Force traffic to a public proxy

Unanswered Question
Aug 23rd, 2008

Hi friends,

I have a unique requirement from a customer. He does not have any web filtering device in his network, but he believes that web filtering can be done by some public proxy if we force traffic towards it.

I know the IP address of the proxy, but I really don't think that we have a mechanism to force traffic towards a public proxy in the network.

Has anyone come across a similar requirement and has managed to implement it?

Thanks and Regards

Gautam

Marwan ALshawi Sat, 08/23/2008 - 02:41

If you have a Cisco router and the proxy IP, do PBR, which is policy-based routing.

First you need to make sure you have reachability to that proxy IP by pinging it from the router. Once you get the reply,

do the following steps.

Let's say the LAN network is 192.168.1.0/24

and it is connected to FastEthernet 1/0.

access-list 1 permit 192.168.1.0 0.0.0.255

then

route-map PBR-1 permit 10
 match ip address 1
 set ip next-hop [proxy IP]

then apply it to the interface connected to the LAN:

interface FastEthernet 1/0
 ip policy route-map PBR-1

Good luck.

Please rate if helpful.

Giuseppe Larosa Sat, 08/23/2008 - 08:57

Hello Gautam,

If the public proxy is somewhere in the Internet, configuring PBR on the border router doesn't guarantee the result.

You would need a cooperating device that terminates a GRE tunnel whose other end is your border router, and that is directly connected to the proxy.

Otherwise some application-layer mechanism is needed, like TCP intercept plus a way to open sessions to the proxy.

Hope to help

Giuseppe

gautamzone Sat, 08/23/2008 - 09:46

Thanks a lot for the kind help. Even I had a doubt on this. The public proxy is connected directly to our ISP's network, and I also believe that we have to agree with our ISP for such a setup.

But I was just wondering if this is possible without ISP intervention?

Thanks a lot

Giuseppe Larosa Sat, 08/23/2008 - 10:03

Hello Gautam,

Doing this work at the application layer means:

your router intercepts all HTTP requests;

for each HTTP/TCP session the router needs to open a TCP session to the proxy.

In turn, the proxy will handle the router-initiated TCP sessions and will open the sessions to the real servers in the Internet.

You can call this a hierarchy of proxies, like the hierarchies of web caches.

But I don't know if you can do this on a Cisco router alone: TCP intercept allows for the first part, that of handling user sessions.

Then, all possible URLs should be resolved by DNS to the public proxy IP address.

Maybe with a good DNS config you can do this without even using TCP intercept on the router.

This is the kind of thing that requires going to the upper layers, above layer 3.

Hope to help

Giuseppe
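The "hierarchy of proxies" Giuseppe describes, as an added example that is not part of the thread and not Cisco code: an intercepting forwarder (standing in for the router) accepts a client's ordinary origin-form HTTP request, opens a fresh TCP session to an upstream filtering proxy (standing in for the public proxy), rewrites the request into the absolute-URI form a forward proxy expects, and relays the answer. The upstream proxy is a stub that applies a constructed blocklist; host names, ports and the blocklist are all assumptions, and everything runs on loopback with ephemeral ports. Only plain HTTP is modelled; with HTTPS the proxy sees just a CONNECT to a host name, so URL-level filtering is not possible there.

```python
"""Added example (not from the thread): intercept -> upstream filtering proxy."""
import socket
import threading

CRLF = b"\r\n"
BLOCKED_HOSTS = {b"blocked.example"}   # constructed blocklist for the stub proxy


def read_head(sock):
    """Read until the end of the HTTP header block (bodies are not handled)."""
    buf = b""
    while CRLF * 2 not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def to_proxy_form(head):
    """Rewrite an origin-form request (GET /path) into the absolute-URI form a
    forward proxy expects (GET http://host/path). Connection: close is forced so
    one client session maps to exactly one upstream session. Header names are
    emitted lower-cased (HTTP header names are case-insensitive)."""
    lines = head.split(CRLF)
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host")
    if host is None:
        raise ValueError("Host header required to build the absolute URI")
    if not target.startswith(b"http://"):
        target = b"http://" + host + target
    out = [method + b" " + target + b" " + version,
           b"Host: " + host, b"Connection: close"]
    out += [n + b": " + v for n, v in headers.items()
            if n not in (b"host", b"connection", b"proxy-connection")]
    return CRLF.join(out) + CRLF * 2


def stub_proxy(sock):
    """One upstream-proxy session: filter on the absolute URI, answer, close."""
    head = read_head(sock)
    if head:
        target = head.split(CRLF)[0].split(b" ")[1]
        host = target.split(b"//", 1)[1].split(b"/", 1)[0]
        if host in BLOCKED_HOSTS:
            status, body = b"HTTP/1.1 403 Forbidden", b"blocked by policy\n"
        else:  # a real proxy would fetch the origin server here
            status, body = b"HTTP/1.1 200 OK", b"fetched " + target + b"\n"
        sock.sendall(status + CRLF + b"Content-Length: " +
                     str(len(body)).encode() + CRLF +
                     b"Connection: close" + CRLF * 2 + body)
    sock.close()


def intercept(client, proxy_addr):
    """One client session: open a new TCP session to the upstream proxy, send
    the rewritten request, then relay the whole response back to the client."""
    head = read_head(client)
    if head:
        with socket.create_connection(proxy_addr) as up:
            up.sendall(to_proxy_form(head))
            while True:
                chunk = up.recv(4096)
                if not chunk:
                    break
                client.sendall(chunk)
    client.close()


def serve(handler, *args):
    """Listen on an ephemeral loopback port; return the (host, port) address."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(8)

    def loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handler, args=(conn, *args), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()


def fetch_via_intercept(intercept_addr, host, path):
    """A client that believes it is talking to the web server directly."""
    with socket.create_connection(intercept_addr) as s:
        s.sendall(b"GET " + path + b" HTTP/1.1" + CRLF + b"Host: " + host + CRLF * 2)
        s.shutdown(socket.SHUT_WR)
        resp = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
    return resp.split(CRLF)[0].decode()


def run_demo():
    """Start the stub public proxy and the interceptor; return status lines."""
    proxy_addr = serve(stub_proxy)
    icpt_addr = serve(intercept, proxy_addr)
    return {"allowed": fetch_via_intercept(icpt_addr, b"www.example", b"/index.html"),
            "blocked": fetch_via_intercept(icpt_addr, b"blocked.example", b"/")}


if __name__ == "__main__":
    print(run_demo())
```

The interceptor never inspects the URL itself; as in the thread, the filtering decision is made entirely by the upstream proxy, and the interceptor's only jobs are to terminate the user's session and to originate one session per request towards the proxy.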
