Need help with ASA config to set up proxy on DMZ

aremirez
Cisco Employee

Hello guys,

I have a problem. I'm trying to configure an ASA as shown in the attached scenario.

I need all inside users to go to the proxy server on the DMZ, and from there they will go out to the internet.

Right now I have:

INSIDE INTERFACE

access-list inside permit ip 10.1.1.0 255.255.255.0 host 11.1.1.6

DMZ INTERFACE

access-list dmz permit ip host 11.1.1.6 any

OUTSIDE INTERFACE

access-list outside permit ip any host <proxy server public ip>

REGARDING NAT I HAVE THE FOLLOWING:

static (dmz,outside) <proxy server public ip> 11.1.1.6 netmask 255.255.255.255

My question would be: will it work with this configuration? Do I need to apply NAT on my inside hosts? When my inside hosts reach the ASA, will they all be sent to the proxy, and will the proxy then send them back to the ASA and on to the internet?

Thanks,

Tony


3 Replies

Jennifer Halim
Cisco Employee

No, the ASA will not redirect the web traffic automatically to your proxy server.

What proxy server are you using on the DMZ?

You would need to explicitly configure the DMZ proxy server as the proxy server on your inside host.

Plus, you would also need to configure the following static NAT statement to allow the traffic:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

Hello Jennifer,

Thanks for your response. So basically I will need to add a static to allow traffic from inside to dmz without being NATed. I don't know what proxy server it will be, since the server will be managed by another party, but on my inside hosts I will need to set all the parameters to point to the proxy. Once this is done, traffic will go out through the proxy server to the dmz interface of the ASA and then to the outside world, is that correct?

Do you think this configuration would work?

Outside = security 0

Inside = security 100

DMZ = security 50

static (dmz,outside) <proxy server public ip> 11.1.1.6 netmask 255.255.255.255

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

access-list inside permit tcp 10.1.1.0 255.255.255.0 any

access-list dmz permit ip host 11.1.1.6 any

access-group inside in interface inside

access-group dmz in interface dmz

Basically, with this configuration my web requests will go to the proxy on the DMZ and from there out to the internet?

Thanks

Correct, you would need to add static NAT to itself from inside to dmz.

For the access-list on the inside, once you know which port on the proxy server the inside hosts should point to, you can tie it down to that specific port. Normally a proxy server uses port 8080 by default, so you can configure it as follows:

access-list inside permit tcp 10.1.1.0 255.255.255.0 host 11.1.1.6 eq 8080

Then also allow the other services that the inside hosts need (e.g. DNS, mail, FTP, etc.).

With your configuration, yes, it will allow the inside hosts to access the proxy server, and the proxy server will also have access to the internet.
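The pieces from this thread assembled into one pre-8.3 ASA fragment, as an added example that is not from either poster. The proxy's public address and the DNS server address are placeholders, the `!` lines are annotations, and the explicit deny/log entries and the narrowing of the DMZ rule to web and DNS ports are least-privilege additions beyond what the answer above requires:

```text
! Security levels as given in the thread: inside 100, dmz 50, outside 0.
!
! NAT: identity static so inside hosts reach the DMZ untranslated,
! and a one-to-one static publishing the proxy on the outside.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz,outside) <PROXY-PUBLIC-IP> 11.1.1.6 netmask 255.255.255.255
!
! Inside: only the proxy port and DNS are allowed. There is no
! nat (inside)/global (outside) pair, so inside hosts have no
! direct path to the internet; anything else is denied and logged
! so attempts to bypass the proxy are visible in syslog.
access-list inside remark Inside users may only reach the proxy and DNS
access-list inside extended permit tcp 10.1.1.0 255.255.255.0 host 11.1.1.6 eq 8080
access-list inside extended permit udp 10.1.1.0 255.255.255.0 host <DNS-SERVER-IP> eq domain
access-list inside extended deny ip any any log
!
! DMZ: the static above also makes 10.1.1.0/24 reachable from the DMZ,
! so block DMZ-initiated traffic toward inside first, then let the
! proxy itself out on web and DNS ports only.
access-list dmz remark Proxy may not initiate connections into inside
access-list dmz extended deny ip any 10.1.1.0 255.255.255.0 log
access-list dmz extended permit tcp host 11.1.1.6 any eq www
access-list dmz extended permit tcp host 11.1.1.6 any eq https
access-list dmz extended permit udp host 11.1.1.6 any eq domain
access-list dmz extended deny ip any any log
!
access-group inside in interface inside
access-group dmz in interface dmz
```

If the proxy needs FTP or other protocols on behalf of users, add those ports to the dmz list rather than widening the inside list, so the proxy remains the single egress point.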
