Integration of Proxy Server to the LAN

Answered Question
Dec 16th, 2007

I have my proxy server in the LAN. The proxy caches all of the HTTP sessions inbound and outbound of the LAN. In the LAN, users must enter the proxy setting in the browser to be able to surf the Internet (HTTP port 80).

My questions:

1) How should the Cisco 2821 router (ISR: all firewall, NAT and IGW) be set up to cater for the proxy server in the LAN? What rules should be injected into the configuration so that users will only go through the PROXY server and then go through the router?

Fraser Reid Sun, 12/16/2007 - 08:02

Sounds like you may have a design problem... Is your proxy behind the router? Should that be the "default gateway" for all public IP addresses?

x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

As long as all users have the proxy in their Internet config, be it IE7 or Mozilla/Firefox, then they will have to use the proxy to surf the net.

noxkrugger Sun, 12/16/2007 - 08:16

Yup, the proxy is behind the router. My default gateway is the 2821 router. I just want to configure it so that all users must go through the proxy first before reaching the router.

And users cannot access the Internet without configuring the proxy server in their browser.

Please advise.

Edison Ortiz Sun, 12/16/2007 - 08:18

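You can create an ACL in the router to block all HTTP traffic with the exception of the proxy server.

    ip access-list extended PROXY
     ! allow web traffic sourced from the proxy server only
     permit tcp host [proxy-server-ip] any eq 80
     permit tcp host [proxy-server-ip] any eq 443
     ! block direct web traffic from every other LAN host
     ! (IOS ACLs take a wildcard mask here, e.g. 0.0.0.255 for a /24)
     deny tcp [LAN-subnet] [LAN-subnet mask] any eq 80
     deny tcp [LAN-subnet] [LAN-subnet mask] any eq 443
     ! everything else passes unchanged
     permit ip any any
    !
    ! interface facing the LAN
    interface fx/x
     ip access-group PROXY in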

noxkrugger Sun, 12/16/2007 - 08:35

Thanks EdisonOrtiz,

but if we block the incoming traffic from LAN-subnet for ports 80 & 443, the sessions that have been originated from LAN-subnet will be blocked (source IP), am I right?

So, how will the router recognize a session that originated from LAN-subnet through proxy-server-ip?

Can you explain more?

Correct Answer
Edison Ortiz Sun, 12/16/2007 - 10:48

> but if we block the incoming traffic from LAN-subnet for ports 80 & 443,
> the sessions that have been originated from LAN-subnet will be blocked (source IP), am I right?

Yes.

> So, how will the router recognize a session that originated from LAN-subnet through proxy-server-ip?

Notice, there is a permit for the proxy server IP address in the ACL.
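The rule ordering this answer relies on, shown as an added example that is not part of the original thread: a small first-match evaluator run over the PROXY ACL. The addresses (192.168.1.0/24 for the LAN, 192.168.1.10 for the proxy) are constructed stand-ins for the bracketed placeholders, and `evaluate` and `REORDERED` are names introduced here.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY = ipaddress.ip_network("192.168.1.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# The PROXY ACL from the answer: (action, protocol, source, destination port).
# The destination address is "any" in every entry; port None means "no port test".
PROXY_ACL = [
    ("permit", "tcp", PROXY, 80),
    ("permit", "tcp", PROXY, 443),
    ("deny",   "tcp", LAN,   80),
    ("deny",   "tcp", LAN,   443),
    ("permit", "ip",  ANY,   None),
]

# Same entries with the subnet denies moved ahead of the proxy permits.
REORDERED = PROXY_ACL[2:4] + PROXY_ACL[0:2] + PROXY_ACL[4:]


def evaluate(acl, proto, src, dport):
    """Return (action, index of the matching entry) using first-match semantics."""
    src_ip = ipaddress.ip_address(src)
    for index, (action, acl_proto, source, port) in enumerate(acl):
        if acl_proto != "ip" and acl_proto != proto:
            continue  # protocol does not match this entry
        if src_ip not in source:
            continue  # source address outside this entry's range
        if port is not None and port != dport:
            continue  # entry tests a different destination port
        return action, index  # first match wins; later entries are never read
    return "deny", None  # implicit deny that ends every IOS ACL


if __name__ == "__main__":
    samples = [("tcp", "192.168.1.10", 80),   # proxy itself
               ("tcp", "192.168.1.55", 80),   # ordinary LAN client, HTTP
               ("tcp", "192.168.1.55", 443),  # ordinary LAN client, HTTPS
               ("udp", "192.168.1.55", 53)]   # non-web traffic
    for proto, src, dport in samples:
        print(proto, src, dport, "->", evaluate(PROXY_ACL, proto, src, dport))
    print("reordered, proxy HTTP ->", evaluate(REORDERED, "tcp", "192.168.1.10", 80))
```

The proxy's address also falls inside the LAN subnet, so it is only the position of the two host permits above the subnet denies that lets its traffic through.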

noxkrugger Mon, 12/17/2007 - 09:37

Thank you EdisonOrtiz. Right now I can create a rule for my LAN outbound via the web proxy server.