internet access via proxy as well as ASA

dabur10376004 · ‎09-20-2016

Hi,

our one of the location having connectivity at Dubai end as below:

Internet Leased Line 1:1 8 Mbps -------> internet cisco router-->cisco ASA--->cisco L3 Switch----> users

Internet Broad Band shared 1:8 Link 100 Mbps------->internet Broad Band router-->cisco L3 Switch----> Microsoft Proxy Server

we have configured site to site VPN on ASA from this site to HO India Location. Dubai end users are accessing internet through proxy server via another internet broad band link. this internet broad band is in vlan 2 & ASA & all users are vlan 1. presently users are accessing the internet & it is working fine. network diagram is attached.

now recently we have migrate the emails system from in-house to O365 cloud. now I am observing that internet browsing is getting slow as well as emails are getting slow response. we observed that internet broad band link is fully over utilizing. we can not upgrade the bandwidth of broad band link as this is limitation at ISP end.

can we do like this----

1. when user access O365 mail then its traffic will go via proxy ---->ASA ---> via internet link 8 Mbps.

2. when user access internet then its traffic will go via proxy ---->ASA ---> internet broad band router ----> Internet Broad band shared link 100 Mbps.

so that email load will shift on 8 Mbps link & rest of the internet load will go via broad band link as earlier users are accessing.

Is it feasible, if yes, please guide us that how to do it.

Georg Pauwen · ‎09-20-2016

Hello,

you will need to apply policy based routing that matches POP3 and SMTP traffic, which would look like this:

access-list 101 permit tcp any any eq smtp

access-list 101 permit tcp any any eq pop3

Then create a route map:

route-map INTERNET

match ip address 101

set ip next-hop x.x.x.x

where x.x.x.x is the IP address of the interface connecting to your Internet broadband router.

Then apply the policy map to the relevant interface:

interface vlan X

ip policy route-map INTERNET

Unfortunately I cannot open your attachment, if possible, can you convert it to a GIF ?

dabur10376004 · ‎09-26-2016

hi,

on L3 switch there is two vlan,

vlan 1-----10.120.1.0/24

vlan 2--- 192.168.20.0/24

ASA is connected vlan 1, users gateway is L3 switch & default route on L3 switch towards ASA. on ASA site to site vpn is connected. network diagram is attached.

Proxy is in Vlan2 & its gateway is Broadband router.

if users access internet or o365 mail its traffic goes via proxy--> internet broad band---> internet

now I want to do like this.

if user access internet (yahoo, google etc) then its traffic go via internet broad band

if users will access o365 mail , then its traffic will go via L3 switch--> ASA---> internet 8 Mb Link

for achieving this as per my understanding my approach is like this:

1. proxy should be move on vlan 1 & nat on ASA with new public ip address.

2. when user access internet then traffic goes on proxy--> L3 switch--->ASA & on ASA some route map mechanism so that traffic could diverted toward broadband router.

3. when users access o365 mail, then its traffic should go to proxy-->L3 switch--->ASA ----internet. it will work.

we are facing challenges on 2nd points. please help us.

if my approach is wrong then please tell us right way.

Martin Carr · ‎09-27-2016

What you would have to do is specify the IP range of your ESP as the destination in the ACL, rather than the protocols, with https as the protocol, if you just wanted secure web traffic routed via the connection.

I doubt that is the cause of the issue, that's more likely due to the E-mails themselves (especially outgoing if you have DSL), the solution for this has been detailed.

Martin