can pix 501 send traffic out the vpn to a proxy server??

nri-it
Level 1

Hi All,

I am not sure if this has been asked and answered here before; if it has, sorry. This is my first post here. Please be nice to the newbie.

I currently have 90 remote locations that have PIX 501s. They are all running 6.3. All of these locations are creating an IPsec VPN to my ASA 5520 (8.4) at the data center. Web access at the remote locations is currently being handled with ACLs through split tunnels. This is getting increasingly not fun, as I have to reach out and touch them one at a time whenever I have to allow more access to the net.

A little simplified setup data (the X changes per location):

Remote site
Remote PIX 501: 10.9.X.1
Remote PC: 10.9.X.26
Gateway is the PIX
DNS is in the data center

Data Center
ASA 5520: 10.9.1.X
Cisco Router: 10.9.1.X, default gateway for the data center and corp office
McAfee Web Gateway: 10.9.1.X, proxy and web filter
DNS servers (2): 10.9.1.X

I would like to keep my split tunnel (if possible) for ports 443 and 21.  I allow access to "any" on those ports and have no plans to change it.

Can I send port 80 down the VPN tunnel to the proxy/web filter and then return the results to the remote client?

I am by no means a Cisco Guru but after 20 years of IT, I have managed to learn a few things.  Like asking when you don't know....

Any help on this is greatly appreciated,

Brian

4 Replies

Brian,

If you manually set the IP of the proxy server in the client PC's browser to use the web filter on the central site, it should work, assuming the split-tunneling ACL allows communication to the proxy server via the tunnel. What happens is the client PC asks the proxy server and, based on the response, either allows or disallows local internet access. The problem, obviously, is having to manually set the proxy IP on each client's PC.

Another alternative is, if using a Websense or SmartFilter server, the ASA/PIX can be configured to redirect HTTP traffic to it. Again, if the IP is included in split-tunneling, the ASA/PIX can be configured to redirect this traffic and you don't need to manually configure the browser on the clients' PCs.

Hope it helps.

Federico.

Thank you for the response.

It seems that McAfee and Cisco aren't playing nice any more. I have heard that McAfee is no longer supporting Websense from Cisco hardware.

Let me ask another question:

Can I do a port forward from the PIX to the proxy, port 80 to port 9090 on the proxy?

Can I simply write a new ACL for port 80 to the IP of the proxy?

Thanks again

Brian

Brian,

I guess you can create a port forwarding rule to tell the PIX to redirect HTTP traffic to the proxy server.

Do you have this scenario set so that you can test with a client?

Federico.

Federico,

Thank you again for your response.

Yes, I do have a few spare 501s. I can configure one without the split tunnel for port 80 and add the port forward rule to my proxy/web filter for port 80.

So my new rules could look like this:

access-list inside_access_in remark Allow access to POS Support and CC Auths/Settlements
access-list inside_access_in permit tcp host StoreNamePCI any eq https
access-list inside_access_in remark Allow StoreNamePCI to FTP for price list and menu updates
access-list inside_access_in permit tcp host StoreNamePCI any eq ftp

<<>>

Can I do this instead, and will it work:

name 10.9.##.26 StoreNamePCI
name 10.9.1.X Proxy
access-list inside_access_in remark Match on destination port only; client source ports are ephemeral
access-list inside_access_in remark Allow access to POS Support and CC Auths/Settlements
access-list inside_access_in permit tcp host StoreNamePCI any eq https
access-list inside_access_in remark Allow StoreNamePCI to FTP for price list and menu updates
access-list inside_access_in permit tcp host StoreNamePCI any eq ftp
access-list inside_access_in remark Allow access to Internet thru Proxy
access-list inside_access_in permit tcp host StoreNamePCI host Proxy eq 9090 log
access-group inside_access_in in interface inside

Thoughts, comments, advice are much appreciated,

Brian
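The script below is an added example, not part of the thread and not Cisco's or McAfee's code. It models the two checks the design in this thread hinges on: Federico's caveat that the proxy must be covered by the split-tunnel (crypto) ACL, and Brian's proposed inside ACL. Given a store PC's flow, it reports whether the PIX would deny it, send it down the IPsec tunnel, or split it out locally. All concrete values are assumptions: store subnet 10.9.12.0/24, proxy 10.9.1.50 listening on 9090, a crypto ACL named vpn_traffic, and 203.0.113.5 as a stand-in Internet host. It also keeps the thread's original line with "eq https" on the source side, to show that a browser's ephemeral source port never matches it. Clients are assumed to be pointed at Proxy:9090 by a PAC file or GPO (not shown); the PIX itself does not redirect them in this model, and the real box additionally needs the crypto map and nat 0 exemption that this ACL-only model leaves out.

```python
"""Classify a store PC's flows against a PIX-style inside ACL and crypto (interesting-traffic) ACL.

Constructed example; not Cisco's or McAfee's code and not part of the thread. Assumed values:
store subnet 10.9.12.0/24, proxy 10.9.1.50 on port 9090, crypto ACL vpn_traffic, Internet host 203.0.113.5.
"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "domain": 53}

# Constructed config, modelled on the thread's proposed rules plus an assumed crypto ACL.
# The elided part of the live config (the "<<>>" in the thread) is not modelled.
CONFIG = """
name 10.9.12.26 StoreNamePCI
name 10.9.1.50 Proxy
access-list inside_access_in remark Allow access to POS Support and CC Auths/Settlements
access-list inside_access_in permit tcp host StoreNamePCI any eq https
access-list inside_access_in remark Allow StoreNamePCI to FTP for price list and menu updates
access-list inside_access_in permit tcp host StoreNamePCI any eq ftp
access-list inside_access_in remark Allow access to Internet thru Proxy
access-list inside_access_in permit tcp host StoreNamePCI host Proxy eq 9090 log
access-list vpn_traffic permit ip 10.9.12.0 255.255.255.0 10.9.1.0 255.255.255.0
"""

# The thread's original line, which also puts "eq https" on the SOURCE side (assumed name mapping).
PROPOSED = """
name 10.9.12.26 StoreNamePCI
access-list test permit tcp host StoreNamePCI eq https any eq https
"""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i, names):
    """Parse one PIX address spec (any | host X | NET MASK) at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    net = names.get(tok, tok)
    return ipaddress.ip_network(f"{net}/{tokens[i + 1]}", strict=False), i + 2


def _opt_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_config(text):
    """Return ({name: ip}, {acl: [(action, proto, src, sport, dst, dport), ...]}) in config order."""
    names, acls = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, i = _addr(tok, 4, names)
            sport, i = _opt_port(tok, i)
            dst, i = _addr(tok, i, names)
            dport, i = _opt_port(tok, i)
            acls.setdefault(tok[1], []).append((tok[2], tok[3], src, sport, dst, dport))
        # 'remark' lines carry no match criteria and are skipped, as are trailing keywords like 'log'
    return names, acls


def first_match(entries, proto, src_ip, sport, dst_ip, dport):
    """First-match ACL evaluation with the implicit deny every PIX ACL ends with."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, src, asport, dst, adport in entries:
        if aproto not in ("ip", proto) or s not in src or d not in dst:
            continue
        if asport is not None and asport != sport:
            continue  # an explicit source port only matches that exact port
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"


def classify(config, src_ip, sport, dst_ip, dport, proto="tcp"):
    """'denied' by the inside ACL, 'tunnel' if the crypto ACL also matches, else 'split' (sent out locally)."""
    _, acls = parse_config(config)
    if first_match(acls["inside_access_in"], proto, src_ip, sport, dst_ip, dport) != "permit":
        return "denied"
    if first_match(acls["vpn_traffic"], proto, src_ip, sport, dst_ip, dport) == "permit":
        return "tunnel"
    return "split"


def proposed_line_permits(sport):
    """Does the thread's 'eq https' source-port line permit a client flow from the given source port?"""
    _, acls = parse_config(PROPOSED)
    return first_match(acls["test"], "tcp", "10.9.12.26", sport, "203.0.113.5", 443) == "permit"


if __name__ == "__main__":
    flows = [("10.9.12.26", 51234, "10.9.1.50", 9090),    # browser -> proxy over the tunnel
             ("10.9.12.26", 51235, "203.0.113.5", 443),   # direct HTTPS, split out locally
             ("10.9.12.26", 51236, "203.0.113.5", 80)]    # direct HTTP bypassing the proxy
    for f in flows:
        print(f, "->", classify(CONFIG, *f))
    print("source-port 'eq https' line matches ephemeral port 51234:", proposed_line_permits(51234))
```

Run it as-is to see the three outcomes; swap in a site's real name mappings to check a rule before pushing it to a store. The point of the last line is that "host StoreNamePCI eq https" qualifies the source port, so only a flow sourced from port 443 would match it, which a browser never produces.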