cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
970
Views
0
Helpful
3
Replies

N2H2 support on ASR 1001

dbrown
Beginner
Beginner

A customer recently purchased an ASR 1001 under the impression it could replace their old 3662 router and ASA 5505.  The ASA is configured for their SmartFilter proxy server (N2H2), and I am having a heck of a time finding any documention on how to configure this.  I found the following, which proved to be little help:

To use SmartFilter with Cisco IOS firewall, install the SmartFilter componentsand use the IFP plugin (off-box). To configure the Cisco IOS for SmartFilter,use the Cisco document Firewall N2H2 Support located on the Cisco Web site,www.cisco.com.

Well, I found the Firewall N2H2 Support document (http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_n2h2.html), but the ip inspect command doesn't seem to work on the ASR. 

Is there any way to make this work or does the ASA have to stay in line?...

3 Replies 3

mirober2
Cisco Employee
Cisco Employee

Hello,

Unfortunately, the ASR doesn't currently support integrated URL filtering with SmartFilter/N2H2. It does support proxying with WCCP, but not the same off-box URL filtering that you would be used to with the ASA ('url-server' and 'filter' commands).

If this is a requirement for you, I would suggest working with your Cisco account team and asking them to file a product enhancement request to add this feature in a future release.

Hope that helps.

-Mike

It is SmartFilter 4.1.1, and the admin guide for that version makes no mention of WCCP support.  The SmartFilter itself is a bit foreign to me, so can you elaborate on your response?  You said we won't get the same off-box URL filtering we are used to with the ASA, but can we still get the functionality?  If it is a change in configuration commands, etc, I see no problem, but if you are telling me this hardware software combination won't work, then I guess I have a real problem on my hands.

Hello,

Some URL filtering servers like Ironport WSA or Websense support WCCP and will act as a full proxy for the HTTP connections. In this way, the router can redirect HTTP traffic to the WCCP server, who can either proxy the connection and download/cache the content from the web server, or drop the packets so the client can't reach its intended destination.

This is different from the way basic URL filtering works because the URL filtering server doesn't see or proxy the entire connection. Rather, the ASA/router sends a message to the URL filtering server that contains the client's requested URL, and the filtering server responds back saying whether or not that connection should be permitted or denied.

The implementation depends a lot on the filtering vendor, but if SmartFilter doesn't support WCCP then unfortunately you're back where you started for the time being. As I mentioned, you could contact your Cisco account team and see if this functionality is on the ASR's roadmap, though I realize that won't help in the short term. Your best bet would probably be to put the ASA back in line and let it handle the URL filtering for now.

-Mike

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: