
Setup Cisco ASA 5520 to forward all 80/443 to Upstream Proxy

Last Modified: 2012-07-05
Looking for the best way to forward all 80 and 443 traffic to Upstream Proxy (Barracuda Webflex Cloud Product)

Due to internal network issues and platforms, it is difficult to use DHCP/DNS or WPAD to push proxy settings, and it would be more transparent to do it at the firewall level.

WCCP seems close but not the right fit; I don't require any onsite caching, and WCCP seems to require a local device.

Ernie Beek, Senior infrastructure engineer (Certified Expert, Top Expert 2012)

Commented:
Upstream, so on the outside of the asa?
In that case, can't you just set the proxy as the default gateway for the asa?

Author

Commented:
Thanks for replying. I only want 80 and 443 to be passed to the upstream proxy, so unless I am missing something, I would not want to make the upstream proxy my default gateway, as all traffic on all ports would route there vs just web traffic.

Most Valuable Expert 2011

Commented:
To do what you want requires a CERN Compliant Web Proxy performing what is called Proxy Chaining. To the best of my limited knowledge of ASA, this is impossible; ASA is not a "Web Proxy" device.

Author

Commented:
Guys, thanks for the input. I am reading and searching and trying configs; I will be back with an update shortly.

@pwwindell - I understand ASA is not a proxy; I guess a better term for me to use is redirect. I am thinking, as erniebeek suggests, PBR should be possible at the port level.

@erniebeek I am going thru your suggestion and also working with the vendor for input.
Most Valuable Expert 2011

Commented:
@pwwindell - I understand ASA is not a proxy; I guess a better term for me to use is redirect. I am thinking, as erniebeek suggests, PBR should be possible at the port level.

It doesn't matter what term you are using. I know what you are trying to do.  So nothing I said changes.

Author

Commented:
Support is telling me that I need to do a NAT Port forward.  Does that change any of your feedback guys?

Setting up a NAT Port Forward on the firewall to forward all port 80/443 traffic from the LAN to the External IP of their Proxy Host.
Most Valuable Expert 2011

Commented:
No.

Port-forward is a meaningless "non-term". Ports are not routable addresses, therefore they can't be forwarded; they have to be translated instead. So you can have Port Address Translation over Reverse-NAT (RNAT/PAT). That is probably what they are trying to say. The problem is that it is done only in the backwards direction (from outside to inside). So I don't think it will apply to you trying to go "forwards" (outbound). Unless ASA has some unusual capabilities that I am unaware of.

Author

Commented:
Clearly I am trying to get up to speed with ASA, but I am going through this 26 page config (Port Redirection/Forwarding with NAT, Global, Static and ACL's) from Cisco and it does seem to allow internal users via a dynamic NAT rule to access Outside Networks with NAT.

I am not saying it's possible but I am going to go through the doc and contact Cisco and maybe try to apply it. It seems to speak to exactly what I need.

Again thanks for all the feedback.

Author

Commented:
I get the NAT stuff, and you are right about the loose terminology. So I hope to resolve this by later today after I go through the config doc and apply changes; I will update the question and accept a solution.
Ernie Beek, Senior infrastructure engineer (Certified Expert, Top Expert 2012)

Commented:
Another option could be to use a router in front of the ASA. These are able to do PBR (I know the Cisco ones do, and I'm sure others as well).

Author

Commented:
Erniebeek, that might just be the solution I am looking for. I have a call in to Comcast Business to see if I can set up PBR on the border router, and I am still looking at the Dynamic NAT and PAT option on the ASA.
Most Valuable Expert 2011

Commented:
If you are using the Comcast Business Gateway (built by SVC I think), you aren't going to get it to do anything.  You have to make sure whatever solution you try does not involve it.

Author

Commented:
After many design considerations I decided to get a Web Filter device to place on the network, using this device I hope to enable WCCP on the Cisco ASA to push the traffic to the cloud. This seems to be the best way to direct the traffic. I have posted a question related to WCCP.

Author

Commented:
WCCP works fine to point all web traffic to the Web filter device, which is what I ended up doing.
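The configuration the thread ends on, written out as an added example (not the author's or the vendor's own config). The inside subnet, the filter appliance address, the interface name, the dynamic service number 70 for HTTPS and the shared secret are all assumptions; the web-cache service is fixed to TCP/80.

```cisco
! Assumed addressing: clients on 10.0.0.0/24 behind "inside",
! web filter appliance at 10.0.0.50 on that SAME interface.
! ASA only redirects in the "in" direction and requires the WCCP
! cache engine to sit on the same interface as the clients, which is
! why a local device is needed (the "WCCP needs a local device" point
! from the original question).
!
! Only this host may register as a WCCP cache engine; without a
! group-list any device on the LAN could announce itself and pull
! client web traffic to itself.
access-list WCCP-CACHES extended permit ip host 10.0.0.50 any
!
! Traffic from the filter itself must never be redirected, or its
! outbound fetches would loop back to it. Denies come first.
access-list WCCP-REDIRECT extended deny tcp host 10.0.0.50 any
! Only LAN traffic to TCP 80/443 is redirected; every other port keeps
! the normal default route, which is what ruled out using the proxy
! as the ASA's default gateway earlier in the thread.
access-list WCCP-REDIRECT extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT extended permit tcp 10.0.0.0 255.255.255.0 any eq https
!
! web-cache is the standard service (TCP/80). Service 70 for TCP/443
! is an ASSUMED number; use the id the filter vendor documents.
! The password authenticates the cache engine's WCCP "Here I Am"
! messages; CHANGE-ME is a placeholder.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHES password CHANGE-ME
wccp 70 redirect-list WCCP-REDIRECT group-list WCCP-CACHES password CHANGE-ME
!
! Apply redirection to client traffic arriving on the inside interface.
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
!
! Verify the filter has registered and packets are being redirected.
show wccp
show wccp interfaces
```

If the filter shows as registered but the redirect counters stay at zero, the usual causes are the appliance sitting on a different ASA interface than the clients or a redirect-list that does not match the client subnet.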