it:

PC <===> Core Switch <===> LAN - Barracuda - WAN <===> Small 4-port Switch <===> Firewall <==> Internet

The Barracuda should then have Client IP Visibility for HTTP and Enable proxy on WAN set to yes, and the traffic should flow through OK. I should also mention that all interfaces were on the same subnet (same VLAN). You aren't using the Barracuda as a default gateway for PCs, right? This IP should still be your ASA if you want the Barracuda to work as an inline device.
0
Robert Sutton Jr, Senior Network Manager, Commented:
If you have a firewall/VPN tunnel device when the Barracuda Web Filter is inline behind the firewall, the VPN traffic will not be filtered unless you perform the steps below.
• Create a rule in your firewall blocking all port 80 traffic outbound.
• Have that traffic re-directed to the Barracuda.
• Then create a rule allowing all port 80 traffic coming from the Barracuda Web Filter specifically to be allowed.
• Turn off the Pass Client IP addresses through WAN port option on the Basic > IP Configuration page, effectively enabling the Barracuda as the source IP for all outbound packets.
• Lastly, on Basic > IP Configuration set Enable proxy on WAN to Yes.
This will allow all of the VPN traffic to be filtered while being able to keep the Barracuda Web Filter on the internal network.
0
dpcsit (Author) Commented:
Found the issue: the ASA and core switch were in a 255.255.255.253 subnet, allowing only two devices on the subnet. Changed it to /29 and the unit is allowing traffic to pass through it.

However, I cannot ping the device, nor can I access the web interface.

The unit is on 10.10.100.3 and I am on 10.10.10.7 on a different VLAN. I can ping the Barracuda from both the ASA and the core switch. But when I ping it directly from my PC I get a device timeout.

Is it because of the subnets being different? How can I get the Barracuda to allow traffic from my PC?

I can get to the web fine, I just need to access the cuda now!
0

dpcsit (Author) Commented:
I checked the routes in the core switch and they are all pointing to the VLANs with the status of connected.

10.10.100.0/29 goes to the WAN, 10.10.10.0/23 goes to the DATA VLAN all the PCs run on.
0
dpcsit (Author) Commented:
Actually, I found the answer: all I needed was a static route from the Barracuda back to the main core switch in the 100 VLAN. Once I routed back to that device for the subnet my PC was on, I was able to access it, and I also set up a route to the VLAN for the servers so I could interface it with LDAP.
0
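The two fixes the asker reports above (a larger transit subnet, then a static route on the Barracuda back toward the PC VLAN), worked through as an added example that is not part of the original thread. Assumptions: the original two-host subnet was a /30, the core switch's address in the WAN VLAN is 10.10.100.2, and the Barracuda's default gateway is the ASA.

```python
import ipaddress

# From the thread: ASA, Barracuda, PC, /29 transit subnet, /23 DATA VLAN.
ASA, BARRACUDA, PC = "10.10.100.1", "10.10.100.3", "10.10.10.7"
TRANSIT_NEW, DATA_VLAN = "10.10.100.0/29", "10.10.10.0/23"
# Assumptions (not stated in the thread):
TRANSIT_OLD = "10.10.100.0/30"   # a two-host subnet
CORE_SW_WAN = "10.10.100.2"      # core switch address in the WAN VLAN

def usable_hosts(cidr):
    """Usable host addresses in a subnet (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]

def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs; gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(c), gw) for c, gw in routes
               if dst in ipaddress.ip_network(c)]
    if not matches:
        return "unreachable"
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw or "on-link"

def static_routes_needed(iface_cidr, remote_nets, via):
    """Remote subnets that are not on-link for the appliance and need a route via `via`."""
    local = ipaddress.ip_interface(iface_cidr).network
    return [(n, via) for n in remote_nets
            if not ipaddress.ip_network(n).subnet_of(local)]

# Barracuda routing table before the fix: connected subnet plus default via the ASA (assumed).
BEFORE = [(TRANSIT_NEW, None), ("0.0.0.0/0", ASA)]
AFTER = BEFORE + static_routes_needed(BARRACUDA + "/29", [DATA_VLAN], CORE_SW_WAN)

if __name__ == "__main__":
    print("old transit hosts:", usable_hosts(TRANSIT_OLD))
    print("new transit hosts:", usable_hosts(TRANSIT_NEW))
    print("reply to PC before:", next_hop(BEFORE, PC))
    print("reply to PC after: ", next_hop(AFTER, PC))
```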
Ernie Beek (Expert) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0