topic Re: redirect http traffic to an internal proxy in Network Security

redirect http traffic to an internal proxy

avburren1 — Mon, 11 Mar 2019 19:50:34 GMT

Hi,

I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software.

I explain :

PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?

Http Traffic will be routed like that : PC -> WAN interface -> Proxy -> WAN interface -> Internet

In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.

Hope you understand.

Thank you

Re: redirect http traffic to an internal proxy

mirober2 — Mon, 14 Feb 2011 20:41:50 GMT

Hello,

Take a look at the config guides for WCCP and URL filtering. Depending on what you want to achieve, one of those 2 features should accomplish what you're looking for:

WCCP:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html

URL filtering:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_filter.html#wp1045692

Hope that helps.

-Mike

Re: redirect http traffic to an internal proxy

avburren1 — Tue, 15 Feb 2011 10:41:04 GMT

URL Filtering implies to have a Web Sense Server or a Secure Computing SmartFilter Server and WCCP doesn't propose to redirect traffic toward a specifc IP + Port so i think its not possible to achieve what i want or maybe I don't understand those two features ?

Thanks.

Re: redirect http traffic to an internal proxy

avburren1 — Thu, 24 Feb 2011 15:15:02 GMT

No possibilities ?

Re: redirect http traffic to an internal proxy

Jennifer Halim — Thu, 24 Feb 2011 22:52:30 GMT

ASA does not currently support transparent proxy feature, however, it is in the roadmap.

After reading your post, you mention that some has explicit proxy settings, and some doesn't, hence you would like to redirect on the ASA if it's possible.

The easiest workaround:

- Block all outbound HTTP/HTTPS access on the ASA, except outbound from the proxy ip address. This will ensure that everyone else can't get to the Internet but via the proxy.

- Once you have implemented that, I am sure they learn that the only way to get internet access is via the proxy.

Second option is to use ASA DNAT feature (supported from ASA version 8.3 onwards). Your scenario of redirecting it after it gets out will definitely not work. I am thinking more on redirection on the inside interface - but I have never tested it.

Assuming that your internal network is 10.1.1.0/24, proxy server: 10.1.1.10:

object network obj-internet

subnet 0.0.0.0 0.0.0.0

object network obj-10.1.1.0

subnet 10.1.1.0 255.255.255.0

object network obj-proxy

host 10.1.1.10

object service original-http

service tcp destination eq www

object service proxy-8080

service tcp destination eq 8080

nat (inside,inside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-internet obj-proxy service original-http proxy-8080

same-security-traffic permit intra-interface

Again, I have never tested DNAT in and out the same interface, but in theory, it should work.

Let me know your thoughts.

Re: redirect http traffic to an internal proxy

avburren1 — Fri, 25 Feb 2011 15:23:03 GMT

Ok.

I'am using ASA v8.2, Are you sure DNAT isn't supported ?

Thanks.

Re: redirect http traffic to an internal proxy

Jennifer Halim — Fri, 25 Feb 2011 21:54:12 GMT

YUP, 100% sure DNAT is not supported in 8.2