ASA DMZ zone and Unix proxy server

teymur azimov
Level 1

Hi.

I have a router where all NAT translation is done. I have an ASA and a core switch.

My users and some servers are located in the 192.168.193.0/24 subnet. This subnet is created on the core switch:

int vlan 393

ip address 192.168.193.1 255.255.255.0

The core switch is connected to the ASA inside interface. The ASA inside interface IP is 172.30.30.1, and on the core switch side this port is an access port in VLAN 8, which is:

int vlan 8

ip address 172.30.30.2 255.255.255.0

On the core switch I have a default route to the ASA:

ip route 0.0.0.0 0.0.0.0 172.30.30.1

and on the ASA side:

route inside 192.168.193.0 255.255.255.0 172.30.30.2

All of them are OK.

I think that is OK.

at asa i have dmz zone which ip address:

interface Ethernet0/1

description connect to CoreSW

nameif inside

security-level 100

ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3

!

interface Ethernet0/2

description DMZ zone connect mail server

nameif DMZ

security-level 50

ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

My proxy server's inside interface is connected to the ASA DMZ zone with IP address 172.16.10.254, and its outside interface is connected to the ASA outside side, meaning it is in the same subnet as the ASA outside interface, with IP 10.0.0.254. Then I do a static NAT for 10.0.0.254 on the router. I have no problem with the NAT translation.

I want my 192.168.193.0 subnet to pass through the proxy when it wants to connect to the internet.

I wrote:

static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0

and the access-list:

access-list from_dmz_to_in extended permit ip host 172.16.10.254 any

access-group from_dmz_to_in in interface DMZ

At this point, what happens?

The users cannot access the internet. What did I do? I entered the proxy server's inside IP and the default port 3128 in the users' Internet Explorer properties.

Internet Explorer -> Tools -> Properties -> Connection -> LAN settings, and entered 172.16.10.254 and port 3128 there.

Once I enter this, my users can connect to the internet. When I remove it, they cannot connect.

But I do not want to write anything on my users' machines. How do I solve this?

After that, another problem occurred.

When my server does an nslookup, it does not work.

I think that is expected, because only port 3128 is open and my server needs UDP 53, so it cannot work.

How do I solve this issue?

As you see, my access-list is all open and I do:

static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0

Is this proxy connection wrong?

Must I move the proxy server's inside interface to another device or to another ASA interface?

Thanks.

1 Reply

Jennifer Halim
Cisco Employee

There are two ways the proxy server can work, i.e. either as a transparent or as an explicit proxy.

From your explanation, the explicit proxy works just fine when you configure the proxy settings in your browser.

The reason why the transparent proxy does not work is:

1) When a user's browser connects to the Internet, the ASA default gateway is via the outside interface; that is why the Internet traffic is not being routed transparently towards your proxy server, which is connected to the DMZ interface.

The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the Internet traffic towards the proxy server on the DMZ, you would need to route the traffic towards the proxy server. With your current topology, that is not achievable on the ASA. The ASA does not support Policy Based Routing, nor does it support WCCP when the user and the proxy server are on different interfaces.

2) You also need to find out whether the proxy server itself supports transparent proxying.

Otherwise, since the explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy?
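As an added example (not part of the original thread or of Cisco's guidance): when explicit proxy settings are pushed centrally as the reply suggests, the usual form is a PAC file that the browser evaluates for every URL. The file below sends Internet-bound traffic to the proxy at 172.16.10.254:3128 from the question and returns DIRECT for the internal subnets named on the page, so intranet traffic never transits the DMZ. The internal domain name and the exact bypass list are assumptions; the helper functions at the top re-implement the isInNet/shExpMatch/isPlainHostName primitives a browser normally supplies, so the file can be exercised offline with node.

```javascript
// Added example: PAC file for the topology in the thread. Not from the original post.
// Proxy address and port are taken from the question; the bypass subnets and the
// internal domain name are assumptions for illustration.
const PROXY = "PROXY 172.16.10.254:3128";
const INTERNAL_DOMAIN_GLOB = "*.corp.example"; // assumed internal DNS suffix
const INTERNAL_NETS = [
  ["192.168.193.0", "255.255.255.0"], // user/server VLAN behind the core switch
  ["172.30.30.0",   "255.255.255.0"], // ASA inside / core switch transit
  ["172.16.10.0",   "255.255.255.0"], // ASA DMZ, where the proxy lives
  ["10.0.0.0",      "255.255.255.0"], // ASA outside segment
];

// --- browser-provided PAC primitives, re-implemented so the file runs under node ---

// Dotted-quad string -> unsigned 32-bit integer, or null if not a valid IPv4 literal.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if host (an IPv4 literal) falls inside net/mask. Unlike the browser version,
// this one does NOT resolve hostnames: a non-literal host simply returns false.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Single-label names (no dot) are intranet hosts.
function isPlainHostName(host) {
  return !host.includes(".");
}

// Shell-style glob match (* and ?), case-insensitive, anchored at both ends.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// --- the entry point the browser calls for every URL ---
function FindProxyForURL(url, host) {
  // Intranet hosts by name never go to the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(host, INTERNAL_DOMAIN_GLOB)) return "DIRECT";

  // Only test literal IPs against the subnet list. In a real browser isInNet()
  // resolves hostnames first, which would make every page load depend on client DNS.
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIpLiteral) {
    for (const [net, mask] of INTERNAL_NETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }

  // Everything else is Internet-bound: explicit proxy, no "; DIRECT" fallback,
  // otherwise clients silently bypass the proxy whenever it is unreachable.
  return PROXY;
}
```

Deploy it by setting the browser's automatic-configuration URL through Group Policy to wherever the file is hosted, so nothing has to be typed on each user's machine. Because the browser hands the hostname to the proxy in the CONNECT/GET request, clients need no Internet DNS resolution of their own for proxied traffic; the PAC logic above only touches addresses that are already literal IPs.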
