Newbie Needs Help Routing Problem Continued...

joseph
Level 1

First I would like to thank everyone who helped me move along to this point.  Rather than continue with my confusing original discussion I decided it would be much cleaner to start a new one since the problem has changed considerably.

The Goal:

That any wireless node on the 10.1.0.0 network browses through the 159.xxx.xxx.20 server transparently, without the need to set the browser's connection properties to use a proxy server.

The situation:

Wireless Linksys WAP54GP connected to a Cisco ASA 5510, VLAN 102 (name: wireless), using private IP network 10.1.0.0.

I need all traffic from the 10.1.0.0 network sent to IP 159.xxx.xxx.20.  The 159.xxx.xxx.0 network is also connected to the Cisco 5510 ASA.

It works... sort of:

If I bring up a browser on a wireless node (e.g. 10.1.0.21) and change the browser's connection settings to use a proxy server (e.g. 159.xxx.xxx.20) with no port, I get the desired results.

Thanks for reviewing my post.

--Joe


6 Replies

Jon Marshall
Hall of Fame


Joe

Apologies for not getting back to you on this sooner.

This would be easy if it was a router rather than an ASA device. On a router to send all traffic from X to destination Y you would use PBR (Policy Based Routing). Unfortunately, this is not supported on the ASA.

The other option would be to look at WCCP (Web Cache Communication Protocol), but as far as I know the clients and the cache engine must be on the same subnet with the ASA.

In short, sorry to be the bearer of bad news, but you can't do this with an ASA. I'm afraid you are going to have to set up the clients' browser settings.

Jon

Jon,

I am a bit confused with this. What is the browser doing when I set "Use a Proxy Server" that the ASA cannot do? So there is no way to tell the ASA that when it sees a TCP packet from the 10.1.0.0 network to send the packet to 159.xxx.xxx.20?

I cannot set up the browsers to use the Proxy because the wireless users will be public folks that use our wireless connection.

Additional comments are welcome.

Joe Leclair


Joe

If you configure the browser to use 159.x.x.20 then the client simply needs to send a packet to 159.x.x.20. The ASA in this instance simply forwards the packet on to the proxy server, it doesn't need to do anything else.

If however you configure the client not to use this address then the client tries to go direct to the internet address, which could be any public IP address. Now the ASA cannot simply forward the packet on because you don't want that. You want the ASA to look at the source and destination IP addresses and recognize that it needs to be sent to 159.x.x.20 instead of going direct to the internet. The ASA does not have the code to do this. As I said previously, what is needed is PBR, but the ASA doesn't support this.

It may seem like a simple thing to want to do and with a router it really is but Cisco firewalls don't have that feature.

Jon
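The router-side policy-based routing that Jon describes, written out as an added example. This is not configuration from the thread, from Cisco, or from any poster; it is IOS route-map syntax for a router, not for the ASA 5510. It assumes /24 masks for both the wireless and the server network (the thread gives no masks), keeps the thread's 159.xxx.xxx placeholders rather than filling them in, and assumes the router carries the wireless VLAN on a dot1Q subinterface with the address 10.1.0.1.

```cisco
! Added example (not from the thread): IOS policy-based routing that
! steers web traffic from the wireless VLAN to the proxy at 159.xxx.xxx.20.
! Assumptions: 10.1.0.0/24 and 159.xxx.xxx.0/24 (masks are guesses),
! 159.xxx.xxx.* are the thread's placeholders, and the wireless VLAN is
! subinterface Gi0/0.102 on an IOS router. This does not apply to an ASA 5510.
!
! 1. Classify. Deny lines come first so traffic to the server network is
!    routed normally (add one deny per other internal subnet in the same
!    way); only TCP/80 and TCP/443 to anything else is matched. Packets
!    that match no permit line fall through to the normal routing table.
ip access-list extended WIRELESS-TO-PROXY
 deny   ip  10.1.0.0 0.0.0.255 159.xxx.xxx.0 0.0.0.255
 permit tcp 10.1.0.0 0.0.0.255 any eq www
 permit tcp 10.1.0.0 0.0.0.255 any eq 443
!
! 2. Action. For matched packets only the next hop changes; the packet's
!    destination IP (the public web server) is left exactly as the client
!    sent it.
route-map WIRELESS-PROXY permit 10
 match ip address WIRELESS-TO-PROXY
 set ip next-hop 159.xxx.xxx.20
!
! 3. Apply. PBR is evaluated on the interface the packets ENTER, so the
!    policy goes on the wireless VLAN interface, not on the server side.
interface GigabitEthernet0/0.102
 description wireless
 encapsulation dot1Q 102
 ip address 10.1.0.1 255.255.255.0
 ip policy route-map WIRELESS-PROXY
!
! Check: "show route-map WIRELESS-PROXY" shows the policy-routing match
! counter climbing while a wireless client browses; "debug ip policy"
! logs each policy-routed packet (noisy, use briefly).
```

Two things a practitioner would check before relying on this. First, because `set ip next-hop` leaves the destination IP untouched, the packets arrive at 159.xxx.xxx.20 addressed to the origin web server; the proxy host must be set up to accept intercepted connections (Squid calls this `intercept` mode, and the host needs a local redirect of ports 80/443 into the proxy), since a forward proxy that only expects browser-style proxy requests will drop or route onward traffic that is not addressed to it. Second, PBR only steers what the ACL matches: anything on other ports, and anything a deny line excludes, goes straight out the normal route. If the intent for public guests is "Internet only through the proxy", pair the route-map with an inbound ACL on the same interface that permits 10.1.0.0/24 to the proxy (plus DNS, if the guests need it) and denies the rest; PBR alone is a steering mechanism, not a control. For completeness, later ASA software (9.4(1) and after) added PBR with the same route-map syntax, applied per interface with `policy-route route-map`, but that code was never released for the 5510, so Jon's answer holds for the hardware in this thread.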

Jon,

Is there a way to tell the ASA that for 10.1.0.0 and only that network the Internet is 159.xxx.xxx.20?

Joe Leclair

IT Team

Vermont Secretary of State

(802)828-2491


Joe

No, because fundamentally you are asking the same question.

You could do policy NAT for the 10.1.0.0 network, but this would mean setting up a NAT statement for every internet public address, which is completely unrealistic.

I'm sorry, but there is no way to do this, or at least a way that I know of. You may want to cross-post this onto the firewalling forums; I promise I won't get involved with the thread on that forum.

Jon

Are you able to create some kind of site-to-site VPN tunnel from the ASA towards the gateway that you want the wireless users to use? If you can, then you might be able to use an ACL to classify the traffic and send it through the tunnel towards the gateway. Kind of a funny workaround when you could get a cheap router, do policy-based routing, and let your router handle the traffic.
