Showing results for 
Search instead for 
Did you mean: 

how configure the web appliance in DMZ environment ?

Ahmed Hassabo


i have a Question regarding to Interface configuration and routing table for Web security applaince 

1 st Question

can i use only P1 and P2 for manmgent .inbound and outbound trafiic as examlpe use P1 to contected to internal network and user used it in proxy and administrator used P1 also in mangement ?

P2 used in external netwrok in DMZ and reponsible for outbound trafic and services update ?

if yes i how can i do this because i try to cofigure this two interface i could not open managemnt url from P1

my task is configure the appliance with only two interface and put one inerface in DMZ and second in internal network ?

7 Replies 7

Vance Kwan
Cisco Employee
Cisco Employee

Management access cannot be delegated to P1 or P2.  The use of the M1 interface is mandatory.  You may however allow the M1 interface to be used for data also.  The option to do so is under Network > Interfaces.  There is an option to restrict M1 for management services only.  Unselect that.

Dear Vance Kwan

i understand now that M1 intefrace in mandatory for mamngment and cannot be delegeted to P1 and P2 .

If i need to configure the appliance in DMZ enviroment can i ues M1 as managment and data in internal(inbound) network

and Use P1 in external (outbound) network ?

My aim is  uses only two interface so i can configure one interface in intenal network for data ana management and second inerface in external network for outboud trafic ?


Before attempting this configuration, how are you going to deploy this?  Will you be using WCCP?


Vance Kwan

i will not use WCCP i will deploy it in explict Forward Mode

I try to USE M1 ;P1 and P2

M1 configured AS  .restrict mangment service only and take IP

P1 Configured in internal netwrok and take IP

P2 in External network(DMZ) and take IP

all the Interface Conected to Core Switch and I am sure that the Configuration in DMZ and Router and ASA Correct becasue i am using this ip in other web-proxy server in production network and working normal

I Reach to Managment Interface without any problem

and i can ping the P1

The problem that i face now that i can not reach the P2 or ping the getway of P2 from this interface using ssh


another notes i try to conect my laptob back to back with applaince in interface P2 and configure my laptob in same subnet i could not reach to P2 interface as ping

Each interface can be used to accept requests from clients from different security zones.

However, just remember that once the WSA receives this request, it will use the default route to fetch the content from the internet.


-You may use M1 to accept requests from INSIDE clients, and P1 to accept requests from DMZ clients.

-Once the WSA receives the request, it will fetch the content using 1 interface regardless of which interface it received the request on.

The static routes can only be defined using destination IP address/range.

So a realistic setup can be the following:

-M1 sits in the INSIDE, and a static route can be defined for the IP ranges for the INSIDE clients to use the Default Gateway of the M1.

-P1 can sit in the DMZ, and has the IP ranges for the DMZ clients to use the Default Gateway of the P1.

-P2 can be used for everything else (to fetch the internet content).

Note that the use of P2 is not required either.  You can have the P1 sit in the DMZ, and have the M1 service INSIDE clients and also be the interface to fetch content from the internet.

I hope this helps.


Dear Vance Kwan
Regrading to realistic setup you prefer to Use two interface M1 and P1

then Configure M1 to listen to client Request and to be mangment Service only by unselct  restrict M1 for management services only.  and Put this Interface in Internal Network "AS inbound Trafiic"

and Configure P1 In DMZ and to Fetach the Internet content ...... So the Request Of client will be in M1  IP and the outbound Trafic to internet will be in P1

in Routing table i will find One table for mangment and data interface(M1 and P1)

My question now does I need any addtional routing from M1 to P1 in WSA appliance Or just using the Default route and edit the Default route Getway and add the Getway OF P1 interface that located in DMZ ?

You will not need any additional routing statements to go from M1 to P1.  The WSA will use its default route for everything else unless you specify otherwise.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers