Cisco ASA-5520 Send all HTTP and HTTPS traffic to Public External Proxy Server and Port

TODD PETERSON — Tue, 12 Mar 2019 06:09:22 GMT

Current Device is a Cisco ASA-5520

Software Version = 9.1(5)21

ASDM Version = 7.3(2)102

Outside Public IP = xx.xx.xx.xx

I have purchased a Private Proxy Service which gives me a Public IP Proxy Server and Port Number, I have this working from a browser so I know the Proxy Service works correctly. I am trying to figure out how to send all HTTPS and HTTP traffic to the Proxy Server IP and Port number on the ASA-5520. I don't want to have to configure all my client browser to use the proxy server and port number. For the purposes of this example lets say the public proxy server ip = 10.10.10.10 and the port is 25510

Their must me a way to do this and I am just not sure: Below is my Config with a few things blocked out.

ASA-5520# show run
: Saved
:
: Serial Number: XXXXXXXXX
: Hardware: ASA5520, 3072 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(5)21
!
hostname ASA-5520
domain-name XXXXXXX
enable password XXXXXXXXX encrypted
names
ip local pool vpnpool 172.16.75.100-172.16.75.110
!
interface GigabitEthernet0/0
description OUTSIDE Network DHCP FIOS
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
description DMZ 50 Network 172.16.50.0/24
nameif dmz
security-level 50
ip address 172.16.50.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description INSIDE 100 Network 10.0.100.0/24
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.100.1 255.255.255.252
!
banner login
banner login ########################################
banner login ### UNATHORIZED ACCESS PROHIBITED ###
banner login ########################################
banner login
banner motd
banner motd ##########################################################################
banner motd ### WELCOME PETE, ENJOY YOUR SESSION, DON't FORGET to WRITE MEMEORY! ###
banner motd ##########################################################################
banner motd
boot system disk0:/asa915-21-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXXXXXXX
object network INSIDE-NET
subnet 10.0.100.0 255.255.255.0
object network DMZ-NET
subnet 172.16.50.0 255.255.255.0
object network cam1- xxxx
host 172.16.50.4
object network cam2- xxxx
host 172.16.50.4
object network cam3- xxxx
host 172.16.50.4
object network cam4- xxxx
host 172.16.50.4
object network cam5- xxxx
host 172.16.50.4
object network cam6- xxxx
host 172.16.50.4
object network cam7- xxxx
host 10.0.100.97
object network SSH- xxx
host 10.0.100.88
object network SW1-3033
host 10.0.100.88
object network SW2-3034
host 10.0.100.88
object network SW3-3035
host 10.0.100.88
object network SW4-3036
host 10.0.100.88
object network R1-3037
host 10.0.100.88
object network R2-3038
host 10.0.100.88
object network R3-3039
host 10.0.100.88
object network R4-3040
host 10.0.100.88
object network R5-3041
host 10.0.100.88
object network R6-3042
host 10.0.100.88
object network VERIZON- xxxxx
host 172.16.50.3
object network VERIZON- xxxxx
host 172.16.50.3
object network VERIZON- xxxxx
host 172.16.50.3
object network VERIZON- xxxxx
host 172.16.50.3
object network PDU1- xxxxx
host 172.16.50.5
object network PDU2- xxxxx
host 172.16.50.6
object network PETEWKS-RDP- xxxxx
host 10.0.100.10
object network PETELAP-RDP- xxxxx
host 10.0.100.20
object network PETEWKS-BITTORENT- xxxxxx
host 10.0.100.10
object network PETEWKS-FTP-xxxx
host 10.0.100.10
object network VERIZON-WAP- xxxxx
host 172.16.50.4
object network NETWORK_OBJ_10.0.100.0_Net1
subnet 10.0.100.0 255.255.255.0
object network NETWORK_OBJ_172.16.50.0_Net2
subnet 172.16.50.0 255.255.255.0
object network NETWORK_OBJ_172.16.75.0_RemotePool
subnet 172.16.75.0 255.255.255.0
object network PRINTER
host 10.0.100.18
object network rdp-3389
host 172.16.50.104
access-list outside_access_in extended permit tcp any object cam1-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object cam2-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object cam3-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object cam4-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object cam5-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object cam6-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object cam7-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object SSH-xx eq xxx
access-list outside_access_in extended permit tcp any object SW1-3033 eq 3033
access-list outside_access_in extended permit tcp any object SW2-3034 eq 3034
access-list outside_access_in extended permit tcp any object SW3-3035 eq 3035
access-list outside_access_in extended permit tcp any object SW4-3036 eq 3036
access-list outside_access_in extended permit tcp any object R1-3037 eq 3037
access-list outside_access_in extended permit tcp any object R2-3038 eq 3038
access-list outside_access_in extended permit tcp any object R3-3039 eq 3039
access-list outside_access_in extended permit tcp any object R4-3040 eq 3040
access-list outside_access_in extended permit tcp any object R5-3041 eq 3041
access-list outside_access_in extended permit tcp any object R6-3042 eq 3042
access-list outside_access_in extended permit tcp any object VERIZON-xxxx eq xxxx
access-list outside_access_in extended permit udp any object VERIZON-xxxxx eq xxxx
access-list outside_access_in extended permit udp any object VERIZON-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object VERIZON-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object PDU1-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object PDU2-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object PETEWKS-RDP-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object PETELAP-RDP-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object PETEWKS-BITTORENT-xxxx eq xxxx
access-list outside_access_in extended permit tcp any object PETEWKS-FTP-xx eq xx
access-list outside_access_in extended permit tcp any object VERIZON-WAP-xxxx eq xxxx
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any object rdp-xxxx eq xxxx
access-list outside_access_in extended permit udp any object rdp-xxxx eq xxxx
access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
access-list Split_Tunnel_List_ACL standard permit 10.0.100.0 255.255.255.0
access-list Split_Tunnel_List_ACL standard permit 172.16.50.0 255.255.255.0
access-list dmz_access_in extended permit tcp any object PRINTER eq 9100
access-list dmz_access_in extended permit udp any object PRINTER eq 9100
access-list dmz_access_in extended permit udp any object PRINTER eq snmp
pager lines 24
logging enable
logging timestamp
logging list ALL-MESSAGES level emergencies
logging console emergencies
logging monitor emergencies
logging buffered emergencies
logging trap warnings
logging history alerts
logging asdm debugging
logging mail emergencies
logging facility 21
logging device-id hostname
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-732-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_Net1 NETWORK_OBJ_10.0.100.0_Net1 destination static NETWORK_OBJ_172.16.75.0_RemotePool NETWORK_OBJ_172.16.75.0_RemotePool
nat (dmz,outside) source static NETWORK_OBJ_172.16.50.0_Net2 NETWORK_OBJ_172.16.50.0_Net2 destination static NETWORK_OBJ_172.16.75.0_RemotePool NETWORK_OBJ_172.16.75.0_RemotePool
!
object network INSIDE-NET
nat (inside,outside) dynamic interface
object network DMZ-NET
nat (dmz,outside) dynamic interface
object network cam1-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network cam2-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network cam3-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network cam4-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network cam5-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network cam6-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network cam7-xxxx
nat (inside,outside) static interface service tcp 8097 8097
object network SSH-xx
nat (inside,outside) static interface service tcp xxx xxx
object network SW1-3033
nat (inside,outside) static interface service tcp 3033 3033
object network SW2-3034
nat (inside,outside) static interface service tcp 3034 3034
object network SW3-3035
nat (inside,outside) static interface service tcp 3035 3035
object network SW4-3036
nat (inside,outside) static interface service tcp 3036 3036
object network R1-3037
nat (inside,outside) static interface service tcp 3037 3037
object network R2-3038
nat (inside,outside) static interface service tcp 3038 3038
object network R3-3039
nat (inside,outside) static interface service tcp 3039 3039
object network R4-3040
nat (inside,outside) static interface service tcp 3040 3040
object network R5-3041
nat (inside,outside) static interface service tcp 3041 3041
object network R6-3042
nat (inside,outside) static interface service tcp xxxx xxxx
object network VERIZON-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network VERIZON-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network VERIZON-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network VERIZON-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network PDU1-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network PDU2-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network PETEWKS-RDP-xxxx
nat (inside,outside) static interface service tcp xxxx xxxx
object network PETELAP-RDP-xxxx
nat (inside,outside) static interface service tcp xxxx xxxx
object network PETEWKS-BITTORENT-xxxx
nat (inside,outside) static interface service tcp xxxx xxxx
object network PETEWKS-FTP-xx
nat (inside,outside) static interface service tcp xxxxxx
object network VERIZON-WAP-xxxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
object network PRINTER
nat (inside,dmz) static 172.16.50.18
object network rdp-xxxx
nat (dmz,outside) static interface service tcp xxxx xxxx
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.100.0 255.255.255.0 inside
http 192.168.100.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map dynmap 65535 set pfs
crypto dynamic-map dynmap 65535 set ikev1 transform-set vpnset
crypto dynamic-map dynmap 65535 set security-association lifetime seconds 86400
crypto dynamic-map dynmap 65535 set security-association lifetime kilobytes 4608000
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 1
ssh stricthostkeycheck
ssh 10.0.100.0 255.255.255.0 inside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
dhcpd auto_config outside
!
dhcpd address 172.16.50.100-172.16.50.110 dmz
dhcpd dns 8.8.8.8 208.67.222.222 interface dmz
dhcpd lease 86400 interface dmz
dhcpd enable dmz
!
dhcpd address 10.0.100.100-10.0.100.110 inside
dhcpd dns 8.8.8.8 208.67.222.222 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer
webvpn
anyconnect-essentials
group-policy vpnclientgroup internal
group-policy vpnclientgroup attributes
dns-server value 8.8.8.8 208.67.222.222
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List_ACL
default-domain value xxxxxxxxx
username XXXXXXX password XXXXXXXXXXXXX encrypted privilege 15
tunnel-group vpnclientgroup type remote-access
tunnel-group vpnclientgroup general-attributes
address-pool vpnpool
default-group-policy vpnclientgroup
tunnel-group vpnclientgroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map exit
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:XXXXXXXXXXXXXXXX
: end

Hi,You can configure a manual

Vibhor Amrodia — Fri, 19 Jun 2015 11:15:56 GMT

Hi,

You can configure a manual NAT statement like this:-

object network protected-network
subnet 0.0.0.0 0.0.0.0
!
object network proxy
host 5.52.53.5
!
object service original-http
service tcp destination eq www

object service original-https
service tcp destination eq https
!
object service proxy-8080
service tcp destination eq 8080
!
nat (INSIDE,OUTSIDE) source dynamic protected-network interface
destination static protected-network proxy service
original-http proxy-8080

nat (INSIDE,OUTSIDE) source dynamic protected-network interface
destination static protected-network proxy service
original-https proxy-8080

Thanks and Regards,

Vibhor Amrodia

topic Cisco ASA-5520 Send all HTTP and HTTPS traffic to Public External Proxy Server and Port in Network Security

Cisco ASA-5520 Send all HTTP and HTTPS traffic to Public External Proxy Server and Port

Hi,You can configure a manual