From: Scott Morris (swm@emanon.com)
Date: Mon Dec 13 2004 - 13:00:42 GMT-3
Right. But in spoofing, it assumes the IP of the originating client and of
the server. If the proxy/CE are on the same interface of the firewall (both
on 'inside' for example), the firewall doesn't care because it doesn't know
better.
If you put the ce/proxy on a firewall dmz or some other interface, the
spoofing will cause issues with the ASA in a PIX (or whatever similar
algorithm of state in other firewalls).
Scott
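A toy model of the stateful-firewall behaviour the thread describes, added here as an illustration and not code from any poster or from Cisco: it mimics a PIX-style connection table that records, for each outbound flow, the interface the reply is expected on, and runs the returned page through it for the three CE placements discussed (the table semantics are a simplifying assumption; all addresses and interface names are constructed).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str          # firewall interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the connection-opening SYN

class StatefulFirewall:
    """Simplified model of a PIX ASA-style connection table (an assumption,
    not vendor code): an outbound SYN from 'inside' records the 5-tuple and
    the interface the reply is expected on; a reply must match both."""
    def __init__(self, iface_of):
        self.iface_of = iface_of    # constructed host -> interface table
        self.conns = {}             # (src, sport, dst, dport) -> reply iface

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and pkt.iface == "inside":
            self.conns[key] = self.iface_of.get(pkt.dst, "outside")
            return "permit (new conn)"
        if rev not in self.conns:
            return "drop (no conn)"
        if self.conns[rev] != pkt.iface:
            return "drop (conn exists but wrong interface)"
        return "permit (matches conn)"

CLIENT, SERVER, CE = "10.1.1.20", "203.0.113.10", "172.16.1.5"  # constructed

def run_scenarios():
    """Verdict the firewall gives the returned page in each CE placement."""
    results = {}
    for name, reply in [
        # CE on 'inside' spoofing the client: one ordinary flow, reply from outside
        ("ce_inside_spoofed", Packet("outside", SERVER, 80, CLIENT, 40000)),
        # CE on a DMZ, not spoofing: page comes from the CE's own IP, no conn entry
        ("ce_dmz_own_ip", Packet("dmz", CE, 80, CLIENT, 40000)),
        # CE on a DMZ spoofing the server: tuple matches, but wrong interface
        ("ce_dmz_spoofed", Packet("dmz", SERVER, 80, CLIENT, 40000)),
    ]:
        fw = StatefulFirewall({SERVER: "outside", CE: "dmz"})
        fw.forward(Packet("inside", CLIENT, 40000, SERVER, 80, syn=True))
        results[name] = fw.forward(reply)
    return results
```

Only the first placement gets the page back through the firewall; the two DMZ placements are dropped for the two different reasons Thomas and Scott raise.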
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Park, Peter
Sent: Monday, December 13, 2004 10:17 AM
To: Scott Morris; 'Cheung Thomas'; ccielab@groupstudy.com
Subject: RE: Content engine and web clients separated by firewall possible?
Actually, with transparent proxy, the content engine will spoof the IP so you
don't have to worry about the firewall seeing the content engine's IP on the outside.
Have you tried looking at firewall log or sniffing?
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Monday, December 13, 2004 8:28 AM
To: 'Cheung Thomas'; ccielab@groupstudy.com
Subject: RE: Content engine and web clients separated by firewall possible?
Due to this proxy effect, and essentially spoofing on behalf of the CE,
firewalls get really pissed about this activity... I tried playing around
with it for a while, and it was not functional in any sort of normal
implementation.
The best bet is to have the proxy/CE outside the firewall by the exiting
router if it is a transparent CE. If it's non-transparent, where your users
all point to the proxy server then it shouldn't matter where you have it as
the rules essentially change.
HTH,
Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
Telephony Support Specialist, IP Telephony Design Specialist, CISSP CCSI
#21903 swm@emanon.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cheung Thomas
Sent: Monday, December 13, 2004 2:12 AM
To: ccielab@groupstudy.com
Subject: OT: Content engine and web clients separated by firewall possible?
Hi Group,
Sorry for the OT but I need help. A client wants to install a Cisco 500
series content engine as a transparent proxy. However, the web clients and
the engine are separated by a firewall. I checked the manuals and samples
and found that they put the clients and the engine on the same side. Also,
the wccp router should be on the same side as the engine. So I don't know
whether the mentioned scenario is possible.
My concern is that: when the web clients browse a page, they make a request
to the real ip of the web server. However, the content engine will actually
make the request on behalf of the clients. Then, it will return the page
to the clients. Thus, the firewall will see the returned page has a
source address of the engine, not the real ip of the web server. And I
suspect the returned traffic will be blocked. Is this the case?
Could someone with similar experience help me? Thank you.
Regards,
Thomas
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3