Integration of Proxy Server to the LAN

Answered Question
Dec 16th, 2007

I have my proxy server in the LAN. The proxy caches all of the HTTP sessions inbound and outbound of the LAN. In the LAN, users must enter the proxy setting in the browser to be able to surf the internet (HTTP port 80).


My questions:-


1) How should the Cisco router 2821 (ISR - all firewall, NAT and IGW) be set up to cater for the proxy server in the LAN? What are the rules to be injected into the configuration so that users will only go through the PROXY server and then go through the router?






Overall Rating: 5 (2 ratings)
Fraser Reid Sun, 12/16/2007 - 08:02

Sounds like you may have a design problem... Is your proxy behind the router? Should that be the "default gateway" for all public IP addresses?


x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-


As long as all users have the proxy in their Internet config, be it IE7 or Mozilla/Firefox, then they will have to use the proxy to surf the net.

noxkrugger Sun, 12/16/2007 - 08:16

Yup, the proxy is behind the router. My default gateway is the 2821 router. I just want to configure it so that all users must go through the proxy first before reaching the router.


And users cannot access the internet without configuring the proxy server in their browser.


Please advise



Edison Ortiz Sun, 12/16/2007 - 08:18

You can create an ACL in the router to block all http traffic with the exception of the proxy server.


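ip access-list extended PROXY
 ! The proxy server itself may open HTTP/HTTPS sessions outbound
 permit tcp host [proxy-server-ip] any eq 80
 permit tcp host [proxy-server-ip] any eq 443
 ! Every other LAN host is denied direct HTTP/HTTPS
 ! (IOS extended ACLs take a wildcard mask here, e.g. 0.0.0.255 for a /24)
 deny tcp [LAN-subnet] [LAN-subnet mask] any eq 80
 deny tcp [LAN-subnet] [LAN-subnet mask] any eq 443
 ! All remaining traffic is unaffected
 permit ip any any
!
! Apply inbound on the interface facing the LAN
interface fx/x
 ip access-group PROXY in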

noxkrugger Sun, 12/16/2007 - 08:35

Thanks EdisonOrtiz,


But if we block the incoming traffic from the LAN-subnet for ports 80 & 443, the sessions that originated from the LAN-subnet will be blocked (source IP), am I right?


So, how will the router recognize a session that originated from the LAN-subnet through the proxy-server-ip?


Can you explain more?

Correct Answer
Edison Ortiz Sun, 12/16/2007 - 10:48

> But if we block the incoming traffic from the LAN-subnet for ports 80 & 443,
> the sessions that originated from the LAN-subnet will be blocked (source IP), am I right?


Yes


> So, how will the router recognize a session that originated from the LAN-subnet through the proxy-server-ip?


Notice, there is a permit for the proxy server IP address in the ACL
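
An added illustration, not part of the thread: a small Python model of first-match ACL evaluation, showing why the proxy's permit lines must come before the LAN deny lines. The addresses (192.168.1.10 for the proxy, 192.168.1.0/24 for the LAN) and all helper names are assumptions made for this example.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread)
PROXY = "192.168.1.10"
LAN = ("192.168.1.0", "0.0.0.255")      # subnet + IOS wildcard mask
ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")              # "host x" is wildcard 0.0.0.0

# (action, protocol, source, destination port) in the order posted above
PROXY_ACL = [
    ("permit", "tcp", host(PROXY), 80),
    ("permit", "tcp", host(PROXY), 443),
    ("deny", "tcp", LAN, 80),
    ("deny", "tcp", LAN, 443),
    ("permit", "ip", ANY, None),
]
# Same entries with the denies moved ahead of the proxy permits
REORDERED = PROXY_ACL[2:4] + PROXY_ACL[:2] + PROXY_ACL[4:]

def src_matches(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == base & care

def evaluate(acl, proto, src, dport):
    """Return the action of the first matching entry (first match wins)."""
    for action, acl_proto, src_spec, acl_port in acl:
        if acl_proto not in ("ip", proto):
            continue
        if acl_port is not None and acl_port != dport:
            continue
        if src_matches(src, src_spec):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    for name, acl in (("posted", PROXY_ACL), ("reordered", REORDERED)):
        for src, port in ((PROXY, 80), ("192.168.1.55", 443), ("192.168.1.55", 8080)):
            print(name, src, port, evaluate(acl, "tcp", src, port))
```

With the posted order the proxy matches its permit first and every other LAN host hits the deny. The model also shows that the ACL only constrains ports 80 and 443, so traffic to any other port falls through to `permit ip any any`.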



noxkrugger Mon, 12/17/2007 - 09:37

Thank you EdisonOrtiz. Right now I can create a rule for my LAN outbound via the web proxy server.
