[c-nsp] asa, internal web filter

Eugeniu Patrascu eugen at imacandi.net
Sat Dec 14 23:25:33 EST 2013 

Hi,

What kind of of a webfilter are you using ? I am asking this because ASA
can interact directly with some commercial products and you can do URL
filtering easily directly on the firewall.

In the schema that you proposed, traffic will return from ASA to the
webfilter machine and then back to the router. This happens beacause the
ASA will see connection as coming from a single IP (the one on the proxy)
and because it's going to be a directly connected one, it will return
traffic correctly. On the webfilter proxy you just need to add some static
routes via the router so that it will know how to handle return traffic
(internet -> webfilter -> router -> users).

Since static routes have a higher priority than those learned through
dynamic routing protocols, you can keep your existing EIGRP setup in place.

Eugeniu



On Fri, Dec 13, 2013 at 6:05 AM, Dan Letkeman <danletkeman at gmail.com> wrote:

> Hello,
>
>
>
> We currently have our gateway / web filter routing setup in this manor:
>
>
>
> lan --- 2921 ---asa(firewall) ---internet
>
>           |
>
>            ------  web filter
>
>
>
> So the traffic destined to the internet that is not supposed to be filtered
> goes right through the router to the asa.  The traffic that is destined to
> be filtered gets policy routed to the web filter which then gets routed
> back to the 2921 and out to the asa.  This is a bad design, I will admit
> that.
>
>
>
> What I want to do is this:
>
>
>
> lan - 2921 --- asa(firewall) --- internet
>
>           |                    |
>
>           --- web filter ---
>
>
>
>
>
> With this change the traffic will not have to go back to the router and
> then back out to the asa.  This will cut the traffic going through the
> router in half, which will result in lower cpu usage.
>
>
>
> My question about changing this is as follows.
>
>
>
> The asa has a route to the lan networks that are getting filtered.  Lets
> say they are 172.16.0.0/16.  There is an eigrp relationship between the
> router and asa.
>
>
> If I use a route-map to policy route certain networks to the web filter
> connected in the new way, will the return traffic go back through the web
> filter or will it go back directly to the router?  I don't have a spare ASA
> to test this with.
>
>
> One other thing to note is the web filter is a proxy so the http and https
> traffic changes the source ip after its passed through.  The rest of the
> traffic is untouched.
>
>
>
>
> Thanks,
>
> Dan.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list