FW: Proxy

From: Gao, Qingli <Qingli.Gao_at_sig.com>
Date: Mon, 6 Apr 2009 18:09:01 -0400

Agree with Robclav.

Ali, you can create a PBR.
 Match all the src-port 80 TCP traffic (assuming you have HTTP only).

Next hop set to Cache zone's interface.

Thanks,
Qingli Gao CCIE# 17220

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of robclav_at_gmail.com
Sent: Monday, April 06, 2009 1:33 PM
To: Ali El Moussaoui; Cisco certification
Subject: Re: Proxy

Hi Ali,
You are facing an asymmetric path traffic issue. In other words, the one that is complaining is your outside zone (named INTERNET in the log). If you apply a NAT process from inside to the cache zone, that ensures traffic must flow back from outside to cache and then from cache to inside. Otherwise, as in your lab, inside traffic goes first to the cache zone and then to outside, but because you are using public IPv4 addresses the return flow goes directly from outside to inside; the FW does not have this session in its inside-outside session table, so it is a dropped session.
Hope this helps you,
Robclav

BlackBerry from movistar, wherever you are, there is your office

-----Original Message-----
From: Ali El Moussaoui <mousawi.ali_at_gmail.com>

Date: Mon, 6 Apr 2009 15:39:40
To: Cisco certification<ccielab_at_groupstudy.com>
Subject: Proxy

Hello Guys,

I have 3 security zones on the FWSM: Inside, Outside and Cache. I am using WCCP to
redirect outgoing traffic to the proxy. I see the following in the FWSM
logs:

Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 209.170.115.83/80 to 91.151.230.3/4780 flags RST on interface CACHE
Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 84.53.182.160/80 to 91.151.238.34/49126 flags RST on interface CACHE

My analysis is that the connections are created from inside and then redirected
to Cache. The FWSM will not recognize the session when it comes back on Cache
since it was created from inside. What do you think? How can I get over this?

Ali
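An added example, not part of the original thread: a small Python parser for FWSM %FWSM-6-106015 "Deny TCP (no connection)" lines that flags the signature of the asymmetric-path problem Ali describes (a server reply, source port 80 or 443, destination port ephemeral, arriving on the CACHE interface with no matching connection). The sample log is constructed here from the two lines quoted in the post plus two invented lines, and the CACHE interface name and the proxied port list are assumptions.

```python
import re
from collections import Counter

# Constructed sample log: the two FWSM-6-106015 lines quoted in the post plus
# two invented lines (one HTTPS reply on CACHE, one unrelated deny on OUTSIDE).
SAMPLE_LOG = """\
Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 209.170.115.83/80 to 91.151.230.3/4780 flags RST on interface CACHE
Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 84.53.182.160/80 to 91.151.238.34/49126 flags RST on interface CACHE
Apr 06 2009 15:20:46 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 91.151.230.7/51002 flags ACK on interface CACHE
Apr 06 2009 15:20:47 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 198.51.100.5/1234 to 91.151.230.9/22 flags SYN ACK on interface OUTSIDE
"""

# Field layout of the 106015 message as it appears in the post.
PATTERN = re.compile(
    r"%FWSM-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return a dict for a 106015 line, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec


def is_asymmetric_return(rec, proxied_ports=(80, 443), cache_iface="CACHE"):
    """Heuristic for the problem in the thread: a reply from a proxied service
    port (server side) to an ephemeral client port, hitting the cache-side
    interface with no connection entry. Interface name and port list are
    assumptions for this example."""
    return (
        rec["iface"] == cache_iface
        and rec["sport"] in proxied_ports
        and rec["dport"] >= 1024
    )


def summarize(log_text, **kwargs):
    """Count 106015 denies, how many look like asymmetric returns, the
    per-interface breakdown, and which servers' replies are being dropped."""
    recs = [r for r in map(parse_106015, log_text.splitlines()) if r]
    asym = [r for r in recs if is_asymmetric_return(r, **kwargs)]
    return {
        "total": len(recs),
        "asymmetric": len(asym),
        "by_iface": dict(Counter(r["iface"] for r in recs)),
        "servers": sorted({f'{r["src"]}/{r["sport"]}' for r in asym}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If nearly every 106015 on the cache-side interface is a server reply with the RST or ACK flags set and none are SYNs, the firewall is seeing only the second half of sessions that were built on another interface, which is the asymmetry the replies in this thread address with NAT or PBR rather than with an ACL change.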

Received on Mon Apr 06 2009 - 18:09:01 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART