Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
523
Views
0
Helpful
1
Replies

Possible to hide all IP's behind an interface?

colmcorcoran
Level 1
Level 1

‎12-18-2012 06:03 AM - edited ‎03-11-2019 05:38 PM

Hi all,

We use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well. 

However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc.

We  could deploy a proxy server in the wireless DMZ to make all the  wireless devices appear to web filter as a single IP, and apply a single  policy,

but that brings it's own problems.

My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?

I know this means we can only apply one web filter policy but this is an acceptable solution.

Thanks

Labels:
0 Helpful
1 Reply 1

Collin Clark
VIP Alumni
VIP Alumni

‎12-18-2012 07:16 AM

I would say, "It depends". Some proxies use a license by username rather than IP address. If yours does use license by IP, you could NAT before hitting the firewall. I think you would have to NAT it before hitting your ASA and not on the DMZ interface.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card