topic Re: ASA as an http proxy in Network Security

ASA as an http proxy

davep — Mon, 11 Mar 2019 18:15:08 GMT

Does anyone know if the ASA can be configured to redirect ht

tp traffic to a Proxy Server?

Thank you,

Dave

Re: ASA as an http proxy

August Ritchie — Thu, 22 Jul 2010 19:39:33 GMT

As far as redirecting HTTP traffic you can redirect using url-filtering or wccp. URL filtering seem more like what you are wanting. It works with the following:

Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.

Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

WCCP redirection is for sending traffic to a caching engine which is more used for speeding up connections via caching.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094445

Re: ASA as an http proxy

davep — Thu, 22 Jul 2010 19:44:47 GMT

August,

Thank you for the response. Unfortunately, in this case it is a web filter like WebSense, but it is not one supported through the url-server command.

And, it is not a cache engine either.

Any other options?

Thank you,

Dave

Re: ASA as an http proxy

August Ritchie — Thu, 22 Jul 2010 19:52:11 GMT

Unfortunately, these are the only ways I know of for an ASA to redirect HTTP.

Some alternative none ASA ways would be to use a router before the ASA to do policy-based routing for all HTTP traffic to a different next hop (I.E. filtering server). The ASA doesn't support Policy Based Routing, thats why it is not an option on the ASA. Or to run the filter transparently inline between the ASA and inside (I don't know to much about this feature).

Re: ASA as an http proxy

davep — Thu, 22 Jul 2010 20:00:06 GMT

August,

Again, thank you for the reply. Your last option (transparent between the internal network and the ASA) was my recommendation. However, the filter box can only use 1 nic.

Thank you,

Dave

Re: ASA as an http proxy

August Ritchie — Thu, 22 Jul 2010 20:06:55 GMT

Hmm what about the policy based routing option? Is their a router or L3 switch behind the ASA that could support policy based routing?

Re: ASA as an http proxy

Magnus Mortensen — Sat, 24 Jul 2010 03:24:48 GMT

Dave,

If my memory serves me right, with the Websense platform you can go two ways...

Option 1) PIX/ASA integration using the url-server keyword.

As you noted, this option is out... So lets roll on to.....

Option 2) Span session based redirect

The other way Websense can work is by spanning your internet traffic to the monitorring port of the websense appliance. WHen configured as such, it watches the HTTP traffic similar to a promiscous IPS would. When it detects a web connection that should be blocked, it generates two RESET packets and sends one towards the HTTP client and one towrds the HTTP server. In this config you need to use the 'monitor session' keywords on an switch that the inside of the ASA connects to. You would then span that port (the one between the ASA inside interface and your switch) to the websense monitor port.

Is option 2 what our are looking for?

- Magnus