• Status: Solved

Barracuda 410 webfilter install with HP core switch and Cisco ASA

We have a Cisco ASA using IP address 10.10.100.1 and an HP 3500 that points to the ASA as the gateway. The switch is running on 10.10.1.1 and there is a VLAN WAN connection between the two devices.

We want to inline install the Barracuda between the HP 3500 and the Cisco ASA but there seems to be an issue with traffic being able to pass to the internet when we make the connection.

We have given the Barracuda an address of 10.10.100.200. I found a short brief mention about opening ports on the ASA but this has not been done yet and it appeared this was for connecting with other WAN routers etc.

So what config changes need to happen with the ASA or HP 3500 in order to make sure that traffic can pass between them and through the Web Filter?
Asked: dpcsit
 
TheTull Commented:
I'm not sure you need any special configurations on either device, as the Barracuda should act more like a switch (layer-2 device) and just forward the traffic through (it analyzes it too, of course, as it forwards it through). A working setup I've seen has the LAN port (with the IP configured on it) connected to the core network switch and the WAN port connected to a small switch that also has the firewall connected to it (this is a 4-port switch used exclusively between the firewall and Barracuda). Here's a simple schematic of what I'm talking about, if you can understand it:

PC <===> Core Switch <===> LAN - Barracuda - WAN <===> Small 4-port Switch <===> Firewall <==> Internet

The Barracuda should then have Client IP Visibility for HTTP and Enable proxy on WAN set to yes, and the traffic should flow through OK. I should also mention that all interfaces were on the same subnet (same VLAN). You aren't using the Barracuda as a default gateway for PCs, right? This IP should still be your ASA if you want the Barracuda to work as an inline device.
Robert Sutton Jr, Senior Network Manager, Commented:
If you have a firewall/VPN tunnel device when the Barracuda Web Filter is inline behind the firewall, the VPN traffic will not be filtered unless you perform the steps below.
• Create a rule in your firewall blocking all port 80 traffic outbound.
• Have that traffic re-directed to the Barracuda.
• Then create a rule allowing all port 80 traffic coming from the Barracuda Web Filter specifically to be allowed.
• Turn off the Pass Client IP addresses through WAN port option on the Basic > IP Configuration page, effectively enabling the Barracuda as the source IP for all outbound packets.
• Lastly, on Basic > IP Configuration set Enable proxy on WAN to Yes.
This will allow all of the VPN traffic to be filtered while being able to keep the Barracuda Web Filter on the internal network.
dpcsit (Author) Commented:
Found the issue: the ASA and core switch were in a 255.255.255.253 subnet allowing only two devices on the subnet. Changed it to /29 and the unit is allowing traffic to pass through it.

However, I cannot ping the device, nor can I access the web interface.

The unit is on 10.10.100.3 and I am on 10.10.10.7 on a different VLAN. I can ping the Barracuda from both the ASA and the core switch, but when I ping it directly from my PC I get a device timeout.

Is it because of the subnets being different? How can I get the Barracuda to allow traffic from my PC?

I can get to the web fine; I just need to access the 'cuda now!
dpcsit (Author) Commented:
I checked the routes in the core switch and they are all pointing to the VLANs with the status of connected.

10.10.100.0/29 goes to the WAN, 10.10.10.0/23 goes to the DATA VLAN all the PCs run on.
dpcsit (Author) Commented:
Actually I found the answer: all I needed was a static route from the Barracuda back to the main core switch in the 100 VLAN. Once I routed back to that device for the subnet my PC was on, I was able to access it, and I also set up a route to the VLAN for the servers so I could interface it with LDAP.
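
The two fixes dpcsit describes in this thread (widening the transit subnet to /29 and adding a return route on the Barracuda) can be checked offline. This is an added example, not part of the original posts; the core switch's address in the 100 VLAN (10.10.100.2), a /30 as the original two-host subnet, and the ASA as the Barracuda's default gateway are assumptions.

```python
import ipaddress

# Addresses taken from the thread
ASA = "10.10.100.1"
BARRACUDA = "10.10.100.3"
PC = "10.10.10.7"
# Assumption: the thread never gives the core switch's address in the 100 VLAN
CORE_SWITCH_WAN = "10.10.100.2"


def fits(cidr, devices):
    """True if every device address is an assignable host of the subnet."""
    hosts = {str(h) for h in ipaddress.ip_network(cidr).hosts()}
    return all(d in hosts for d in devices)


def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs; gateway None means on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None  # no route at all
    # On-link destinations are delivered directly, not via a gateway
    return dst if best[1] is None else best[1]


# Barracuda routing table before the fix (default gateway is an assumption)
ROUTES_BEFORE = [
    ("10.10.100.0/29", None),   # directly connected WAN VLAN
    ("0.0.0.0/0", ASA),         # everything else goes to the firewall
]
# After the fix: return route for the DATA VLAN via the core switch
ROUTES_AFTER = ROUTES_BEFORE + [("10.10.10.0/23", CORE_SWITCH_WAN)]

if __name__ == "__main__":
    devices = [ASA, CORE_SWITCH_WAN, BARRACUDA]
    print("three devices fit in /30:", fits("10.10.100.0/30", devices))
    print("three devices fit in /29:", fits("10.10.100.0/29", devices))
    # Replies to the admin PC leave toward the ASA until the static route exists
    print("reply to PC before:", next_hop(ROUTES_BEFORE, PC))
    print("reply to PC after: ", next_hop(ROUTES_AFTER, PC))
```

Before the static route, the Barracuda hands replies for 10.10.10.7 to its default gateway rather than to the switch that routes the DATA VLAN, which matches the symptom of pings working from the ASA and core switch but timing out from the PC.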
Ernie Beek, Expert, Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.