Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.
COURSE of the MONTH
13 days, 5 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
web usage reports after PAT to external scansafe web proxy service
Posted on 2012-12-23
Hi We recently put a NAT /PAT inside to outside interface (on ASA firewall) and port 80/http to 8080 port forward -direct to Cisco's scansafe proxy servers IP address on the web.
We have some "exceptions" for http sites we dont want filtered - these are ok and also listed in the ASA firewall
We did this to solve a number of problems
1. Apple IPAD's - wifi - avoid manual proxy in browser
2 avoid manual proxy entry for all different types of browser
basically now proxy config is all in the ASA firewall.
Problem is now that due to the ASA NAT the scansafe reports show only the "outside" IP as the no1 user - basically the only user. - so now i cant get meaningful web usage reports.
Before with proxy ticked in users client browser - THe reports showed individual usage.
I want to keep what we have done on the ASA - I dont want to do a PAC file etc.
Does anyone know how I can go about getting the Scansafe to show individual web usage again? - something i can do on ASA?
Thanks
We have some "exceptions" for http sites we dont want filtered - these are ok and also listed in the ASA firewall
We did this to solve a number of problems
1. Apple IPAD's - wifi - avoid manual proxy in browser
2 avoid manual proxy entry for all different types of browser
basically now proxy config is all in the ASA firewall.
Problem is now that due to the ASA NAT the scansafe reports show only the "outside" IP as the no1 user - basically the only user. - so now i cant get meaningful web usage reports.
Before with proxy ticked in users client browser - THe reports showed individual usage.
I want to keep what we have done on the ASA - I dont want to do a PAC file etc.
Does anyone know how I can go about getting the Scansafe to show individual web usage again? - something i can do on ASA?
Thanks
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
1 Comment
Active today
looks similar to this issue raised
using syslog and do manual mapping - doesnt seems operationally friendly
https://supportforums.cisco.com/message/194755#194755
"Another way might be to add an access-list on the inside interface and add logging to " ip any any " which would be logged to the syslog server. But this might cause a lot of traffic for the syslog server."
also saw in scansafe help doc stating below
https://scancenter.scansafe.com/portal/static/help/ScanCenterHelp/WSAAP3.html
(in case you need) online help - https://scancenter.scansafe.com/portal/static/help/ScanCenterHelp/
"Cisco ASA 5500 Series Adaptive Security Appliances with version 8.3 or later of the operating system can be configured to enable user names, internal IPs, and domain groups to be sent via PIM to Cisco Cloud Web Security without needing to make end-user changes. There are several ways to achieve this but Cisco recommends using explicit proxy, PAC file or WPAD."
using syslog and do manual mapping - doesnt seems operationally friendly
https://supportforums.cisco.com/message/194755#194755
"Another way might be to add an access-list on the inside interface and add logging to " ip any any " which would be logged to the syslog server. But this might cause a lot of traffic for the syslog server."
also saw in scansafe help doc stating below
https://scancenter.scansafe.com/portal/static/help/ScanCenterHelp/WSAAP3.html
(in case you need) online help - https://scancenter.scansafe.com/portal/static/help/ScanCenterHelp/
"Cisco ASA 5500 Series Adaptive Security Appliances with version 8.3 or later of the operating system can be configured to enable user names, internal IPs, and domain groups to be sent via PIM to Cisco Cloud Web Security without needing to make end-user changes. There are several ways to achieve this but Cisco recommends using explicit proxy, PAC file or WPAD."
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month13 days, 5 hours left to enroll
777 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.