Policy based routing.

Dear all, I have some doubts.

I have two ISPs connected to the core switch, and on the core switch I connected a Bluecoat for proxying. I have 8 VLANs.

The issue is that I need to block internet access without the proxy; if anyone wants to access the internet, it should go through the Bluecoat.

Things I have: VLAN 2 is the Bluecoat.

                              VLAN 1 is the management VLAN.

                              The other VLANs are users, servers and guest.

I have BVI interfaces in the router and I am using two BVI interfaces.

I configured the route map like this:

ip access-list extended NO_PROXY
 permit tcp any any eq www
 permit tcp any any eq 443
!
route-map LOCAL_ACCESS permit 10
 match ip address NO_PROXY
 set ip next-hop 192.168.1.10     ! Bluecoat IP
!
! applied on the local (client-facing) interface
interface BVI1
 ip policy route-map LOCAL_ACCESS

Can you help me block internet traffic with the proxy, so that it has to go through the proxy only?

regards,


Giuseppe Larosa

Hello,

You need to apply the PBR rule on each client VLAN (and server VLAN if desired/needed), as PBR works only on traffic received by the device.

By doing so, instead of blocking attempts to go directly to the internet, you are redirecting the traffic to the proxy.

Also, users might be configured to use a DNS server that replies to each DNS request for internet servers with the proxy IP address.

A different tool you can use is WCCP, but it would need to be configured also on the web cache/proxy.

Hope to help

Giuseppe

No, I am not using WCCP. I am using an explicit proxy. So how can I do it?

Hello Mr ....,

If you really want to block traffic directed to a web or HTTPS server when the destination IP address != the proxy IP address, you can simply use extended ACLs applied inbound on each L3 interface facing clients:

access-list 111 permit tcp any host proxy-ip eq 80
access-list 111 deny tcp any any eq 80
access-list 111 permit tcp any host proxy-ip eq 443
access-list 111 deny tcp any any eq 443
access-list 111 permit ip any any
!
interface Vlan X
 ip access-group 111 in

Do it on all client-facing L3 interfaces.

Hope to help

Giuseppe

Dear Friend,

         I will try this and update you. Thanks a lot.

Hi, thanks a lot, it's working. But before, I was distributing the proxy settings through the Bluecoat "proxy.pac" file, and this file is not working when I use the extended access list.

Is there any way to just open this complete Bluecoat IP?

Hello Mrsystemengineer,

>> distributing the proxy settings through the Bluecoat "proxy.pac" file

Interesting side effect.

>> Is there any way to just open this complete Bluecoat IP?

This is possible with an ACL line like

access-list 111 permit ip any host

You should verify what exactly is exchanged between a client and the Bluecoat to deliver the proxy.pac file; opening all IP traffic to it can be a solution, but it can be too much from a security point of view.

Hope to help

Giuseppe
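The ACL logic from the accepted answer and the extra line proposed in this last reply, checked offline as an added example (editor's code, not part of the original thread or of the Bluecoat product): a small first-match evaluator for Cisco numbered extended ACLs, run against constructed client flows. It assumes the Bluecoat listens at 192.168.1.10 (the next-hop address in the original route-map), accepts explicit-proxy connections on TCP/8080 and serves proxy.pac over TCP/80 from that same address; none of those ports appear on the page, and the sample flows are constructed.

```python
"""
Added example (editor's code, not part of the original thread): a minimal
first-match evaluator for Cisco numbered extended ACLs, used to check the
access-list 111 from the accepted answer against constructed client flows.

Assumptions not stated on the page: the Bluecoat is 192.168.1.10 (the
next-hop from the original route-map), the explicit-proxy port is 8080 and
proxy.pac is served over TCP/80 from the same address.
"""
import ipaddress
from dataclasses import dataclass

PROXY_IP = "192.168.1.10"                               # assumed Bluecoat address
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}    # IOS port keywords handled here

# The ACL from the accepted answer, with the placeholder proxy-ip filled in
ACL_111 = f"""
access-list 111 permit tcp any host {PROXY_IP} eq 80
access-list 111 deny tcp any any eq 80
access-list 111 permit tcp any host {PROXY_IP} eq 443
access-list 111 deny tcp any any eq 443
access-list 111 permit ip any any
"""

# The later reply's "open the whole Bluecoat IP" line, placed first
ACL_111_OPEN_PROXY = f"access-list 111 permit ip any host {PROXY_IP}\n" + ACL_111


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D'; return (address-or-None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_address(tokens[i + 1]), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]!r}")


def parse_acl(text):
    """Turn 'access-list N <permit|deny> <proto> <src> <dst> [eq port]' lines into tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()       # '!' starts an IOS comment
        if not line:
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries, flow):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if src is not None and src != ipaddress.ip_address(flow.src):
            continue
        if dst is not None and dst != ipaddress.ip_address(flow.dst):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


# Constructed sample flows from a client in a user VLAN
FLOWS = {
    "pac download from proxy (tcp/80)":  Flow("10.10.10.20", PROXY_IP, "tcp", 80),
    "explicit proxy connect (tcp/8080)": Flow("10.10.10.20", PROXY_IP, "tcp", 8080),
    "direct http to internet":           Flow("10.10.10.20", "203.0.113.10", "tcp", 80),
    "direct https to internet":          Flow("10.10.10.20", "203.0.113.10", "tcp", 443),
    "dns lookup":                        Flow("10.10.10.20", "10.0.0.53", "udp", 53),
    "pac DIRECT rule to intranet web":   Flow("10.10.10.20", "10.20.0.5", "tcp", 80),
}


def verdicts(acl_text):
    """Map each sample flow name to the ACL's verdict ('permit' or 'deny')."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, f) for name, f in FLOWS.items()}


def changed_by_open_proxy_line():
    """Flow names whose verdict differs once 'permit ip any host <proxy>' is added."""
    before, after = verdicts(ACL_111), verdicts(ACL_111_OPEN_PROXY)
    return {name for name in FLOWS if before[name] != after[name]}


if __name__ == "__main__":
    for name, verdict in verdicts(ACL_111).items():
        print(f"{verdict:6}  {name}")
    print("changed by 'permit ip any host proxy':", changed_by_open_proxy_line() or "nothing")
```

Running it shows why the reply's advice to verify the real client/Bluecoat exchange matters: under these assumptions the added "permit ip any host" line changes no verdict, because the original ACL already permits ports 80 and 443 to the proxy and every other port to every destination. The PAC breakage must therefore come from a flow not covered by those lines, for instance a PAC rule that returns DIRECT for some destination on port 80 (which line 2 denies, as the intranet sample shows) or a PAC file served from an address other than the proxy IP. A tighter variant would replace the final "permit ip any any" with explicit permits for the ports the proxy, DNS and other infrastructure actually use.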
