I have a question regarding interface configuration and the routing table for the Web Security Appliance.
1st question:
Can I use only P1 and P2 for management, inbound and outbound traffic? For example, use P1 to connect to the internal network, where users use it as the proxy and the administrator also uses P1 for management?
P2 is used in the external network in the DMZ and is responsible for outbound traffic and service updates?
If yes, how can I do this? I tried to configure these two interfaces and could not open the management URL from P1.
My task is to configure the appliance with only two interfaces, putting one interface in the DMZ and the second in the internal network.
Dear Vance Kwan,
I understand now that the M1 interface is mandatory for management and cannot be delegated to P1 and P2.
If I need to configure the appliance in a DMZ environment, can I use M1 for management and data in the internal (inbound) network
and use P1 in the external (outbound) network?
My aim is to use only two interfaces, so that I can configure one interface in the internal network for data and management and the second interface in the external network for outbound traffic.
I will not use WCCP; I will deploy it in explicit forward mode.
I tried to use M1, P1 and P2:
M1 is configured as restricted to management services only and has IP 192.168.60.72/24.
P1 is configured in the internal network and has IP 192.168.0.72/24.
P2 is in the external network (DMZ) and has IP 192.168.200.6/24.
All the interfaces are connected to the core switch, and I am sure that the configuration in the DMZ, router and ASA is correct because I am using this IP on another web proxy server in the production network and it is working normally.
I can reach the management interface without any problem,
and I can ping P1.
The problem I face now is that I cannot reach P2 or ping the gateway of P2 from this interface using SSH.
Another note: I tried to connect my laptop back to back with the appliance on interface P2 and configured my laptop in the same subnet, but I could not reach the P2 interface with ping.
Each interface can be used to accept requests from clients from different security zones.
However, just remember that once the WSA receives this request, it will use the default route to fetch the content from the internet.
- You may use M1 to accept requests from INSIDE clients, and P1 to accept requests from DMZ clients.
- Once the WSA receives the request, it will fetch the content using 1 interface regardless of which interface it received the request on.
The static routes can only be defined using destination IP address/range.
So a realistic setup can be the following:
- M1 sits in the INSIDE, and a static route can be defined for the IP ranges for the INSIDE clients to use the Default Gateway of the M1.
- P1 can sit in the DMZ, and has the IP ranges for the DMZ clients to use the Default Gateway of the P1.
- P2 can be used for everything else (to fetch the internet content).
Note that the use of P2 is not required either. You can have the P1 sit in the DMZ, and have the M1 service INSIDE clients and also be the interface to fetch content from the internet.
I hope this helps.
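Added example, not part of the original thread and not Cisco code: a simplified Python model of the destination-only route selection described in the answer above, using the three-interface layout (M1 for INSIDE clients, P1 for DMZ clients, P2 as default). The gateway addresses, client ranges and origin server address are constructed for illustration, and the model assumes a single routing table with longest-prefix matching.

```python
import ipaddress

# Constructed routing table: (destination prefix, gateway, egress interface).
# Gateways and client ranges are assumptions, not values from the thread.
ROUTES = [
    ("10.10.0.0/16", "192.168.60.1", "M1"),   # static route: INSIDE client ranges
    ("172.16.5.0/24", "192.168.0.1", "P1"),   # static route: DMZ client ranges
    ("0.0.0.0/0", "192.168.200.1", "P2"),     # default route: everything else
]

def select_route(dst, routes=ROUTES):
    """Pick (interface, gateway) by longest-prefix match on the destination only."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]

def proxy_transaction(client_ip, ingress_iface, origin_ip, routes=ROUTES):
    """Show which interface carries the upstream fetch and the reply to the client.

    ingress_iface is recorded but never consulted: route selection depends
    only on the destination address of each outgoing packet.
    """
    fetch_iface, _ = select_route(origin_ip, routes)
    reply_iface, _ = select_route(client_ip, routes)
    return {"ingress": ingress_iface, "fetch_via": fetch_iface, "reply_via": reply_iface}

if __name__ == "__main__":
    origin = "203.0.113.10"  # constructed origin server (documentation range)
    print(proxy_transaction("10.10.4.20", "M1", origin))
    print(proxy_transaction("172.16.5.9", "P1", origin))
    # Failure mode: with the INSIDE static route missing, the reply to an
    # INSIDE client follows the default route out of P2 instead of M1.
    print(proxy_transaction("10.10.4.20", "M1", origin, routes=ROUTES[1:]))
```

The last call shows the misconfiguration to check for first when clients on a routed internal range cannot use the proxy: the request arrives on one interface but the reply leaves on another.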
Dear Vance Kwan,
Regarding the realistic setup, you prefer to use two interfaces, M1 and P1,
then configure M1 to listen for client requests and to be management service only by unselecting "restrict M1 for management services only", and put this interface in the internal network as inbound traffic,
and configure P1 in the DMZ to fetch the internet content... So the client requests will go to the M1 IP and the outbound traffic to the internet will go through P1.
In the routing table I will find one table for the management and data interfaces (M1 and P1).
My question now: do I need any additional routing from M1 to P1 in the WSA appliance, or do I just use the default route and edit the default route gateway to add the gateway of the P1 interface that is located in the DMZ?