Force traffic to a public proxy

Unanswered Question
Aug 23rd, 2008

Hi friends,


I have a unique requirement from a customer. He does not have any web filtering device in his network but he believes that web filtering can be done by some public proxy if we force traffic towards it.


I know the IP address of the proxy but I really don't think that we have a mechanism to force traffic towards a public proxy in the network.


Has anyone come across a similar requirement and has managed to implement it?


Thanks and Regards

Gautam

Marwan ALshawi Sat, 08/23/2008 - 02:41

If you have a Cisco router and the IP, do PBR, which is policy-based routing.

First you need to make sure you have reachability to that proxy IP by pinging it from the router. Once you get the reply, do the following steps.

Let's say the LAN network is 192.168.1.0/24 and is connected to FastEthernet 1/0:

access-list 1 permit 192.168.1.0 0.0.0.255

then

route-map PBR-1 permit 10
 match ip address 1
 set ip next-hop [proxy IP]

then apply it to the interface connected to the LAN:

interface FastEthernet1/0
 ip policy route-map PBR-1

Good luck.

Please rate if helpful.

Giuseppe Larosa Sat, 08/23/2008 - 08:57

Hello Gautam,

If the public proxy is somewhere on the Internet, configuring PBR on the border router doesn't guarantee the result.

You would need a cooperating device that terminates a GRE tunnel whose other end is your border router, and that is directly connected to the proxy.

Otherwise, some application-layer mechanism is needed, like TCP intercept plus a way to open sessions to the proxy.


Hope to help

Giuseppe



gautamzone Sat, 08/23/2008 - 09:46

Thanks a lot for the kind help. Even I had a doubt on this. The public proxy is connected directly to our ISP network, and even I believe that we have to agree with our ISP for such a kind of setup.


But I was just wondering if this is possible without ISP intervention?


Thanks a lot

Giuseppe Larosa Sat, 08/23/2008 - 10:03

Hello Gautam,

Doing this work at the application layer means:

your router intercepts all HTTP requests;

for each HTTP/TCP session, the router needs to open a TCP session to the proxy.

In turn, the proxy will handle the router-initiated TCP sessions and will open the sessions to the real servers on the Internet.

You can call this a hierarchy of proxies, like the hierarchies of web caches.

But I don't know if you can do this on a Cisco router alone: TCP intercept allows for the first part, that of handling user sessions.

Then, all possible URLs should be resolved by DNS to the public proxy IP address.

Maybe with a good DNS config you can do this without even using TCP intercept on the router.

This is the kind of thing that requires going to the upper layers, above layer 3.


Hope to help

Giuseppe
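
Added example, not part of the original thread and not any poster's code: the application-layer step described in the post above, where an intercepted HTTP request is re-sent over a new TCP session to the proxy. A client that is unaware of the proxy sends an origin-form request line, while an explicit forward proxy expects absolute-form (RFC 7230, section 5.3.2). The proxy address `192.0.2.10:3128` and the names `to_proxy_form` and `relay_once` are assumptions made for this illustration.

```python
import socket

# Assumed placeholder for the proxy; 192.0.2.0/24 is a documentation range.
PROXY = ("192.0.2.10", 3128)

# Constructed sample: what a browser sends when it does not know about a proxy.
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Accept: */*\r\n\r\n")


def to_proxy_form(raw: bytes) -> bytes:
    """Rewrite an intercepted origin-form request into the absolute-form
    an explicit forward proxy expects (RFC 7230, section 5.3.2)."""
    if raw[:1] == b"\x16":
        # TLS handshake record: the request line is encrypted, nothing to rewrite.
        raise ValueError("TLS traffic cannot be rewritten")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if target.lower().startswith(b"http://"):
        return raw  # client is already proxy-aware
    if method == b"CONNECT" or not target.startswith(b"/"):
        raise ValueError("unsupported request target")
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith(b"host:")]
    if len(hosts) != 1 or not hosts[0]:
        # Without exactly one Host header the original destination is ambiguous.
        raise ValueError("need exactly one Host header")
    lines[0] = b" ".join([method, b"http://" + hosts[0] + target, version])
    return b"\r\n".join(lines) + sep + body


def relay_once(raw: bytes, proxy=PROXY, timeout=5.0) -> bytes:
    """Open the router-side TCP session to the proxy; return its first reply bytes."""
    with socket.create_connection(proxy, timeout=timeout) as upstream:
        upstream.sendall(to_proxy_form(raw))
        return upstream.recv(65536)


if __name__ == "__main__":
    print(to_proxy_form(SAMPLE).decode())
```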


