Cisco ASA insert-http X-Forwarded-For header-value

macomsupport
Dear Experts,

We have configured our ASA to forward all outbound HTTP traffic to an external proxy, using the config below. However, while the traffic flows to the external proxy, none of the proxy rules are applied because the ASA seems to be removing the username and internal IP in the HTTP header information. How can we configure the ASA not to remove the header information?

TIA Steve

###########Internal LAN###########
object network Internal-Proxy-Test
 subnet 172.x.x.0 255.255.255.0
##################################

########Destination Ports#########
object service original-http
 service tcp destination eq www
object service original-https
 service tcp destination eq 443
object service proxy-3128
 service tcp destination eq 3128
##################################
 
########Upstream Proxy#############
object network upstream-proxy
 host x.x.x.x
###################################

##############Protected Networks###########
object network scansafe-protected-network1
 subnet 0.0.0.0 248.0.0.0
object network scansafe-protected-network2
 subnet 8.0.0.0 254.0.0.0
object network scansafe-protected-network3
 subnet 11.0.0.0 255.0.0.0
object network scansafe-protected-network4
 subnet 12.0.0.0 252.0.0.0
object network scansafe-protected-network5
 subnet 16.0.0.0 240.0.0.0
object network scansafe-protected-network6
 subnet 32.0.0.0 224.0.0.0
object network scansafe-protected-network7
 subnet 64.0.0.0 192.0.0.0
object network scansafe-protected-network8
 subnet 128.0.0.0 224.0.0.0
object network scansafe-protected-network9
 subnet 160.0.0.0 248.0.0.0
object network scansafe-protected-network10
 subnet 168.0.0.0 252.0.0.0
object network scansafe-protected-network11
 subnet 172.0.0.0 255.240.0.0
object network scansafe-protected-network12
 subnet 172.32.0.0 255.224.0.0
object network scansafe-protected-network13
 subnet 172.64.0.0 255.192.0.0
object network scansafe-protected-network14
 subnet 172.128.0.0 255.128.0.0
object network scansafe-protected-network15
 subnet 173.0.0.0 255.0.0.0
object network scansafe-protected-network16
 subnet 174.0.0.0 255.0.0.0
object network scansafe-protected-network17
 subnet 175.0.0.0 255.0.0.0
object network scansafe-protected-network18
 subnet 176.0.0.0 255.0.0.0
object network scansafe-protected-network19
 subnet 177.0.0.0 255.0.0.0
object network scansafe-protected-network20
 subnet 178.0.0.0 255.0.0.0
object network scansafe-protected-network21
 subnet 179.0.0.0 255.0.0.0
object network scansafe-protected-network22
 subnet 180.0.0.0 252.0.0.0
object network scansafe-protected-network23
 subnet 184.0.0.0 252.0.0.0
object network scansafe-protected-network24
 subnet 188.0.0.0 252.0.0.0
object network scansafe-protected-network25
 subnet 192.0.0.0 255.128.0.0
object network scansafe-protected-network26
 subnet 192.128.0.0 255.224.0.0
object network scansafe-protected-network27
 subnet 192.160.0.0 255.248.0.0
object network scansafe-protected-network28
 subnet 192.169.0.0 255.255.0.0
object network scansafe-protected-network29
 subnet 192.170.0.0 255.254.0.0
object network scansafe-protected-network30
 subnet 192.172.0.0 255.252.0.0
object network scansafe-protected-network31
 subnet 192.176.0.0 255.240.0.0
object network scansafe-protected-network32
 subnet 192.192.0.0 255.192.0.0
object network scansafe-protected-network33
 subnet 193.0.0.0 255.0.0.0
object network scansafe-protected-network34
 subnet 194.0.0.0 254.0.0.0
object network scansafe-protected-network35
 subnet 196.0.0.0 252.0.0.0
object network scansafe-protected-network36
 subnet 200.0.0.0 248.0.0.0
object network scansafe-protected-network37
 subnet 208.0.0.0 240.0.0.0
object network scansafe-protected-network38
 subnet 224.0.0.0 224.0.0.0
###########################################
 
###########################################################Section for HTTP##################################################################################
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network1 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network2 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network3 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network4 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network5 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network6 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network7 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network8 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network9 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network10 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network11 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network12 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network13 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network14 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network15 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network16 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network17 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network18 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network19 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network20 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network21 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network22 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network23 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network24 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network25 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network26 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network27 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network28 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network29 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network30 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network31 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network32 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network33 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network34 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network35 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network36 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network37 upstream-proxy service original-http proxy-3128
nat (inside,outside) source dynamic Internal-Proxy-Test  interface destination static scansafe-protected-network38 upstream-proxy service original-http proxy-3128
##############################################################################################################################################################

Commented:
I would run a packet capture to verify that it is the ASA. As far as I am aware, the ASA should not be touching the data stream.
no longer an issue

Author

Commented:
No longer need to resolve this issue.
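
The packet-capture check suggested in the thread, as an added example that is not part of the original posts: it compares the HTTP request payload captured on the ASA inside interface with the same request captured on the outside interface, and separates headers removed in transit from identity headers the client never sent. The header names in `IDENTITY_HEADERS`, the function names and the sample payloads are constructed assumptions.

```python
IDENTITY_HEADERS = ("x-forwarded-for", "proxy-authorization")

def parse_request(raw):
    """Split raw HTTP/1.x request bytes into (request_line, {name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def compare_captures(inside, outside):
    """Diff the same request seen before (inside) and after (outside) the ASA."""
    in_line, in_hdrs = parse_request(inside)
    out_line, out_hdrs = parse_request(outside)
    common = set(in_hdrs) & set(out_hdrs)
    report = {
        "request_line_changed": in_line != out_line,
        "removed": sorted(set(in_hdrs) - set(out_hdrs)),
        "added": sorted(set(out_hdrs) - set(in_hdrs)),
        "modified": sorted(h for h in common if in_hdrs[h] != out_hdrs[h]),
        # Identity headers absent on the inside capture were never sent by
        # the client, so no device on the path could have stripped them.
        "never_sent": [h for h in IDENTITY_HEADERS if h not in in_hdrs],
    }
    report["payload_untouched"] = not (
        report["request_line_changed"] or report["removed"]
        or report["added"] or report["modified"])
    return report

# Constructed sample payloads (not taken from the original post).
BASE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: test-client\r\n")
PLAIN_INSIDE = BASE + b"\r\n"    # client not configured for any proxy
PLAIN_OUTSIDE = BASE + b"\r\n"   # identical bytes after NAT
XFF_INSIDE = BASE + b"X-Forwarded-For: 10.0.0.25\r\n\r\n"
XFF_OUTSIDE = BASE + b"\r\n"     # header missing on the outside capture

if __name__ == "__main__":
    for label, a, b in (("plain", PLAIN_INSIDE, PLAIN_OUTSIDE),
                        ("xff", XFF_INSIDE, XFF_OUTSIDE)):
        print(label, compare_captures(a, b))
```

A `never_sent` entry together with `payload_untouched` being true means the header was missing before the request reached the firewall; a `removed` entry means it disappeared between the two capture points.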
