
ASA 5520 with CSC SSM - scanning http traffic on port 8080

andy_4578
Level 1

We have an externally hosted proxy that will only accept HTTP requests on port 8080. This is proving a problem with our recently purchased CSC SSM module, as it seems that when IE is configured with a proxy on port 8080 the CSC module won't scan/filter the traffic.

Does anyone know of a fix or workaround for this without changing the port? The external company have refused to accept traffic on port 80.


Kureli Sankar
Cisco Employee

Can't think of a way... besides the one below. CSC can only scan TCP ports 80, 25, 110 and 21.

So, this is a public IP address that is configured on all the browsers to use port 8080? Change that on the browser from 8080 to 80.

I wonder if this would work.

static (outside,inside) tcp proxy_ip 80 proxy_ip 8080

-KS

Panos Kampanakis
Cisco Employee

You can have your internal hosts connect to the proxy on port 80. The ASA will pick it up and pass it through the CSC.

Then you can PAT the destination port for 80 on the destination server to 8080 on the server (outside nat).

static (outside,inside) tcp 

(duplicating kusankar's suggestion here)

I hope it does the trick.

PK
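As an added illustration, not configuration posted by anyone in this thread, here is a pre-8.3 ASA fragment that puts the two halves of the suggestion together: the outside static PAT that presents the proxy's tcp/8080 to inside hosts as tcp/80, and the MPF policy that diverts the ports CSC can scan (80, 25, 110, 21) to the module. The proxy address 203.0.113.10, the name proxy.example.net and the ACL/class/policy names are placeholders.

```cisco
! Constructed example, not from the thread. Assumptions:
!   203.0.113.10      = public IP of the externally hosted proxy
!   proxy.example.net = name the browsers use, resolving to 203.0.113.10
!   Browsers are pointed at proxy.example.net:80 (not 8080)
!
! Outside static PAT: inside hosts see the proxy on tcp/80; the ASA
! rewrites the destination port to 8080 before the packet leaves.
static (outside,inside) tcp 203.0.113.10 80 203.0.113.10 8080 netmask 255.255.255.255
!
! Send only the protocols CSC is able to scan to the module.
access-list csc_acl extended permit tcp any any eq www
access-list csc_acl extended permit tcp any any eq smtp
access-list csc_acl extended permit tcp any any eq pop3
access-list csc_acl extended permit tcp any any eq ftp
!
class-map csc_class
 match access-list csc_acl
!
! fail-close: if the SSM is down, matched traffic is dropped rather
! than passed unscanned (use "csc fail-open" if availability wins).
policy-map global_policy
 class csc_class
  csc fail-close
!
service-policy global_policy global
```

After applying it, confirm with a browser pointed at a site you have deliberately blocked in the CSC console, as the later replies in the thread recommend, rather than only checking that pages load.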

I've tested that briefly this morning and yes it worked perfectly.

Just one thing: when I tested the solution, I changed the IE proxy on the PC I was using to an IP using port 80, but all the PCs around the site currently use a domain name for the proxy..... proxy.mksxxxxx.net

Will the ASA perform a DNS lookup and convert that to a public IP, or should I change everyone's proxy server to be the public IP in Internet Explorer?

Thanks for your help.

To answer your question, the DNS lookup will be to the same IP. The static statement just changes internal port 80 to 8080. So, just change the port the internal guys think they go to the proxy on (they think 80, but the ASA will practically make it 8080) and it should be good.

Please mark this as answered for the benefit of others.

PK

The ASA will not do DNS lookup. It will use the IP that you configured on the static.

The browser resolves the name configured for the proxy using DNS. If the name properly resolves to the public IP and will not change from the one that you configured on the static, then you can just use the name. Make sure the port is 80 on the browser, though.

Does the module scan traffic as expected? I am sure pages will load fine, but are blocked sites getting denied as expected? Where is the CSC module placed? On the inside or outside?

As always, rate the posts that helped understand/resolve the problem.

-KS

Ah, good point. I didn't test whether the CSC blocked sites; I only tested that the port redirection worked.

I will try that now.

Also, make sure you configure the CSC module to get active updates.

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc5.html#wpmkr1040973

The reason I asked is that for the CSC module to scan the traffic initiated by the proxy, the proxy server and the CSC module are supposed to live behind the same interface. Even if the CSC is on the inside and the proxy on the DMZ, they do not support it. I am not sure if this changed.

I am trying to verify now.

-KS

Just quickly tested it again to see if web pages are filtered by the CSC and got some odd behaviour, as follows....

With HTTP URL blocking enabled and URL filtering disabled, I could browse correctly and the site I manually blocked displayed the Trend notification correctly.

I then enabled URL filtering as well, and immediately couldn't access any web pages at all.

For URL filtering to work, the CSC module should be able to go out to the internet on TCP ports 80 and 443 and UDP 53 for DNS resolution. Make sure the clock is set correctly on the ASA, as the CSC takes the clock from the ASA.

Yes, that problem was resolved as part of these defects CSCsd17954 and CSCsf98493. So you are good to go.

The proxy server can physically be present anywhere, so long as the proxy requests from the browsers ride on port 80.

-KS

Thank you so much for your help.
