
N2H2 support on ASR 1001

dbrown
Level 1

A customer recently purchased an ASR 1001 under the impression it could replace their old 3662 router and ASA 5505. The ASA is configured for their SmartFilter proxy server (N2H2), and I am having a heck of a time finding any documentation on how to configure this. I found the following, which proved to be little help:

To use SmartFilter with Cisco IOS firewall, install the SmartFilter components and use the IFP plugin (off-box). To configure the Cisco IOS for SmartFilter, use the Cisco document Firewall N2H2 Support located on the Cisco Web site, www.cisco.com.

Well, I found the Firewall N2H2 Support document (http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_n2h2.html), but the ip inspect command doesn't seem to work on the ASR. 

Is there any way to make this work or does the ASA have to stay in line?...

3 Replies

mirober2
Cisco Employee

Hello,

Unfortunately, the ASR doesn't currently support integrated URL filtering with SmartFilter/N2H2. It does support proxying with WCCP, but not the same off-box URL filtering that you would be used to with the ASA ('url-server' and 'filter' commands).

If this is a requirement for you, I would suggest working with your Cisco account team and asking them to file a product enhancement request to add this feature in a future release.

Hope that helps.

-Mike

It is SmartFilter 4.1.1, and the admin guide for that version makes no mention of WCCP support. The SmartFilter itself is a bit foreign to me, so can you elaborate on your response? You said we won't get the same off-box URL filtering we are used to with the ASA, but can we still get the functionality? If it is a change in configuration commands, etc., I see no problem, but if you are telling me this hardware/software combination won't work, then I guess I have a real problem on my hands.

Hello,

Some URL filtering servers like IronPort WSA or Websense support WCCP and will act as a full proxy for the HTTP connections. In this way, the router can redirect HTTP traffic to the WCCP server, which can either proxy the connection and download/cache the content from the web server, or drop the packets so the client can't reach its intended destination.

This is different from the way basic URL filtering works because the URL filtering server doesn't see or proxy the entire connection. Rather, the ASA/router sends a message to the URL filtering server that contains the client's requested URL, and the filtering server responds back saying whether or not that connection should be permitted or denied.

The implementation depends a lot on the filtering vendor, but if SmartFilter doesn't support WCCP then unfortunately you're back where you started for the time being. As I mentioned, you could contact your Cisco account team and see if this functionality is on the ASR's roadmap, though I realize that won't help in the short term. Your best bet would probably be to put the ASA back in line and let it handle the URL filtering for now.

-Mike
