ASA 5505 Routing and Proxy Help!
wedge1988
Member Posts: 434
Hi, I'm new to the Cisco area, and I'm in need of a little help.
My question is simple: can the ASA 5505 Firewall Edition take internet requests and forward them to different proxy addresses? The reason being that we have 2 proxy servers in front of the ASA 5505 firewall and they both have different addresses.
Surely this is possible? You can't do it with ISA Server 2006 because it only supports proxy redirection to one upstream proxy server, but I need it to direct it to 2!!
Please help!
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
Comments
-
mikearama Member Posts: 749
I don't think so. What you're describing would require a load balancer... something like an ACE module in a big Cat switch... which would allow the use of a single VIP IP, which would then spray the requests across your cluster.
The setup in an ASA requires a route-map (from the CLI) where you set the next-hop, and the next hop only permits one IP address.
i.e.:
route-map proxy-redirect permit 10
 match ip address applicable_ACL
 set ip next-hop 192.168.1.2
You might want to investigate WCCP... I see in my 5540s that it allows the creation of web cache groups, and the groups can maintain multiple IPs. I just don't know if that feature is available in the '05.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
-
wedge1988 Member Posts: 434
Thanks for the reply, mikearama.
I have done a bit of research into this and the 5505 won't support WCCP, but the 5510 does.
I haven't got the ASA firewall yet, so I'll probably have to go for the 5510.
I know pretty much nothing about Cisco hardware, and I'm looking to move forward and start learning about it. But, for the time being, could you please give me a little help with what I would have to do to set this up? I mean command-wise.
We have a Squid proxy server also, by the way, and from reading about the WCCP support, Squid actually has the same sort of abilities. (I can't use Squid; it's not managed by me.)
I also read this:
"The benefit to transparently routing traffic to a Web appliance is that you don't have to make any changes to your Web browsers (and you don't have to configure a proxy server)."
So, I'm assuming that the 5510, using WCCP, will allow me to do what I want.
Thanks for the help so far.
-
mikearama Member Posts: 749
If I read you right, this link should help:
RE: [squid-users] Cisco ASA -> Squid proxy
The commands include:
interface Vlan1
 ip address 10.0.12.1 255.255.255.128
 ip policy route-map proxy-redirect
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop 10.0.12.2
! IP 10.0.12.2 is the IP of the Squid box with a single NIC
access-list 111 deny tcp any any neq www
access-list 111 deny tcp host 10.0.12.2 any
access-list 111 permit tcp any any
So while the link refers to a Squid proxy, any proxy will work with the same setup.
And while you shouldn't ever have to modify browser settings, I don't know how your quote is correct... that you don't have to set up a proxy server. The web appliance is a proxy server. Anyway...
As for WCCP, I'm afraid I can only tell you what I've read. I haven't contracted at any biz that actually uses the function. And, there are differences between a proxy and a cache engine... be clear on what you need.
A good link for setting up WCCP is:
Cisco Security Appliance Command Line Configuration Guide, Version 7.2 - Configuring DHCP, DDNS, and WCCP Services [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
Mike
-
wedge1988 Member Posts: 434
I read about it here: Configure WCCP on your Cisco IOS router
That's where I got the quote from.
Anyway, from what I see from your last post it should be as simple as routing, although I'm not that versed at routers... yet!
So, the Squid server has 2 NICs, so I'm assuming...
---
interface Vlan1
 ip address 10.0.0.1 255.255.252.0
 ip policy route-map proxy-redirect
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop 10.0.2.2
! IP 10.0.2.2 is the IP of the Squid box with its 1st NIC
access-list 111 deny tcp any any neq www
access-list 111 deny tcp host 10.0.2.2 any
access-list 111 permit tcp any any
---
interface Vlan2
 ip address 10.0.0.2 255.255.252.0
 ip policy route-map proxy-redirect
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop 10.0.4.2
! IP 10.0.4.2 is the IP of the Squid box with its 2nd NIC
access-list 111 deny tcp any any neq www
access-list 111 deny tcp host 10.0.4.2 any
access-list 111 permit tcp any any
---
...that the above will configure 2 proxy addresses to be routed. I would need to also say that any IP from 10.0.0.5-10.0.0.35 be routed to 10.0.2.2 and any IP from 10.0.0.36-10.0.0.254 be routed to 10.0.4.2.
This is sort of what I need? But it should proxy.
Sorry if I'm being dumb, I don't know any Cisco stuff at all.
-
mikearama Member Posts: 749
I like what you're thinking, except for this:
interface Vlan1
 ip address 10.0.0.1 255.255.252.0
---
interface Vlan2
 ip address 10.0.0.2 255.255.252.0
2 int vlans, with IPs in the same subnet. That ain't gonna work.
If I get your setup correctly, you will have your user subnet connected to the inside int of your ASA. You then will have all http traffic get redirected transparently to your proxy server (at 10.0.2.2), which will carry out the rest of the connectivity.
If your user network is in the 10.0.0.0 /22 subnet, then you're in trouble with your needs, as that whole /22 subnet has a single gateway, which, from your description, is 10.0.0.1 in vlan1, and from there will only reach one proxy server, which will be 10.0.2.2, as it's in the same subnet.
For any requests to be sent to the other proxy interface would require that you break up the user subnet into two ranges, likely half in the 10.0.0.0 /22 range, the other half in the 10.0.4.0 /22 range. Then the second half would use 10.0.4.1 as their gateway in vlan 2, and their requests could be sent to the second interface.
The inside int of the ASA would be set up as a trunk so as to accept traffic from both vlans.
-
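An added example, not from the thread or from either poster: a small Python generator and evaluator for the two-range split wedge1988 asked for, using the IOS-style route-map syntax quoted above but giving each proxy its own ACL and its own route-map sequence (reusing sequence 100 twice would just overwrite the first entry). It assumes both proxy addresses are reachable as directly connected next hops, i.e. the two-VLAN layout mikearama describes; the ACL numbers 111/112 and sequence numbers 10/20 are assumptions.

```python
import ipaddress

# Constructed from the ranges in the thread: (first host, last host, proxy next hop).
# ACL numbers 111/112 and route-map sequence numbers are assumptions, not from the thread.
RANGES = [
    ("10.0.0.5", "10.0.0.35", "10.0.2.2"),
    ("10.0.0.36", "10.0.0.254", "10.0.4.2"),
]
WWW = 80  # "neq www" in the thread's ACLs: only port-80 web traffic is redirected


def acl_lines(acl_no, first, last, proxy):
    """Cisco-style ACL for one user range; the wildcard mask is the inverted netmask."""
    lines = [
        f"access-list {acl_no} deny tcp any any neq www",   # non-web (incl. HTTPS) bypasses the proxy
        f"access-list {acl_no} deny tcp host {proxy} any",  # the proxy's own fetches are never looped back
    ]
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    for net in blocks:  # an odd range such as .5-.35 needs several aligned blocks
        lines.append(f"access-list {acl_no} permit tcp {net.network_address} {net.hostmask} any")
    return lines


def build_config():
    """Two ACLs and two route-map sequences, one per proxy."""
    cfg = []
    for i, (first, last, proxy) in enumerate(RANGES):
        cfg += acl_lines(111 + i, first, last, proxy)
    for i, (_, _, proxy) in enumerate(RANGES):
        cfg += [f"route-map proxy-redirect permit {10 * (i + 1)}",
                f" match ip address {111 + i}",
                f" set ip next-hop {proxy}"]
    return cfg


def next_hop(src, dport, proto="tcp"):
    """Evaluate the policy: the first sequence whose ACL permits the flow sets the next hop.
    None means no sequence matched, so the flow follows the normal routing table."""
    src_ip = ipaddress.ip_address(src)
    for first, last, proxy in RANGES:
        if proto != "tcp" or dport != WWW:          # deny tcp any any neq www
            continue
        if src_ip == ipaddress.ip_address(proxy):   # deny tcp host <proxy> any
            continue
        if ipaddress.ip_address(first) <= src_ip <= ipaddress.ip_address(last):
            return proxy
    return None
```

Note that the "neq www" deny line means HTTPS and every other non-port-80 flow never reaches the proxy; if that traffic must also be inspected, the policy needs to match those ports too.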
tiersten Member Posts: 4,505
The inside int of the ASA would be set up as a trunk so as to accept traffic from both vlans.
-
wedge1988 Member Posts: 434
Yeah, that's what I need to do. I'll have to do some reading up on trunking, and have a think about subnetting the machines, but it's not a problem.
In fact, I might be able to split the topology with a router to divide the subnets, then configure it from there.
Thanks for the help, I still have a way to go but I reckon I'll get there.
Wedge.