09-19-2008 01:25 PM - edited 03-11-2019 06:46 AM
I am working with a web filtering service company that provides web filtering as a service in a cloud. I can forward web traffic to them via the normal proxy setting in my browser, but I want to be able to do it at the firewall level as well, in case a user did not get the browser policy update.
Is there a way to forward all web traffic (http, https) coming from behind the firewall (nat users) to an outside address?
I tried the command:
static (inside,outside) tcp interface www <outside ip> www netmask 255.255.255.255
...but that did not work.
Any help would be appreciated.
09-22-2008 12:39 AM
You want the filter command:
url-server (outside) host
filter url 80 0 0 0 0
filter https 443 0 0 0 0
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1761451
HTH
09-23-2008 06:59 AM
Will this work with PIX version 6.3 as well?
09-23-2008 07:17 AM
I think he is wrong. I assume this is what you're trying to accomplish:
1- There is a web proxy like BlueCoat or Squid on the Internet that you want users on your network to connect to. Users on your network get the setting through WPAD or something like that.
2- The BlueCoat or Squid proxy will intercept web traffic on your network and check URL and content filtering, antivirus, etc. If everything is fine, users on your network can access the site.
Are my assumptions correct?
The example he gave you is that the PIX will do the URL filtering with a third-party app like Websense or N2H2. It cannot do what you described.
What you're trying to accomplish can be done with WPAD.
09-23-2008 07:19 AM
I am trying to just redirect all http and https traffic to a proxy that is outside my network (the provider). Once it gets to the provider, it will keep on going out through them and the response will come back through them and to me.
09-23-2008 07:36 AM
In that case, it is very simple:
no static (inside,outside) tcp interface www
nat (inside) 1 0 0
global (outside) 1 interface
access-list Internal permit icmp any any log
access-list Internal permit tcp any host Proxy_Server eq 3128 log
access-list Internal deny ip any any log
access-list External permit icmp any any log
access-list External deny ip any any log
access-group Internal in interface inside
access-group External in interface outside
The question is how does the users' browser
get update? WPAD or what?
09-23-2008 09:37 AM
I am not really sure what you mean when you say "how does the users' browser get update".
And I am not sure what WPAD is either.
09-23-2008 11:05 AM
"in case a user did not get the browser policy update."
How do users' browsers get policy updates such as proxy settings?
09-23-2008 01:14 PM
I can push proxy setting changes down via AD Group Policies, but I don't want to depend on that. For instance, if a rogue PC plugs into our network, and they are not able to get the browser proxy policy via AD (since they are not on our domain), I would like them to be proxied via the firewall.
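For readers unfamiliar with WPAD, which the thread mentions: browsers use it to locate a proxy auto-config (PAC) file, which is a JavaScript function deciding per request whether to use a proxy. The sketch below is an added example, not posted by anyone in the thread; it pairs with the ACL above, which only lets clients out to the proxy on port 3128. The proxy host name and the internal DNS suffix are placeholder assumptions.

```javascript
// Added example, not from the thread. Placeholders are assumptions;
// port 3128 is the proxy port used in the ACL posted above.
var PROXY_HOST = "proxy.example.net";   // assumption: provider's proxy name
var PROXY_PORT = 3128;
var INTERNAL_SUFFIX = ".corp.example";  // assumption: internal DNS suffix

// True for dotted-quad literals in RFC 1918 or loopback address space.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True for unqualified names and names under the internal suffix.
// The leading dot in the suffix stops "evilcorp.example" from matching.
function isInternalName(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  return host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isPrivateIPv4Literal(host) || isInternalName(host)) {
    return "DIRECT"; // internal destinations never cross the firewall
  }
  // No "; DIRECT" fallback: the firewall ACL drops direct web traffic
  // anyway, so falling back would only hide a proxy outage as timeouts.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

A machine that never loads this file (for example one outside the domain) still cannot browse directly, because the firewall ACL denies everything except traffic to the proxy.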