Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3289
Views
0
Helpful
5
Replies

Redirecting http traffic to the proxy server

Go to solution
rajath.poovanna
Level 1
Level 1

‎03-18-2015 09:45 PM - edited ‎03-11-2019 10:39 PM

Hi,

We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup

Traffic redirection

Requirement:

We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.

Now that ASA doesn't support PBR to accomplish this, how can we accomplish this ? 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to rajath.poovanna

‎04-01-2015 04:13 AM

Hi,

To list one limitation that you might see in your scenario , You would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides only. i.e. UNTRUST

Now , talking about the NAT , why don't you try this NAT if you don't want to NAT the Source part of the Traffic:-

(DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080

Also , ASA now supports Policy Based routing from ASA 9.4.1 :)

Thanks and Regards,

Vibhor Amrodia

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Adeolu Owokade
Level 1
Level 1

‎03-20-2015 10:16 PM

Hi Rajath,

Is the Bluecoat proxy WCCP-enabled? If yes, then maybe this Cisco guide will help you: http://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/guide/asa-wccp.html

0 Helpful

Go to solution
rajath.poovanna
Level 1
Level 1
In response to Adeolu Owokade

‎03-21-2015 12:46 AM

Hi Adeolu,
Is there any other way to accomplish the requirement without WCCP.
best,
Rajath
0 Helpful

Go to solution
Andre Neethling
Level 4
Level 4
In response to rajath.poovanna

‎03-21-2015 09:38 AM

Have you thought about "Destination NAT" (Twice NAT) as a static NAT rule. It may work for you.

0 Helpful

Go to solution
rajath.poovanna
Level 1
Level 1
In response to Andre Neethling

‎03-31-2015 09:00 PM

I did try creating the below NAT rule, doing so bluecoat will only see the packets from DMZ-STAFFNET interface. Our requirement was to see the original source IP.
(DMZ-STAFFNET) to (bluecoat) source dynamic DMZ-STAFFNET interface   destination static internet proxy-server service original-http proxy-8080
So we switched to WCCP and everything is working fine for HTTP and HTTPS traffic via WCCP.
0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to rajath.poovanna

‎04-01-2015 04:13 AM

Hi,

To list one limitation that you might see in your scenario , You would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides only. i.e. UNTRUST

Now , talking about the NAT , why don't you try this NAT if you don't want to NAT the Source part of the Traffic:-

(DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080

Also , ASA now supports Policy Based routing from ASA 9.4.1 :)

Thanks and Regards,

Vibhor Amrodia

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card