07-25-2014 02:30 PM - edited 03-04-2019 11:26 PM
Good Evening,
I have been struggling with this configuration for two weeks, and would appreciate any help!
Hardware:
3750 Core Switch (with 12 fiber ports) (172.16.8.1 255.255.248.0) GW = ASA
ASA 5510 (172.16.6.52 255.255.248.0) int (212.11.173.108 255.255.255.248) ext
Smoothwall UTM (172.16.8.51) GW = core switch
8 vlans (ethernet)
1 vlan wireless
problem:
I would like to route all HTTP and HTTPS traffic entering the core switch to the proxy using PBR.
Because the proxy is not physically connected to a port on the core switch (no ethernet ports), it would use source-based (all VLANs etc.).
Traffic that has passed the proxy (logged and filtered) is then passed back to the core.
The core then needs to route traffic (from the proxy) to the ASA.
Why am I struggling??
Should I use WCCP from the core to the proxy instead??
Currently the proxy is working if I specify it in the browser - but it works without the proxy as well, because the core is defaulting it to the ASA.
07-26-2014 04:36 AM
Hello.
In your topology it's not clear how your Smoothwall does transparent proxying (does it support a transparent proxy on a single interface?).
If a single interface for the Smoothwall is fine, I would suggest moving all your security devices into a dedicated subnet. In this case you will be able to apply PBR to all client L3 interfaces, keeping the security subnet untouched.
PS: don't use deny statements in PBR ACLs on switches; this might impact performance.
07-28-2014 01:40 PM
You don't need PBR or anything. Just block outgoing HTTP and HTTPS on ASA except from the proxy IP. Clients will need proxy address specified in the browser.
We might as well work out a complicated logical topology for a transparent proxy, but why? (-:
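A configuration sketch putting the two suggestions together, added here as an example (not from any poster): the proxy moved to a dedicated security subnet, PBR with permit-only ACLs applied on the client SVIs, and the ASA ACL that only lets the proxy open HTTP/HTTPS outbound. All addresses, VLAN numbers and ACL names are assumed; the thread only gives the proxy as 172.16.8.51 inside the existing /21.

```cisco
! --- 3750 core: policy-route client web traffic to the proxy ---
! Assumed addressing (not from the thread): security subnet 10.1.9.0/24
! with the proxy at 10.1.9.51; client VLANs 10 and 20.
! PBR on the 3750 needs the routing SDM template (reload required):
!   sdm prefer routing
ip routing
!
! Permit entries only, no deny ACEs (see the first reply). Anything not
! matched is routed normally, i.e. follows the default route to the ASA.
! Caveat: this also sends HTTP/HTTPS to *internal* servers via the proxy.
ip access-list extended WEB-TO-PROXY
 permit tcp any any eq www
 permit tcp any any eq 443
!
route-map WEB-PROXY permit 10
 match ip address WEB-TO-PROXY
 set ip next-hop 10.1.9.51
!
! Apply only on client SVIs. The security-subnet SVI carries no policy,
! so traffic coming back from the proxy takes the default route to the
! ASA instead of being sent to the proxy again.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map WEB-PROXY
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip policy route-map WEB-PROXY
!
interface Vlan9
 description security subnet (proxy, ASA inside)
 ip address 10.1.9.1 255.255.255.0
!
! --- ASA 5510: the alternative from the last reply ---
! Only the proxy may open HTTP/HTTPS outbound; a client that bypasses
! the proxy is dropped. Also a useful backstop if PBR is ever misapplied.
access-list INSIDE_IN extended permit tcp host 10.1.9.51 any eq www
access-list INSIDE_IN extended permit tcp host 10.1.9.51 any eq https
access-list INSIDE_IN extended deny tcp any any eq www
access-list INSIDE_IN extended deny tcp any any eq https
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

The PBR half only works if the Smoothwall accepts and forwards traffic it did not originate on its single interface (the question raised in the first reply); verify with `show route-map WEB-PROXY` on the core, which counts policy-matched packets.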