09-01-2011 07:38 PM - edited 03-11-2019 02:19 PM
A customer recently purchased an ASR 1001 under the impression it could replace their old 3662 router and ASA 5505. The ASA is configured for their SmartFilter proxy server (N2H2), and I am having a heck of a time finding any documention on how to configure this. I found the following, which proved to be little help:
To use SmartFilter with Cisco IOS firewall, install the SmartFilter componentsand use the IFP plugin (off-box). To configure the Cisco IOS for SmartFilter,use the Cisco document Firewall N2H2 Support located on the Cisco Web site,www.cisco.com.
Well, I found the Firewall N2H2 Support document (http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_n2h2.html), but the ip inspect command doesn't seem to work on the ASR.
Is there any way to make this work or does the ASA have to stay in line?...
09-02-2011 06:14 AM
Hello,
Unfortunately, the ASR doesn't currently support integrated URL filtering with SmartFilter/N2H2. It does support proxying with WCCP, but not the same off-box URL filtering that you would be used to with the ASA ('url-server' and 'filter' commands).
If this is a requirement for you, I would suggest working with your Cisco account team and asking them to file a product enhancement request to add this feature in a future release.
Hope that helps.
-Mike
09-02-2011 05:59 PM
It is SmartFilter 4.1.1, and the admin guide for that version makes no mention of WCCP support. The SmartFilter itself is a bit foreign to me, so can you elaborate on your response? You said we won't get the same off-box URL filtering we are used to with the ASA, but can we still get the functionality? If it is a change in configuration commands, etc, I see no problem, but if you are telling me this hardware software combination won't work, then I guess I have a real problem on my hands.
09-03-2011 04:58 AM
Hello,
Some URL filtering servers like Ironport WSA or Websense support WCCP and will act as a full proxy for the HTTP connections. In this way, the router can redirect HTTP traffic to the WCCP server, who can either proxy the connection and download/cache the content from the web server, or drop the packets so the client can't reach its intended destination.
This is different from the way basic URL filtering works because the URL filtering server doesn't see or proxy the entire connection. Rather, the ASA/router sends a message to the URL filtering server that contains the client's requested URL, and the filtering server responds back saying whether or not that connection should be permitted or denied.
The implementation depends a lot on the filtering vendor, but if SmartFilter doesn't support WCCP then unfortunately you're back where you started for the time being. As I mentioned, you could contact your Cisco account team and see if this functionality is on the ASR's roadmap, though I realize that won't help in the short term. Your best bet would probably be to put the ASA back in line and let it handle the URL filtering for now.
-Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide