[c-nsp] Forwarding http traffic to web filtering service

Aman Chugh aman.chugh at gmail.com
Wed Jun 20 12:59:09 EDT 2007


Just wanted to jump in after reading the thread. I had integrated my Cisco
IOS firewall router using a URL filter with Websense. I would like to know
if I can integrate a web proxy on the Internet with my Cisco IOS firewall, and
which web proxies on the Internet provide this service.  Would web browsing
become slow if we are in India and the web proxy is located in the US?

Thanks
Aman


On 6/20/07, Brian <bms314 at gmail.com> wrote:
>
> Thanks for all the replies.  I will try to enable WCCP on our ASA later
> today.  Does anyone have a working config for this in production?
>
> On 6/20/07, Bill Nash <billn at billn.net> wrote:
> >
> >
> > If your device doesn't support WCCP, you can emulate this with a NAT
> > directive in your ASA. I don't know the specific syntax offhand (I've no
> > PIX's in my network), but the iptables equivalent is:
> > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.100.1:3128
> >
> > I don't think your route-map option will work, incidentally, unless you're
> > changing the next-hop to the inside interface of a NAT layer that
> > implements what I describe above.
> >
> > - billn
> >
> > On Wed, 20 Jun 2007, Adrian Chadd wrote:
> >
> > > On Wed, Jun 20, 2007, Brian wrote:
> > > > We're trying to forward all http traffic to a web filtering service on the
> > > > Internet.  They require the http traffic forwarded to a name and then
> > > > forwarded to port 3128.  I was thinking of creating a route-map and setting
> > > > the next-hop to be the IP address.  How can I also forward this traffic to a
> > > > specific port from my router (or my ASA) so it acts somewhat like a proxy?
> > > > Also, is there a way to point to the name rather than an IP address?
> > >
> > > Look at WCCPv2 support. Almost all cisco routers these days support it
> > > in some form or other. (My 827 here at home, for example, doesn't. :)
> > > I believe later ASA (7.x?) supports WCCPv2.
> > >
> > > Many web proxies have WCCP/WCCPv2 support. I can help you with Squid, if
> > > that's what it is on port 3128, or you can talk to your vendor.
> > >
> > > With WCCPv2, the proxy actually asks the router (nicely!) to join the
> > > service group; so you don't have to hard-code in an IP in the router
> > > (unless you specifically lock it down with an ACL) and you can use
> > > MD5 passwords to further limit joining the service group. You can
> > > (assuming the proxy software supports it) run >1 proxy talking to >1
> > > router. This gives you failover and load balancing/distribution.
> > > (Which is what I guess you want to point it at a name for rather
> > > than an IP address.)
> > >
> > > All in all, it's a much better alternative to route-map next-hop
> > > forwarding. Although there's apparently a method to do a conditional
> > > next-hop depending on a rtr object (ICMP ping, for example) but the
> > > one setup I wanted to use it for (on the 3560 switch) turned out to
> > > be documented, but then documented as a documentation mistake and
> > > not implemented.
> > >
> > >
> > >
> > > Adrian
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
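The WCCPv2 lockdown Adrian describes above (restricting which hosts may join the service group with an ACL, and authenticating the group with the MD5 password), as an added Cisco IOS configuration example that is not from any post in this thread. The addresses, interface names, ACL names and the password are placeholders for a hypothetical topology: clients on FastEthernet0/0, the Squid proxy on its own segment behind FastEthernet0/1, and the upstream link on FastEthernet0/2.

```cisco
! Added example, not from the thread. Hypothetical topology:
!   FastEthernet0/0  10.0.0.1/24   client LAN
!   FastEthernet0/1  10.0.1.1/24   proxy segment (Squid at 10.0.1.10, listening on 3128)
!   FastEthernet0/2                upstream / Internet
!
ip wccp version 2
!
! group-list: only the proxy host may register in the web-cache service group.
! Without this, any host on the segment could join the group and receive redirected traffic.
access-list 10 permit host 10.0.1.10
!
! redirect-list: only client HTTP from the LAN is redirected; everything else
! follows normal routing (the ACL has the usual implicit deny at the end).
ip access-list extended WCCP-REDIRECT
 permit tcp 10.0.0.0 0.0.0.255 any eq www
!
! password: the WCCPv2 MD5 shared secret; the proxy must be configured with the same value.
ip wccp web-cache redirect-list WCCP-REDIRECT group-list 10 password WCCP-SECRET-PLACEHOLDER
!
interface FastEthernet0/0
 description client LAN
 ip address 10.0.0.1 255.255.255.0
 ip wccp web-cache redirect in
!
interface FastEthernet0/1
 description proxy segment
 ip address 10.0.1.1 255.255.255.0
 ! Never re-redirect the proxy's own outbound fetches, or port-80 traffic loops back to the proxy.
 ip wccp redirect exclude in
```

On the Squid side the matching pieces are the `wccp2_router` directive pointing at 10.0.1.1 and `wccp2_service standard 0 password=...` carrying the same secret. `show ip wccp` and `show ip wccp web-cache detail` on the router show whether the proxy has registered and how many packets are being redirected. Two caveats worth keeping in mind: the password authenticates service-group membership messages, not the redirected traffic itself, which still reaches the proxy unencrypted over GRE or L2; and the proxy must be reachable from the router by that GRE or L2 path, which is why this design fits an on-premises proxy rather than a filtering service on the far side of the Internet.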

