08-23-2008 12:36 AM - edited 03-03-2019 11:14 PM
Hi friends,
I have a unique requirement from a customer. He does not have any web filtering device in his network, but he believes that web filtering can be done by some public proxy if we force traffic towards it.
I know the IP address of the proxy, but I really don't think that we have a mechanism to force traffic towards a public proxy in the network.
Has anyone come across a similar requirement and has managed to implement it?
Thanks and Regards
Gautam
08-23-2008 02:41 AM
If you have a Cisco router and the IP, do PBR, which is policy-based routing.
First you need to make sure you have reachability to that proxy IP by pinging it from the router. Once you get the reply,
do the following steps.
Let's say the LAN network is 192.168.1.0/24
and connected to FastEthernet 1/0:
access-list 1 permit 192.168.1.0 0.0.0.255
then
route-map PBR-1 permit 10
match ip address 1
set ip next-hop [proxy IP]
then apply it to the interface connected to the LAN:
int fa 1/0
ip policy route-map PBR-1
Good luck.
Please rate if helpful.
08-23-2008 08:57 AM
Hello Gautam,
If the public proxy is somewhere in the Internet, configuring PBR on the border router doesn't guarantee the result.
You would need a cooperating device that terminates a GRE tunnel whose other end is your border router, and that is directly connected to the proxy.
Otherwise some application layer mechanism is needed like TCP intercept plus a way to open sessions to the proxy.
Hope to help
Giuseppe
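The PBR configuration from the earlier reply, extended with the GRE tunnel Giuseppe describes, as an added example (not from this thread). All addresses are assumed placeholders: LAN 192.168.1.0/24 on Fa1/0, WAN on Fa0/0, a cooperating tunnel peer at 198.51.100.1 next to the proxy, and 10.0.0.0/30 on the tunnel.

```ios
! Added example, not from the thread; all addresses are placeholders.
! GRE tunnel to the device that sits next to the proxy.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
! Only web traffic from the LAN is redirected. Traffic to the local
! network and to the tunnel peer itself is excluded so it keeps using
! the normal routing table (otherwise the tunnel would loop on itself).
ip access-list extended WEB-TO-PROXY
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any host 198.51.100.1
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
! The next hop is the far end of the tunnel, which is directly connected
! from the router's point of view, so "set ip next-hop" works. A proxy
! that is several Internet hops away would not be a valid next hop.
route-map PBR-PROXY permit 10
 match ip address WEB-TO-PROXY
 set ip next-hop 10.0.0.2
!
! Packets that match no clause are routed normally.
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map PBR-PROXY
!
! Verification from exec mode:
!   ping 10.0.0.2              tunnel peer reachable?
!   show ip policy             route-map bound to Fa1/0?
!   show route-map PBR-PROXY   match counters increasing?
```

Return traffic is the usual trap: the peer device must route 192.168.1.0/24 back into the tunnel (or NAT the redirected sessions), otherwise the proxy's replies take the normal Internet path and the sessions never complete.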
08-23-2008 09:46 AM
Thanks a lot for the kind help. Even I had a doubt about this. The public proxy is connected directly to our ISP network, and I also believe that we have to agree with our ISP for such a kind of setup.
But I was just wondering if this is possible without ISP intervention?
Thanks a lot
08-23-2008 10:03 AM
Hello Gautam,
Doing this work at the application layer means:
your router intercepts all HTTP requests;
for each HTTP/TCP session the router needs to open a TCP session to the proxy.
In turn, the proxy will handle the router-initiated TCP sessions and will open the sessions to the real servers in the Internet.
You can call this a hierarchy of proxies, like the hierarchies of web caches.
But I don't know if you can do this on a Cisco router alone: TCP intercept allows for the first part, that of handling user sessions.
Then, all possible URLs should be resolved by DNS to the public proxy IP address.
Maybe with a good DNS config you can do this without even using TCP intercept on the router.
This is the kind of thing that requires going to the upper layers, above layer 3.
Hope to help
Giuseppe