
Possible to hide all IP's behind an interface?

Hi all,

We use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well. 

However, lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed, mainly because of a recent increase in the rollout of iPads, iPhones, Androids etc.

We could deploy a proxy server in the wireless DMZ to make all the wireless devices appear to the web filter as a single IP, and apply a single policy, but that brings its own problems.

My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless DMZ interface IP rather than the wireless device IP?

I know this means we can only apply one web filter policy but this is an acceptable solution.

Thanks


Possible to hide all IP's behind an interface?

I would say, "It depends". Some proxies use a license by username rather than IP address. If yours does use license by IP, you could NAT before hitting the firewall. I think you would have to NAT it before hitting your ASA and not on the DMZ interface.
