11-05-2018 11:31 PM - edited 02-21-2020 08:26 AM
Hi All,
I have a network set up and running for some time where we have an internal network that accesses the internet via a squid proxy. This high side proxy has two NICs, one connected to the internal network and one connected to the inside interface of the ASA 5510 (V8.2 ASDM 6.2). The outside interface of the ASA is then connected to a low side proxy which in turn is connected to the internet. This all works fine and has been running fine for 4 years. We now have a need to have a web server on the DMZ so that both our clients and ourselves can access it. We would still require accessing the web server from the inside network via our high side proxy. I am just not sure what is needed for this to work. The following is our current config.
interface Ethernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/1
 description dmz
 nameif dmz
 security-level 10
 ip address 10.89.40.1 255.255.255.0
!
interface Ethernet0/3
 description inside
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
access-list inside_in remark Known proxy port.
access-list inside_in extended permit tcp any any eq 3128
access-list inside_in extended permit udp any any eq ntp
! Following two allows email access on outside facing interface of the high side proxy
access-list inside_in extended permit tcp host 10.89.20.11 any eq smtp
access-list inside_in extended permit tcp host 10.89.20.11 any eq 587
access-list inside_in extended deny tcp any any eq smtp
access-list inside_in extended deny tcp any any eq 587
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
! route all outbound traffic to asa facing interface of the low side proxy
route outside 0.0.0.0 0.0.0.0 10.89.30.12 1
! route all inbound traffic for the inside network to the asa facing interface of the high side proxy
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
On the high side proxy, I have modified the squid.conf to allow direct access to 10.89.40.0/24 which should not direct it to the low side proxy.
TIA,
Vlad
11-07-2018 08:05 PM
Hi All,
All fixed. The ASA part ended up being fairly simple to do. The configuration of the two proxies was a pain but all done now.
Vlad