[c-nsp] asa, internal web filter

Dan Letkeman danletkeman at gmail.com
Thu Dec 12 23:05:47 EST 2013


Hello,

We currently have our gateway / web filter routing set up in this manner:

lan --- 2921 --- asa(firewall) --- internet
          |
           ------ web filter

So the traffic destined to the internet that is not supposed to be filtered
goes right through the router to the asa.  The traffic that is destined to
be filtered gets policy routed to the web filter which then gets routed
back to the 2921 and out to the asa.  This is a bad design, I will admit
that.



What I want to do is this:

lan - 2921 --- asa(firewall) --- internet
          |                    |
          --- web filter ---

With this change the traffic will not have to go back to the router and
then back out to the asa.  This will cut the traffic going through the
router in half, which will result in lower cpu usage.



My question about changing this is as follows.

The asa has a route to the lan networks that are getting filtered.  Let's
say they are 172.16.0.0/16.  There is an eigrp relationship between the
router and asa.

If I use a route-map to policy route certain networks to the web filter
connected in the new way, will the return traffic go back through the web
filter or will it go back directly to the router?  I don't have a spare ASA
to test this with.

One other thing to note is the web filter is a proxy so the http and https
traffic changes the source ip after it's passed through.  The rest of the
traffic is untouched.

Thanks,

Dan.
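As an added illustration (not part of Dan's post and not a Cisco configuration), the following Python model walks a few flows through the proposed topology: the 2921 policy-routes the filtered LAN to the web filter, the filter rewrites the source of http/https as a proxy and leaves everything else untouched, and the ASA forwards replies by longest-prefix match on the destination address only. All addresses (172.16.0.0/16 from the post; 192.168.0.0/16 as an unfiltered LAN, 10.0.0.0/24 as the shared transit segment, 203.0.113.7 as an internet host) are constructed for the example. The ASA's own stateful inspection and NAT are left out, since they do not change the routing decision being asked about.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addressing (assumption for illustration; only 172.16.0.0/16 is from the post).
FILTERED_LAN = ipaddress.ip_network("172.16.0.0/16")     # policy-routed through the web filter
UNFILTERED_LAN = ipaddress.ip_network("192.168.0.0/16")  # goes straight to the asa
TRANSIT = ipaddress.ip_network("10.0.0.0/24")            # segment shared by 2921, filter and asa
ROUTER_IP = "10.0.0.1"   # 2921
FILTER_IP = "10.0.0.2"   # web filter / proxy, now directly connected to the asa
ASA_IP = "10.0.0.254"

# ASA routing table: LAN prefixes learned via EIGRP from the 2921, plus connected and default.
ASA_ROUTES = {
    FILTERED_LAN: ROUTER_IP,
    UNFILTERED_LAN: ROUTER_IP,
    TRANSIT: "connected",
    ipaddress.ip_network("0.0.0.0/0"): "internet",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def router_next_hop(pkt: Packet) -> str:
    """2921: a route-map matching the filtered LAN sets next-hop to the web filter;
    everything else follows the default route to the asa."""
    if ipaddress.ip_address(pkt.src) in FILTERED_LAN:
        return FILTER_IP
    return ASA_IP


def web_filter(pkt: Packet) -> Packet:
    """Proxy behaviour described in the post: http/https leave with the filter's
    own source address; all other traffic is forwarded untouched."""
    if pkt.dport in (80, 443):
        return replace(pkt, src=FILTER_IP)
    return pkt


def asa_next_hop(dst: str) -> str:
    """Longest-prefix match; the asa routes replies on the destination address alone."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in ASA_ROUTES if addr in net), key=lambda net: net.prefixlen)
    hop = ASA_ROUTES[best]
    return dst if hop == "connected" else hop


def trace(pkt: Packet):
    """Return (forward_path, return_path, symmetric) for one flow."""
    forward = ["lan", "2921"]
    if router_next_hop(pkt) == FILTER_IP:
        forward.append("webfilter")
        pkt = web_filter(pkt)
    forward += ["asa", "internet"]

    # The internet host replies to whatever source address it saw.
    hop = asa_next_hop(pkt.src)
    if hop == FILTER_IP:
        # Reply is addressed to the proxy, which maps it back to the client
        # and sends it toward the lan via the 2921.
        back = ["internet", "asa", "webfilter", "2921", "lan"]
    elif hop == ROUTER_IP:
        # Reply is addressed to the client itself; the asa's EIGRP route points
        # at the 2921, so the web filter is skipped on the way back.
        back = ["internet", "asa", "2921", "lan"]
    else:
        back = ["internet", "asa", hop]
    return forward, back, forward == back[::-1]


if __name__ == "__main__":
    for flow in (Packet("172.16.5.10", "203.0.113.7", 443),   # proxied http/https
                 Packet("172.16.5.10", "203.0.113.7", 53),    # filtered LAN, non-proxied
                 Packet("192.168.1.20", "203.0.113.7", 80)):  # unfiltered LAN
        fwd, back, sym = trace(flow)
        print(f"{flow.src}:{flow.dport} -> " + " > ".join(fwd))
        print("  reply -> " + " > ".join(back) + ("  (symmetric)" if sym else "  (ASYMMETRIC)"))
```

The model separates the two cases the post raises: flows whose source the proxy rewrites return through the proxy because the reply is addressed to it, while flows the filter forwards with the client's original source return by the ASA's EIGRP route to the 2921, so the filter sees only one direction of those flows. Running `trace` over the address ranges actually in use is a cheap way to list which policy-routed traffic will be asymmetric before the cabling change is made.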

