08-22-2013 07:51 PM - edited 03-11-2019 07:29 PM
Hi,
I have an ASA 5505 that has 2 routes (1 route connecting to the MPLS VPN to the HK branch office and 1 route connecting to the Internet service provider). As you know, the ISP in China blocks many web sites (such as facebook, youtube, etc.). So, I would like to route the traffic to the HK ASA, and have it egress to the Internet by NAT, when a user in the China office would like to browse facebook.com or youtube.com. However, all other traffic should remain routed to the ISP in China, so that the Internet traffic in the HK office will not be overloaded and the users in China can browse facebook.com or youtube.com.
I have researched the topic of regular expressions with Modular Policy Framework (MPF). I expected that if the ASA can match the traffic, I can set the next hop to the HK office's ASA. However, this feature does not support https, so my expectation failed, because the login page and sometimes these web sites use https for encryption. I hope URL-based routing can work on both http and https.
Does anyone have any solutions to resolve this situation? Please kindly provide it to me. I would appreciate it if you could also provide a configuration example with commands. I look forward to hearing from anyone soon. Thank you.
Regards,
Lapson Wong
08-23-2013 01:43 AM
I'd rather prefer a proxy solution with automatic proxy configuration (PAC), where specified URLs go to the proxy in HK and everything else bypasses the proxy.
Michael
Please rate all helpful posts
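A PAC file of the kind suggested in the reply above, as an added example that is not part of the original post or from its author. The proxy address `proxy-hk.example.internal:3128` is a placeholder, and the helper names `hostInDomain` and `normalizeHost` are made up here; the decision is made on the host name, which the browser passes to the PAC function for http and https alike.

```javascript
// Added example PAC file; the proxy address is a placeholder (assumption).
var HK_PROXY = "PROXY proxy-hk.example.internal:3128";

// Domains named in the thread that should leave via the HK office.
var HK_DOMAINS = ["facebook.com", "youtube.com"];

// True when host equals domain or is a subdomain of it.
// Matching on a label boundary keeps look-alikes such as
// "notfacebook.com" or "facebook.com.example.net" on the direct path.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// Lower-case the host and drop the trailing dot of a fully qualified name.
function normalizeHost(host) {
  host = String(host || "").toLowerCase();
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);
  return host;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < HK_DOMAINS.length; i++) {
    if (hostInDomain(h, HK_DOMAINS[i])) {
      return HK_PROXY;   // listed sites go to the HK proxy
    }
  }
  return "DIRECT";       // everything else uses the local ISP
}
```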
08-23-2013 03:31 AM
What you are trying to do is policy-based routing, which is not supported on the ASA. MPF is used only for inspection and QoS type services.
If using a proxy is not an option, you would need to put in a router that would send the desired traffic over the WAN network. Another option, though I would not recommend it, is to find all the IPs of facebook, youtube, etc. and add static routes on the ASA pointing out the WAN interface.
08-24-2013 04:20 AM
Thank you for your reply. I thought the ASA can do policy-based routing based on URL. Now, I understand that I misunderstood something. I hope the ASA can do this in the future.
Ok, PAC is a good idea. I prefer to use a proxy in this situation. Thx.