Forward Web Traffice from PIX to outside Proxy

Unanswered Question

I am working with a web filtering service company that provides web filtering as a service in a cloud. I can forward web traffic to them via the normal proxy setting in my browser, but I want to be able to do it on firewall level as well, in case a user did not get the browser policy update.


Is there a way to forward all web traffic (http, https) coming from behind the firewall (nat users) to an outside address?


I tried the command:


static (inside,outside) tcp interface www <outside ip> www netmask 255.255.255.255


...but that did not work.


Any help would be appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cisco24x7 Tue, 09/23/2008 - 07:17
User Badges:
  • Silver, 250 points or more

I think he is wrong. I assume this is what

you're trying to accomplish:


1- There is web proxy like BlueCoat or Squid

on the Internet that you want Users on your

network to connect it. Users on your network

get the setting through WPAD or something like

that.


2- The BlueCoat or Squid Proxy will intercept

Web traffics on your network, check URL and

content filtering, Antivirus, etc. If

everything is fine, users on your network can

access the site.


Are my assumption correct?


The example he gave you is that the Pix will

do the URL filtering with a 3rd parties apps

like Websense or N2H2. It can not do what

you described.


What you're trying to accomplish can be done

with WPAD.



cisco24x7 Tue, 09/23/2008 - 07:36
User Badges:
  • Silver, 250 points or more

In that case, it is very simple:


no static (inside,outside) tcp interface www www netmask 255.255.255.255


nat (inside) 1 0 0

global (outside) 1 interface

access-list Internal permit icmp any any log

access-list Internal permit tcp any host Proxy_Server eq 3128 log

access-list Internal deny ip any any log

access-list External permit icmp any any log

access-list External deny any any log


access-group Internal in interface inside

access-group External in interface outside


The question is how does the users' browser

get update? WPAD or what?



cisco24x7 Tue, 09/23/2008 - 11:05
User Badges:
  • Silver, 250 points or more

"in case a user did not get the browser policy update."


How does users' browser get policy update such

as proxy settings?



Actions

This Discussion