traffic flow on ASA

clark white
Level 2

Dears,

Please find the attached topology.

Interface names on the ASA are:

Inside, Webfilter_IN, Webfilter_OUT, Link balancer, Outside, WAN

The SFR job will be only IPS inspection and malware inspection.

I have internal users for whom I'm planning to pass the Internet traffic through the web filter. I will do PBR on the ASA Inside interface to route Internet traffic to the web filter, and then the web filter will check URL filtering and send the traffic from the web filter's out interface to the ASA. Then on the ASA I'm doing another PBR on the Webfilter_OUT interface, so that the traffic I receive there is pushed on to the link balancer.

I have the below 2 questions for the above design:

  • Will the Internet traffic which passes through the ASA be inspected twice by the SFR? Because the Internet traffic is coming in from the Inside interface and exiting the Webfilter_IN interface (so before exiting the Webfilter_IN interface on the ASA the traffic will be checked by the SFR?), then again the ASA will receive the same connection's traffic from the Webfilter_OUT interface and it will exit the Link balancer interface (so before exiting the Link balancer it will again be sent to the SFR?).
  • Is the above design best practice, or can an alternative be done?

Thanks

7 Replies

clark white
Level 2

Dears,

Nobody has the answer for my query above, or is the question not clear?

thanks

Hi Clark,

Sending the same traffic twice will be unnecessary. 

Going by the norm, you should place the webfilter inline unless it does not have that capability, so that the traffic is sent and inspected once through ASA and IPS. 

Ideally we would want that whatever traffic is denied at the webfilter level should not even go through ASA once. So, any blocked traffic should be blocked as close to source as possible by placing the webfilter internal to the ASA. 

Now, there can be a workaround with your existing design. For that we need to know if the webfilter lets the traffic pass as it is or NATs it using its own IP address. So, for IPS inspection, we can send the traffic using the source IP address by creating a policy (MPF). We can exempt either the real machines or the webfilter. Other than that, I would prefer having the webfilter inline.

HTH

AJ

Dear linking,

It was planned before to place the webfilter internal to the ASA, as close to the source, but later it was changed to place it as mentioned above,

so I want to know whether the traffic will be sent twice to the SFR.

"Now, there can be a workaround with your existing design. For that we need to know if the webfilter lets the traffic pass as it is or NAT using its own ip address."

There is no NAT; it will be passed as it is.

"we can send the traffic using the source ip address and creating a policy(mpf). We can exempt either the real machines or the webfilter."

I have permit ip any any in the SFR access-list so that all traffic is sent to the SFR. Now the traffic is not NATed by the webfilter, so how can I restrict the internal hosts' traffic from being routed twice to the SFR?

Regards

Since the traffic after getting filtered would be coming from the Webfilter_OUT interface, it would then be better to have an interface-specific policy rather than a global policy. Ideally we have a global policy and we apply the SFR policy there. But in your case, you can have an interface-specific policy so that traffic coming from the LAN to the webfilter is not inspected. That would take care of the issue of traffic getting inspected twice.

I have few more concerns:

1. Since the LAN subnet is behind the LAN interface, if the traffic comes to the ASA from the Webfilter_OUT interface, it might get dropped.

2. Even if we manage to send the outbound traffic, the return traffic might again get dropped for the same reasons.

Please test and see what challenges you face. 

Regards,

AJ
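To make the "interface-specific policy" suggestion concrete, here is an added example configuration that is not from the thread or from Cisco; it assumes ASA 9.4 or later (where policy-based routing with route-maps exists), nameif values written with underscores (an ASA nameif cannot contain a space, so the "Link balancer" interface is assumed to be Link_balancer), a constructed LAN subnet of 10.10.0.0/16, and constructed next-hop addresses for the webfilter and the link balancer. It shows both PBR legs described in the original post and then attaches the SFR redirect class only to Webfilter_OUT, so the first pass (Inside to Webfilter_IN) never reaches the module and the filtered pass is inspected once.

```cisco
! Assumed LAN users (constructed subnet for this example)
object network LAN_USERS
 subnet 10.10.0.0 255.255.0.0
!
! --- PBR leg 1: Internet-bound traffic entering Inside goes to the webfilter ---
access-list PBR_TO_WEBFILTER extended permit ip object LAN_USERS any
route-map INSIDE_TO_WEBFILTER permit 10
 match ip address PBR_TO_WEBFILTER
 set ip next-hop 192.0.2.2
!
interface GigabitEthernet0/1
 nameif Inside
 policy-route route-map INSIDE_TO_WEBFILTER
!
! --- PBR leg 2: traffic returning from the webfilter on Webfilter_OUT goes to the link balancer ---
! The source is still the LAN address because the webfilter does not NAT.
access-list PBR_TO_BALANCER extended permit ip object LAN_USERS any
route-map WEBFILTER_OUT_TO_BALANCER permit 10
 match ip address PBR_TO_BALANCER
 set ip next-hop 198.51.100.2
!
interface GigabitEthernet0/3
 nameif Webfilter_OUT
 policy-route route-map WEBFILTER_OUT_TO_BALANCER
!
! --- SFR redirection: per interface instead of global ---
! A global "permit ip any any" SFR class redirects both passes, because the ASA
! sees two separate connections (one entering Inside, one entering Webfilter_OUT).
! Keeping the sfr action out of the global policy and attaching it to Webfilter_OUT
! only means the Inside -> Webfilter_IN pass is never sent to the module.
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map SFR_POLICY
 class SFR_CLASS
  sfr fail-open
!
! Remove the sfr action from the global policy if it is there
! (use whatever class name your existing global_policy carries).
policy-map global_policy
 class SFR_CLASS
  no sfr fail-open
!
! Apply the SFR policy only where the once-filtered traffic enters the ASA.
service-policy SFR_POLICY interface Webfilter_OUT
```

An interface service policy matches connections initiated in either direction on that interface, so Internet replies arriving for those flows are handled by the same redirected connection; any other interface whose traffic should still reach the module (for example WAN) needs its own service-policy line once the sfr action is out of global_policy. This only answers the "inspected twice" question; it does not address the concern raised above about LAN-sourced packets arriving on Webfilter_OUT. With ip verify reverse-path enabled on Webfilter_OUT such packets would be dropped as spoofed, and return traffic from the link balancer will follow the routing table toward Inside unless PBR on that interface or NAT on the webfilter keeps it on the same path.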

Dear 

The 2 concerns you have raised are really killing me from day 1.

Just want to know: the packet which will go out from the ASA Webfilter_IN interface, when it is received back on the Webfilter_OUT interface, will it not be maintained by the ASA? Will the ASA treat it as a different packet? Because here we are not changing the IP address of the source.

Please get me an answer for your concerns because I'm going to do the change.

Hi Clark,

A packet gets initiated by a LAN user -> goes from the Webfilter_IN interface to the webfilter. This part is fine. Once the webfilter sends the packet through its out interface back to the ASA, that is when the ASA might treat it as a spoof, since the source is actually located behind the LAN interface. Also, even if this traffic gets through the ASA, the return traffic will not be handled correctly since it might go to the LAN and not come back the same way.

ASA is not supposed to like that either. My suggestion - make a topology wherein the webfilter is inline so that the design becomes as below:

lan user -> webfilter -> (inside) ASA (outside) -- internet handoff

This will make things simpler in a longer run.

If you still wish to use the current setup, find a way to NAT the LAN users when they are filtered through the webfilter, so that the ASA does not take that as a spoof and the return traffic follows the same path.

HTH

AJ

Dear Linking,

Sorry for the delay as I was out of the country. If I NAT on the webfilter then there will be no issue, but in this case I want to avoid sending traffic twice to the SFR module.

thanks
