Redirect web traffic to external proxy on a specific port

Unanswered Question
Jan 19th, 2010


Hi, I want to redirect internal web traffic (browsing) to an external web server for web, virus and spyware filtering. Those external proxies are running on port 8080. I have one ASA firewall and a Cisco 2600 router. I was thinking of doing PBR in the router, but in the next hop I can only set one IP, not an IP and a port.

So how can I redirect web traffic to an external proxy listening on port 8080?

Thanks

Mohamed Sobair Tue, 01/19/2010 - 00:55

Hi,

In your PBR, match TCP port 8080 and set the next hop accordingly; below is an example:

route-map PBR permit 10
 match ip address 100
 set ip next-hop x.x.x.x

access-list 100 permit tcp any any eq 8080

HTH

Mohamed

jmprats Tue, 01/19/2010 - 01:00

No, I need to redirect web (port 80) traffic to an external proxy server listening on 8080, not 8080 traffic to an external server. Do you understand?

Thanks

Ahmed M Alzaeem Fri, 05/30/2014 - 00:55

You need a "GRE tunnel" between your proxy and your router,

and then you can use PBR next hop.

regards

 

Ahmed M Alzaeem Fri, 05/30/2014 - 00:57

I believe that on Cisco routers we can't NAT the destination,

we can just NAT the source.

I don't know why Cisco doesn't do that!! It does that on ASA firewalls,

but I found that Linux can do both (src, dst) NAT!!

regards

Mohamed Sobair Tue, 01/19/2010 - 01:15

Hi,

You will need to modify the access-list to:

access-list 100 permit tcp any any eq www

Regarding the proxy, it should be listening on port 80 as well so that the traffic gets to it.

You don't need additional config if the proxy is listening on port 80.

HTH

Mohamed

jmprats Tue, 01/19/2010 - 01:24

Yes, but the proxy is an external server and is listening on port 8080. I can't change the port where it is listening.

Edison Ortiz Tue, 01/19/2010 - 07:55

You can use static NAT.

On the router, configure the following:

ip nat inside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable

where the proxy IP address doesn't change, just the TCP port.

On the interface towards the Proxy server, you need ip nat inside

On the interface towards the clients, you need ip nat outside

Be aware, you can't perform internet NAT on this device and the ASA can be used for internet NAT for your network.

I did a quick lab to test this concept:

R2 (acting as client) <------>R0 (acting as NAT router)<----->R1(acting as proxy listening on port 8080).

R1:

R1#sh run | i http
ip http server
ip http port 8080
no ip http secure-server
R1#sh ip http server status | i 8080
HTTP server port: 8080

Before implementing the NAT, I can only access R1 when telnetting to port 8080 from R2.

It won't work when trying port 80.

R2#telnet 10.1.100.1 80
Trying 10.1.100.1, 80 ...
% Connection refused by remote host

R2#telnet 10.1.100.1 8080
Trying 10.1.100.1, 8080 ... Open


^^
HTTP/1.1 400 Bad Request
Date: Tue, 19 Jan 2010 10:45:16 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

I implemented the NAT on R0

R2#telnet 10.1.100.1 8080
Trying 10.1.100.1, 8080 ...
% Connection timed out; remote host not responding

R2#
R2#
R2#telnet 10.1.100.1 80 
Trying 10.1.100.1, 80 ... Open

^^xx
HTTP/1.1 400 Bad Request
Date: Tue, 19 Jan 2010 10:46:28 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

R0#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.1.100.1:80      10.1.100.1:8080    ---                ---
R0#

Regards

Edison

Edit: If you want to use this router for internet NAT, you can change the outside|inside designation on the interfaces and also change the command from

ip nat inside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable

to

ip nat outside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable

Message was edited by: Edison Ortiz
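As an added example (not a configuration from this thread or from any of its posters), the two pieces discussed above put together on one IOS router: Mohamed's route-map with the access-list changed to match port 80, and Edison's port-only static NAT with his inside/outside interface designation. All addresses, interface names and the next hop are placeholders from the RFC 5737 documentation ranges, not values from the thread.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! next hop are placeholders (RFC 5737 documentation ranges).
!
! Interface towards the LAN clients: NAT "outside" and policy routing are
! applied here, following Edison's inside/outside designation.
interface FastEthernet0/0
 description LAN clients (placeholder interface)
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip policy route-map PBR
!
! Interface towards the proxy side of the network: NAT "inside".
interface FastEthernet0/1
 description uplink towards the proxy (placeholder interface)
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
! Match only client HTTP (TCP/80) flows; everything else follows the normal
! routing table. "eq www" is the IOS keyword for port 80.
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
! Policy-route the matched flows to the placeholder next hop.
route-map PBR permit 10
 match ip address 100
 set ip next-hop 203.0.113.1
!
! Port-only static translation: a flow addressed to the proxy's IP on port
! 80 (inside global) is delivered to the same IP on port 8080 (inside
! local), matching the entry Edison's "sh ip nat tr" output shows.
ip nat inside source static tcp 203.0.113.10 8080 203.0.113.10 80 extendable
```

Two checks after applying it: `show ip nat translations` should list the static tcp entry with `:80` under Inside global and `:8080` under Inside local, and `show route-map PBR` shows the packet and byte counters for the policy match. Note what this does and does not do: PBR only changes the next hop of the port-80 flows, and the static translation only applies to flows whose destination is the proxy's own IP; neither rewrites the destination address of a request to an arbitrary web site, which is the gap the later replies about GRE and destination NAT are pointing at. As Edison cautions, the router configured this way should not also be doing the internet NAT for the network.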

jmprats Fri, 01/22/2010 - 01:10

Ok, that's fine.

But now I am not able to redirect traffic to that external server. I'm testing with PBR next-hop, but it seems that it is taking the default route.

The proxy is on the Internet; it is not directly connected to my network. I do not know if the next-hop has to indicate a directly connected IP or not.

Thanks

jmprats Mon, 01/25/2010 - 02:49

Ok, but I'd like to control it at network level. Do you know if there is a command to send traffic through a specific internet router? Do you know if with the next-hop command you can only set a directly connected router?
Thanks

jmprats Wed, 01/27/2010 - 01:38

My router (2600) doesn't support it. Thanks anyway. Maybe it's time to renew
