We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Service

How can I configure my Cisco ASA to transparently proxy web traffic to the Web Security Service?

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00006411

Applies to the Web Security Flex Service using a Cisco ASA firewall web proxy forward deployment.

The Barracuda Web Security Service offers several easy deployment options. Transparent proxy forwarding is a simple option which relies upon your firewall to send all web traffic to the Web Security Service. This is the ideal deployment for single-location installations with many anonymous users on mixed platforms. If this does not fit your organizational profile, please consider one of several other deployments, as described in our TechLibrary

Follow these instructions to transparently proxy forward all web traffic from a Cisco ASA firewall to the Barracuda Web Security Service over port 8080:

1. Create service objects to match HTTP traffic sourced from every port for redirection to port 8080:

hostname(config)# object service source-http
hostname(config-service-object)# service tcp source range 1 65535 destination eq www
hostname(config-service-object)# description source-http
hostname(config)# object service redirected-http
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8080
hostname(config-service-object)# description redirected-http

2. Create a network object to match the source traffic to be filtered by the Web Security Service. The example below matches all traffic:

hostname(config)# object network Protected-Range
hostname(config-network-object)# subnet

3. Create a network object for your service host IP address. The example below utilizes the Atlanta datacenter IP at Please use Solution 00005806  or contact Barracuda Networks Technical Support if you are unsure of your service host IP address.

hostname(config)# object network Service-Host-IP
hostname(config-network-object)# host
hostname(config-network-object)# description Service-Host-IP

4. Using the object and network services you have set up, create NAT rules on your firewall to send Web traffic from your internal addresses to the Web Security service. The NAT statements for these rules are as follows:

nat (inside,outside) source dynamic any interface destination static Protected-Range Service-Host-IP service source-http redirected-http inactive

the last command is “inactive”

Additional Notes:
  • As of this writing, the ASA is not able to transparently redirect HTTPS traffic.
  • More details on web proxy forwarding can be found in the ASA Administrator’s Guide.

Link to this page: