08-25-2010 04:48 PM - edited 03-11-2019 11:30 AM
I am trying to use my 5510 to treat traffic from my LAN to our MPLS and to the internet in 2 different ways. Traffic from the LAN to corporate resources should be unmolested; however, the MPLS is providing internet access via a proxy server that is managed by the ISP. I want all this traffic scanned but not blocked. I also want to be able to specify certain people that can use my public internet link, which I want scanned and governed by a strict white/black list ACL, while leaving their path to the MPLS corporate resources undisturbed. I am trying to figure out the best way to do this. I know it will involve some combination of route maps and static/default routes, but I am not clear on the last 10% of how to accomplish this. I have a 6500 series switch behind the ASA that I hope to accomplish the routing with. Any ideas / guidance would be appreciated.
08-26-2010 04:31 AM
I am assuming that both corporate resources and the Internet connection go through the ISP MPLS network.
"Traffic from lan to corporate resources should be unscanned/blocked" --> check with your ISP whether they are scanning internal traffic, i.e. traffic between the LAN and corporate resources, or whether they are only scanning traffic leaving for the Internet.
" I want all this traffic scanned but not blocked." --> this really depends on what your ISP proxy server is doing, are they doing scanning only or scanning plus web filtering?
" I also want to be able to specify certain people that can use my public internet link which I want scanned and will be governed by a strict white\black list acl" --> again, this really depends on what is configured on your ISP proxy server.
"while undisturbing their path to the mpls corporate resources" --> how do you determine which proxy server to use? Through a PAC file, or transparently through your ISP proxy server? I would confirm with the ISP whether they are doing proxy inspection for corporate resources traffic as well as Internet traffic.
I don't think route-maps/static routes will work if both corporate resources and the Internet are through 1 MPLS link. The differentiation would be within the MPLS network itself, which I believe is managed by your ISP, right?
08-26-2010 02:59 PM
Halijenn,
Thanks so much for your input. I think you misunderstood slightly or I missed something in my explanation. You are correct that internet (through the ISP proxy) and access to corporate resources is over the same MPLS link. They do not do any scanning on the non-HTTP traffic, and the HTTP traffic is only scanned if the proxy PAC is applied to the browser. They are using web filtering and some scanning that is not stateful here.

Separate from this MPLS link is a link that I purchased through a different provider that is not going through the MPLS and has nothing to do with it. What I'm really trying to accomplish is to 1. Add the capability to scan/monitor and report what is destined for the MPLS (corporate or internet). 2. Provide access selectively to the public internet as an alternative way to connect to the public. I do not have any proxy server set up on this public access (that is partially what I am trying to figure out: do I need one, etc.)

Is that more clear?

Thanks so much for your help,
08-29-2010 06:05 AM
1) I don't understand how you are going to extend the proxy/scanning functionality if your ISP is the one who manages the proxy functionality. Unless you have access to the proxy portal, I don't think you can have any extra functionality/feature.
2) Once you have configured the browser to use a PAC file for HTTP/HTTPS traffic, all web traffic will be routed towards that particular proxy server, which will then use your MPLS link. If you have another public connection and you only want scanning to be done by your first ISP via MPLS, then route the traffic back towards the other public link, I don't think it is possible (even if it were possible, your first ISP wouldn't want traffic which is not destined towards their network to go through their network just for scanning).
If you would like to scan web traffic destined for the other public internet link, then you would need to request the same type of service (proxy server) through your second ISP/public internet. Or alternatively, you can purchase/manage a proxy server yourself (i.e. for a Cisco product: IronPort for an appliance service, or ScanSafe for a cloud service).
08-30-2010 01:41 PM
In my attachment, I'm not sure if you can see it or not. It illustrates the separation of the MPLS and the public internet. This is actually a rather standard configuration that I know many companies are already implementing.
Traffic to the MPLS takes the default route; traffic to the MPLS with the ISP proxy applied also goes through the default route.
Traffic that I want to use the public internet will have to be directed via either a static route or a route map.
I want to scan traffic into and out of my LAN coming from both the public internet and the MPLS regardless of what they are doing, because I have no real insight into what they are doing. My company is part of a large conglomerate that has global rules that we must follow. I have no visibility into the traffic passing to the MPLS other than NetFlow on the MPLS router interface that is facing my LAN.
I am just trying to figure out how to scan all traffic that traverses the firewall and how to provide a secondary public internet access selectively.
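One way to build the selective second link described in this thread, as an added example (not configuration from the original poster, from the other participants, or from Cisco): policy-based routing on the 6500 steers only the named users' Internet-bound traffic to the ASA, which NATs it out the second link and enforces the allow-list; everything else, including those users' traffic to corporate ranges, follows the default route to the MPLS. All interface names, VLAN numbers and addresses are assumptions (10.1.10.0/24 user LAN, 10.1.254.0/24 transit segment shared by the 6500, the ASA inside interface and the MPLS CE router, and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges for the ISP side and the allowed sites). The ASA NAT lines assume the pre-8.3 `nat`/`global` syntax that a 5510 would typically have been running in 2010.

```cisco
! ===== 6500 (IOS) =====
! Assumed: Vlan10 = user LAN 10.1.10.0/24, Vlan254 = transit 10.1.254.0/24
! 6500 SVI 10.1.254.1, ASA inside 10.1.254.2, MPLS CE router 10.1.254.254
! Default route: everything goes to the MPLS (corporate and proxied Internet)
ip route 0.0.0.0 0.0.0.0 10.1.254.254

! Hosts permitted to use the second (public) link. Corporate/RFC1918
! destinations are denied first, so those packets fall through to the
! default route and never get policy-routed.
ip access-list extended PBR-PUBLIC-USERS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 10.1.10.25 any
 permit ip host 10.1.10.26 any

! Matched traffic is handed to the ASA inside interface instead of the CE
route-map PBR-PUBLIC permit 10
 match ip address PBR-PUBLIC-USERS
 set ip next-hop 10.1.254.2

interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map PBR-PUBLIC

! ===== ASA 5510 (pre-8.3 syntax) =====
! Assumed: inside 10.1.254.2/24 on the transit segment, outside toward the
! second ISP on 203.0.113.0/24 with the ISP gateway at 203.0.113.1
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.254.2 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Return path for the user LAN goes back through the 6500, not the CE
route inside 10.1.10.0 255.255.255.0 10.1.254.1

! Strict list: only the named users, only to the allowed sites, only web;
! everything else is denied and logged
object-group network PUBLIC-INET-USERS
 network-object host 10.1.10.25
 network-object host 10.1.10.26
object-group network ALLOWED-SITES
 network-object 198.51.100.0 255.255.255.0
access-list INSIDE-IN extended permit tcp object-group PUBLIC-INET-USERS object-group ALLOWED-SITES eq 80
access-list INSIDE-IN extended permit tcp object-group PUBLIC-INET-USERS object-group ALLOWED-SITES eq 443
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! PAT the permitted hosts behind the outside address
nat (inside) 1 10.1.10.0 255.255.255.0
global (outside) 1 interface
```

To confirm the split is working, `show route-map PBR-PUBLIC` on the 6500 reports how many packets were policy-routed, and `show access-list INSIDE-IN` on the ASA shows per-line hit counts, including denies from hosts or destinations outside the lists. One caveat follows from the design itself: only traffic the route-map matches ever traverses the ASA, so traffic taking the default route to the MPLS CE is not inspected by this firewall, and the MPLS-side visibility remains whatever NetFlow on the CE provides.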