PBR from 3750 core switch to my Smoothwall Proxy

gouwsj001 · ‎07-25-2014

Good Evening,

I have been struggling with this configuration for two weeks, and would appreciate any help!

Hardware:

3750 Core Switch (with 12 fiber ports) (172.16.8.1 255.255.248.0) GW = ASA

ASA 5510 (172.16.6.52 255.255.248.0) int (212.11.173.108 255.255.255.248) ext

Smoothwall UTM (172.16.8.51) GW = core switch

8 vlans (ethernet)

1 vlan wireless

problem:

I would like to route all HTTP and HTTPS traffic entering the core switch to the proxy using PBR

Because the proxy is not physically connected to a port on the core switch (no ethernet ports) in would use source based (all vlans etc)

Traffic that passed the proxy (logged and filtered) is then passed back to the core

The core then needs to route traffic (from proxy) to the ASA

Why am I struggling??

Should I use WCCP from the core to the proxy instead??

Currently the proxy is working if I specify it in the browser - but it works without proxy as well, because the core is defaulting it to ASA

Vasilii Mikhailovskii · ‎07-26-2014

Hello.

In your topology it's not clear how your Smoothwall does transparent proxy (does it support transparent proxy on a single interface)?

If single interface for Smoothwall is fine, I would suggest to move all your security devices into dedicated subnet. In this case you will be able to apply PBR to all client L3 interfaces, keeping security subnet untouched.

PS: don't use deny statements in PBR ACLs on switches, this might impact performance.

Peter Koltl · ‎07-28-2014

You don't need PBR or anything. Just block outgoing HTTP and HTTPS on ASA except from the proxy IP. Clients will need proxy address specified in the browser.

We might as well find out complicated logical topology for transparent proxy but why? (-: