
ASA 5505 Routing and Proxy Help!

wedge1988 Member Posts: 434
Hi, I'm new to the Cisco area, and I'm in need of a little help.

My question is simple: can the ASA 5505 Firewall Edition take internet requests and forward them to different proxy addresses? The reason being that we have 2 proxy servers in front of the ASA 5505 firewall and they both have different addresses.

Surely this is possible? You can't do it with ISA Server 2006 because it only supports proxy redirection to one upstream proxy server, but I need it to direct it to 2!!

Please help!
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese

Comments

  • mikearama Member Posts: 749
    I don't think so. What you're describing would require a load balancer... something like an ACE module in a big Cat switch... which would allow the use of a single VIP IP, which would then spray the requests across your cluster.

    The setup in an ASA requires a route-map (from the CLI) where you set the next-hop, and the next hop only permits one IP address.
    IE:
    route-map proxy-redirect permit 10
    match ip address applicable_ACL
    set ip next-hop 192.168.1.2

    You might want to investigate WCCP... I see in my 5540s that it allows the creation of web cache groups, and the groups can maintain multiple IPs. I just don't know if that feature is available in the '05.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • wedge1988 Member Posts: 434
    Thanks for the reply "mikearama"

    I have done a bit of research into this and the 5505 won't support WCCP, but the 5510 does.

    I haven't got the ASA firewall yet so I'll probably have to go for the 5510.

    I know pretty much nothing about Cisco hardware, and I'm looking to move forward and start learning about it. But, for the time being, could you please give me a little help with what I would have to do to set this up? I mean command-wise.

    We have a Squid proxy server also, by the way, and from reading about the WCCP support, Squid actually has the same sort of abilities. (I can't use Squid; it's not managed by me.)

    I also read this:

    "The benefit to transparently routing traffic to a Web appliance is that you don't have to make any changes to your Web browsers (and you don't have to configure a proxy server)."

    So, I'm assuming that the 5510, using WCCP, will allow me to do what I want.

    Thanks for the help so far ;)
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • mikearama Member Posts: 749
    If I read you right, this link should help:

    RE: [squid-users] Cisco ASA -> Squid proxy

    The commands include:

    interface Vlan1
    ip address 10.0.12.1 255.255.255.128
    ip policy route-map proxy-redirect

    route-map proxy-redirect permit 100
    match ip address 111
    set ip next-hop 10.0.12.2
    ! IP 10.0.12.2 is the IP of the Squid box with a single NIC

    access-list 111 deny tcp any any neq www
    access-list 111 deny tcp host 10.0.12.2 any
    access-list 111 permit tcp any any


    So while the link refers to a squid proxy, any proxy will work with the same setup.

    And while you shouldn't ever have to modify browser settings, I don't know how your quote is correct... that you don't have to set up a proxy server. The web appliance is a proxy server. Anyway...

    As for WCCP, I'm afraid I can only tell you what I've read. I haven't contracted at any biz that actually uses the function. And, there's differences between a proxy and a cache engine... be clear on what you need.

    A good link for setting up WCCP is:
    Cisco Security Appliance Command Line Configuration Guide, Version 7.2 - Configuring DHCP, DDNS, and WCCP Services [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
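    The ACL-plus-route-map logic from the snippet above, modelled as an added example (my own code, not from the linked squid-users post or from any Cisco software). It uses the addresses in the snippet; the client address 10.0.12.50 and the destination 203.0.113.10 are constructed. It shows why the `deny tcp host 10.0.12.2 any` line matters: without it, the proxy's own outbound port-80 traffic would be policy-routed straight back to the proxy.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
WWW = 80
PROXY = "10.0.12.2"   # next hop from the snippet above

def host(ip):
    return ipaddress.ip_network(f"{ip}/32")

# Extended ACL 111 from the snippet: (action, src, dst, port_op, port).
# Only TCP lines exist, so every flow modelled here is TCP.
ACL_111 = [
    ("deny",   ANY,         ANY, "neq", WWW),   # deny tcp any any neq www
    ("deny",   host(PROXY), ANY, None,  None),  # deny tcp host 10.0.12.2 any
    ("permit", ANY,         ANY, None,  None),  # permit tcp any any
]

def acl_match(acl, src, dst, dport):
    """Evaluate an extended ACL top-down: the first matching entry wins,
    and an implicit deny applies when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, op, port in acl:
        if s not in src_net or d not in dst_net:
            continue
        if op == "eq" and dport != port:
            continue
        if op == "neq" and dport == port:
            continue
        return action
    return "deny"

# route-map proxy-redirect: (sequence, match ACL, set ip next-hop)
ROUTE_MAP = [(100, ACL_111, PROXY)]

def next_hop(route_map, src, dst, dport):
    """Policy routing: the first sequence whose ACL permits the flow sets
    the next hop; otherwise return None, meaning normal routing applies."""
    for _seq, acl, hop in route_map:
        if acl_match(acl, src, dst, dport) == "permit":
            return hop
    return None

if __name__ == "__main__":
    # Constructed flows: a client on the Vlan1 subnet, and the proxy itself.
    for src, dport in [("10.0.12.50", 80), ("10.0.12.50", 443), (PROXY, 80)]:
        hop = next_hop(ROUTE_MAP, src, "203.0.113.10", dport)
        print(f"{src}:{dport} -> {hop or 'normal routing'}")
```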
  • wedge1988 Member Posts: 434
    I read about it here: Configure WCCP on your Cisco IOS router

    That's where I got the quote from :)

    Anyway, from what I see from your last post it should be as simple as routing, although I'm not that versed at routers... yet!

    So, the Squid server has 2 NICs, so I'm assuming...

    ---

    interface Vlan1
    ip address 10.0.0.1 255.255.252.0
    ip policy route-map proxy-redirect

    route-map proxy-redirect permit 100
    match ip address 111
    set ip next-hop 10.0.2.2
    ! IP 10.0.2.2 is the IP of the Squid box with its 1st NIC

    access-list 111 deny tcp any any neq www
    access-list 111 deny tcp host 10.0.2.2 any
    access-list 111 permit tcp any any

    ---

    interface Vlan2
    ip address 10.0.0.2 255.255.252.0
    ip policy route-map proxy-redirect

    route-map proxy-redirect permit 100
    match ip address 111
    set ip next-hop 10.0.4.2
    ! IP 10.0.4.2 is the IP of the Squid box with its 2nd NIC

    access-list 111 deny tcp any any neq www
    access-list 111 deny tcp host 10.0.4.2 any
    access-list 111 permit tcp any any

    ---

    that the above will configure 2 proxy addresses to be routed. I would need to also say that any IP from 10.0.0.5-10.0.0.35 be routed to 10.0.2.2 and any IP from 10.0.0.36-10.0.0.254 be routed to 10.0.4.2.

    This is sort of what I need? But it should proxy.

    Sorry if I'm being dumb, I don't know any Cisco stuff at all.
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • mikearama Member Posts: 749
    I like what you're thinking, except for this:
    wedge1988 wrote:
    interface Vlan1
    ip address 10.0.0.1 255.255.252.0

    ---

    interface Vlan2
    ip address 10.0.0.2 255.255.252.0

    2 int VLANs, with IPs in the same subnet. That ain't gonna work.

    If I get your setup correctly, you will have your user subnet connected to the inside int of your ASA. You then will have all http traffic get redirected transparently to your proxy server (at 10.0.2.2), which will carry out the rest of the connectivity.

    If your user network is in the 10.0.0.0 / 22 subnet, then you're in trouble with your needs, as that whole /22 subnet has a single gateway, which, from your description, is 10.0.0.1 in vlan1, and from there will only reach one proxy server, which will be 10.0.2.2, as it's in the same subnet.

    For any requests to be sent to the other proxy interface would require that you break up the user subnet into two ranges, likely half in the 10.0.0.0 /22 range, the other half in 10.0.4.0 /22 range. Then the second half would use 10.0.4.1 as their gateway in vlan 2, and their requests could be sent to the second interface.

    The inside int of the ASA would be set up as a trunk so as to accept traffic from both vlans.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • tiersten Member Posts: 4,505
    mikearama wrote:
    The inside int of the ASA would be set up as a trunk so as to accept traffic from both vlans.
    If you're going to need trunking then the ASA5505 requires the Security Plus license. The 5510 and above has trunking built into the base license.
  • wedge1988 Member Posts: 434
    Yeah, that's what I need to do :) I'll have to do some reading up on trunking, and have a think about subnetting the machines, but it's not a problem.
    In fact, I might be able to split the topology with a router to divide the subnets, then configure it from there.

    Thanks for the help, I still have a way to go but I reckon I'll get there.

    Wedge.
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese