Applies to the Web Security Flex Service using a Cisco ASA firewall web proxy forward deployment.
The Barracuda Web Security Service offers several easy deployment options. Transparent proxy forwarding is a simple option which relies upon your firewall to send all web traffic to the Web Security Service. This is the ideal deployment for single-location installations with many anonymous users on mixed platforms. If this does not fit your organizational profile, please consider one of several other deployments, as described in our TechLibrary.
Follow these instructions to transparently proxy forward all web traffic from a Cisco ASA firewall to the Barracuda Web Security Service over port 8080:
1. Create service objects to match HTTP traffic sourced from every port for redirection to port 8080:
hostname(config)# object service source-http
hostname(config-service-object)# service tcp source range 1 65535 destination eq www
hostname(config-service-object)# description source-http
hostname(config)# object service redirected-http
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8080
hostname(config-service-object)# description redirected-http
2. Create a network object to match the source traffic to be filtered by the Web Security Service. The example below matches all traffic:
hostname(config)# object network Protected-Range
hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0
3. Create a network object for your service host IP address. The example below utilizes the Atlanta datacenter IP at 184.108.40.206. Please use Solution 00005806 or contact Barracuda Networks Technical Support if you are unsure of your service host IP address.
hostname(config)# object network Service-Host-IP
hostname(config-network-object)# host 220.127.116.11
hostname(config-network-object)# description Service-Host-IP
4. Using the object and network services you have set up, create NAT rules on your firewall to send Web traffic from your internal addresses to the Web Security service. The NAT statements for these rules are as follows:
nat (inside,outside) source dynamic any interface destination static Protected-Range Service-Host-IP service source-http redirected-http inactive
the last command is “inactive”
- As of this writing, the ASA is not able to transparently redirect HTTPS traffic.
- More details on web proxy forwarding can be found in the ASA Administrator’s Guide.
Link to this page: