05-27-2010 02:18 AM - edited 03-11-2019 10:51 AM
Hi
We have just installed a Cisco 5510 for one of our customers in place of a ClearPath firewall. The problem is the old firewall had the capability of forwarding all Internal Web traffic to the MessageLabs external Web filtering service (proxy1.eu.webscanningservice.com) from the internal ISA server. The following commands on the ClearPath achieved this functionality:
1) cache_peer proxy1.eu.webscanningservice.com parent 3128 0 no-query
2) iptables -t nat -I LAN_dnat -p tcp --dport www -s 192.168.1.10 -j REDIRECT --to-port 8080
FYI - 1.10 is the internal ISA server.
My understanding of how this works is that the old firewall had transparent proxy capability and redirects all internal web traffic to MessageLabs on port 3128. This means port 80 can be blocked on the firewall.
Can anyone out there confirm whether or not the ASA has the same capability or suggest a workaround?
Thanks!
05-27-2010 03:00 AM
Hi,
The ASA can be configured to redirect HTTP, HTTPS and FTP traffic to an external URL filtering server.
This URL server should be either a websense or smart filter server.
Check this link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_filter.html#wp1045692
Hope it helps.
Federico.
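For reference, this is what the url-server/filter configuration Federico points to looks like on an ASA 8.x. It is an added example written for this thread, not configuration from any of the posts; the Websense server address (192.168.1.50, on the inside interface) and the client subnet (192.168.1.0/24) are assumptions.

```cisco
! Added example (not from the thread): ASA URL filtering via an external Websense server.
! Assumed: Websense server 192.168.1.50 reachable on the inside interface,
! clients in 192.168.1.0/24. The server must be given as an IP address.
url-server (inside) vendor websense host 192.168.1.50 timeout 30 protocol TCP version 4
! Consult the server for HTTP, HTTPS and FTP from the inside subnet to anywhere.
! Without the 'allow' keyword, traffic is denied when the server is unreachable (fail closed).
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
filter https 443 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
filter ftp 21 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
```

Two points worth checking before relying on this: the ASA does not forward the client's request to the filtering server, it passes the request to the destination and asks the server in parallel whether to allow the response, so the server is a policy oracle, not a proxy; and `url-server` takes only an IP address, which is why a hosted service reachable by hostname (like the one in the original question) cannot be plugged in here. `show url-server` and `show url-server statistics` confirm the server is up and answering.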
05-27-2010 03:13 AM
Hi Federico
Thanks for the reply,
I think configuring a Websense server or Smart Filter server is not the same as a transparent proxy feature; also, you have to specify an IP address rather than a URL for the servers.
The ISA server has integrated Websense to filter URLs which the Clearpath FW then redirects to MessageLabs for malicious content filtering.
05-27-2010 03:19 AM
You're right.
However the ASA can make use of a third-party URL-filtering server to accomplish this.
The other solutions are using regular expressions:
https://supportforums.cisco.com/docs/DOC-1268
Or having a CSC module on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/csc.html
Federico.
05-27-2010 03:32 AM
Hi Federico
Thanks for the info, but the CSC only works with Trend and not MessageLabs; it would also be an additional cost, and using regular expressions is not a viable option. So it seems the ASA cannot provide the same capability as some small, cheap vendor firewall?
05-27-2010 03:44 AM
Russ,
I'm sure the ASA does a lot of advanced functions not performed by cheap firewalls.
But you're correct, the ASA is not a URL filtering device. It can redirect URLs to a URL-filtering server or can use regex or CSC, but not in the same way you're describing.
Federico.
05-27-2010 03:52 AM
Hi Federico
I agree, the customer is really happy with the ASA features, GUI, etc. It's just a shame it can't support such a simple feature, which could be a "show stopper". They were also planning to install a second ASA in place of the ClearPath at another site, which also needs to have this transparent proxy feature. Maybe it's possible to request this feature from Cisco?
05-27-2010 04:00 AM
Sure. I'll agree 100% that's something that can be included in the ASAs in a future release.
I'm not aware as to why the ASA won't support it itself though.... perhaps somebody from Cisco can let us know...
I'd suggest letting your account manager know or opening a TAC case.
Federico.
05-27-2010 04:08 AM
Yeah, might try the AM option to request such a feature.
Thanks for all of your help with this.
Russ.
06-30-2010 12:10 AM
Hi all,
I think you can configure the ASA to forward HTTP requests to a proxy with the WCCP feature.
But I do not have the possibility to test it at the moment.
Regards,
Adrian
06-30-2010 01:11 AM
Hi Adrian
According to the documentation, the proxy server must be located on the inside of the ASA. In this case the MessageLabs proxy is external to the ASA and also doesn't support WCCP.
MessageLabs say users that have an ASA can install a ML client agent on the ISA server or use proxy chaining. Client machines can also use the proxy setting in their browsers to point to MessageLabs; however, this of course requires additional work and time for the customer to implement, which was not necessary with their old firewall.
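For anyone who does have a proxy on the inside, this is the WCCP redirection Adrian has in mind, and it shows why it does not fit the case above. It is an added example written for this thread, not configuration from any of the posts; the proxy address (192.168.1.20, on the inside interface), the client subnet (192.168.1.0/24) and the password placeholder are assumptions.

```cisco
! Added example (not from the thread): ASA WCCP redirection of inside HTTP traffic
! to a WCCP-capable proxy that sits on the SAME inside interface as the clients.
! Assumed: proxy 192.168.1.20, clients 192.168.1.0/24, password value is a placeholder.
!
! Exclude the proxy's own outbound port-80 traffic first, otherwise it is redirected back to itself.
access-list wccp-redirect extended deny tcp host 192.168.1.20 any eq www
access-list wccp-redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq www
! Only this host may register as a cache engine for the service group.
access-list wccp-servers extended permit ip host 192.168.1.20 any
wccp web-cache redirect-list wccp-redirect group-list wccp-servers password WCCP-SECRET-PLACEHOLDER
! The ASA supports ingress redirection only, on the interface the clients arrive on.
wccp interface inside web-cache redirect in
```

The constraints that matter here: the ASA only redirects on ingress ("redirect in"), the cache engine and the clients have to be behind the same interface, and the redirected packets travel to the proxy in GRE, so the proxy must speak WCCP. An Internet-side hosted proxy that is not WCCP-aware, like the one in this thread, cannot be the target; that is the point Russ makes from the documentation. `show wccp` and `show wccp web-cache detail` confirm whether the proxy has registered and whether packets are being redirected.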
07-01-2010 12:16 AM
Hi Russ,
You're right, I read this after I had posted my comment.
Regards,
Adrian