Cisco 1841 Routing

Unanswered Question
Oct 12th, 2009
User Badges:

Hi Guys,


I need help on routing settings of our Cisco 1841 router.


Out network IP Address is 192.168.0.0 then we have a proxy server with an IP Address of 192.168.15.2, our router IP Address is 192.168.15.1 and the WAN IP of our router is 10.10.12.2 in our router config these are the settings:


ip route 0.0.0.0 0.0.0.0 192.168.15.2

ip route 192.168.0.0 255.255.0.0

10.10.12.1


The statement 0.0.0.0 0.0.0.0 192.168.15.2 means any request not intended to 192.168.0.0 will be routed to the proxy server like internet access.


What I want is to change this settings, how can I route any internet request to the proxy server without using the 0.0.0.0 0.0.0.0 statement?


Hope you can help me guys.


Thanks.


John

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.3 (3 ratings)
Loading.
nsn-amagruder Mon, 10/12/2009 - 18:32
User Badges:

The most common ways are to configure the browser with the ip address of the proxy server or use a pac file The other is to configure WCCP V2 on the router and proxy server. Do you know if your proxy server supports WCCP and if not what type of proxy is it?


http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp_ps6350_TSD_Products_Configuration_Guide_Chapter.html


The 3rd way is through Policy Based Routing, but would complicate your configuration.


Aaron

NonStop Networks, LLC

helios999 Mon, 10/12/2009 - 19:42
User Badges:

Hi Aaron,


We are using linux proxy server with squid.

Our user's browser are set to use the proxy server ip address so any http request can pass to the proxy server. My problem is other request like smtp, https and others they need to pass to the proxy server.


Can you give further advice?


Thanks.


John

Richard Burts Tue, 10/13/2009 - 04:19
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

John


Probably the other alternative is to configure Policy Based Routing. With PBR you configure a route map which will identify traffic to be routed different from what is in the routing table. So you could identify smtp, https, etc and forward them to the proxy server. But this is much more complex than just using the 0.0.0.0 route. Why do you want to avoid using the 0.0.0.0 route?


HTH


Rick

helios999 Tue, 10/13/2009 - 18:10
User Badges:

Hi Rick,


Thanks for the reply. I can really make use of PBR in our network. The reason I don't want to use the 0.0.0.0 route is simply because I want to control any request going to my proxy server. I think there is something in my network that eat lots of internet bandwidth so I want to control and manage any internet request.


Can you give me examples on PBR or any links that discusses it?


Thanks,


John

Richard Burts Wed, 10/14/2009 - 08:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

John


PBR is configured using a route map and is configured on the interface where the traffic arrives. So assuming that Fast0/1 is the interface where your user traffic is comging from a config might look something like this:

interface fasst0/1

ip policy route-map inet_traffic

!

route-map inet_traffic permit 10

match ip address 101

set next-hop 192.168.15.2

!

access-list 101 permit ip


You would need to figure what access list details would accurately describe the Internet traffic that you want to send through the proxy server.


HTH


Rick

nsn-amagruder Tue, 10/13/2009 - 04:37
User Badges:

Squid and Linux support WCCP for http redirection.


SMTP by default is a proxy protocol. Just configure your internal mail server to forward to it and external mx record to the Static NAT setup on the 1841. Sendmail or another program will need to be configured on it to forward to your internal mail server.


Most other request, you won't want going to the proxy. Most IM clients have proxy settings. Not sure what other apps in your organization require internet access. Just allow them to the internet directly. The other option is to set up the linux box to proxy those request. i.e. Linux has port forwarding cababilities, ssh/telnet proxies, etc.


Keep in mind the more you add and rely onn the one linux box, the more issues you will have if it fails.

helios999 Tue, 10/13/2009 - 18:57
User Badges:

Hi amagruder,


I have setup my proxy server for port forwarding already. But aside from that I also want to control and manage my network as to what protocols and ports they will access to the internet via our Cisco router.


Im not comfortable with the 0.0.0.0 routing.


Thanks for the reply.

nsn-amagruder Tue, 10/13/2009 - 19:00
User Badges:

Use ACL's on the router. This will allow only the protocols, ports, ip combinations you want. If you have the SEC image, you can use CBAC for protocol inspection.

Actions

This Discussion