RE: Content engine and web clients separated by firewall

From: Scott Morris (swm@emanon.com)
Date: Mon Dec 13 2004 - 14:30:40 GMT-3


The 500 series are cache engines, which may behave differently than content
engines (ArrowPoint stuff). My CE-550 does bidirectional spoofing which
pisses off the PIX. After a few packet captures and a long conversation
with TAC, the bottom line was that the PIX could not be in the middle. The
CE was either on the client side of the PIX or the edge router side of the
PIX in order to take the FW out of the loop.

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Park, Peter
Sent: Monday, December 13, 2004 12:17 PM
To: swm@emanon.com; 'Park, Peter'; 'Cheung Thomas'; ccielab@groupstudy.com
Subject: RE: Content engine and web clients separated by firewall possible?

I have seen the content engine making requests out to the Internet with its own
IP and not the client's IP. The spoofing that I've seen in reference to the CE
is when the content engine spoofs the destination IP that a client is
trying to reach.

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Monday, December 13, 2004 11:01 AM
To: 'Park, Peter'; 'Cheung Thomas'; ccielab@groupstudy.com
Subject: RE: Content engine and web clients separated by firewall possible?

Right. But in spoofing, it assumes the IP of the originating client and of
the server. If the proxy/CE are on the same interface of the firewall (both
on 'inside' for example), the firewall doesn't care because it doesn't know
better.

If you put the CE/proxy on a firewall DMZ or some other interface, the
spoofing will cause issues with the ASA in a PIX (or whatever similar
algorithm of state in other firewalls).

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Park, Peter
Sent: Monday, December 13, 2004 10:17 AM
To: Scott Morris; 'Cheung Thomas'; ccielab@groupstudy.com
Subject: RE: Content engine and web clients separated by firewall possible?

Actually, with a transparent proxy, the content engine will spoof the IP so you
don't have to worry about the firewall seeing the content engine's IP on the outside.
Have you tried looking at the firewall log or sniffing?

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Monday, December 13, 2004 8:28 AM
To: 'Cheung Thomas'; ccielab@groupstudy.com
Subject: RE: Content engine and web clients separated by firewall possible?

Due to this proxy effect, and essentially spoofing on behalf of the CE,
firewalls get really pissed about this activity... I tried playing around
with it for a while, and it was not functional in any sort of normal
implementation.

The best bet is to have the proxy/CE outside the firewall by the exiting
router if it is a transparent CE. If it's non-transparent, where your users
all point to the proxy server, then it shouldn't matter where you have it as
the rules essentially change.

HTH,

Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
Telephony Support Specialist, IP Telephony Design Specialist, CISSP CCSI
#21903 swm@emanon.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cheung Thomas
Sent: Monday, December 13, 2004 2:12 AM
To: ccielab@groupstudy.com
Subject: OT: Content engine and web clients separated by firewall possible?

Hi Group,

Sorry for the OT but I need help. A client wants to install a Cisco 500
series content engine as a transparent proxy. However, the web clients and
the engine are separated by a firewall. I checked the manuals and samples
and found that they put the clients and the engine on the same side. Also,
the WCCP router should be on the same side as the engine. So I don't know
whether the mentioned scenario is possible.
My concern is this: when the web clients browse a page, they make a request
to the real IP of the web server. However, the content engine will actually
make the request on behalf of the clients. Then it will return the page
to the clients. Thus, the firewall will see that the returned page has a
source address of the engine, not the real IP of the web server. And I
suspect the returned traffic will be blocked. Is this the case?
Could someone with similar experience help me? Thank you.

Regards,

Thomas



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3