Cisco 3750 to squid routing not working

Answered Question
Nov 24th, 2011

hello,

I am using a Cisco 3750 in my network as a gateway, and above it I use a squid machine for caching my internet. My network is like this:

Basically I have two VLANs on my network, VLAN10 and VLAN100. VLAN10 is the corporate network of my office; VLAN100 is the management VLAN which I use for the switches. I keep the squid as well as the client in VLAN10.

squid (192.168.1.50)---->cisco 3750(192.168.1.123)---->Distribution Switch(cisco 2960)---->client PC (192.168.1.5)

I have done NATing on squid, and the internet works pretty fine when I use squid as the client's gateway. But when I use the Cisco 3750 as my gateway, after adding route maps to forward the internet traffic arriving at the 3750 to squid, it disconnects me from the internet and I cannot even reach the switches from the corporate network. These are the only lines I used for the routing:

!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 192.168.1.50
!
access-list 110 deny   tcp any any neq www
access-list 110 deny   tcp host 192.168.1.50 any
access-list 110 permit tcp any any
!
interface Vlan999
 ip address 192.168.1.123 255.255.255.0
 no ip proxy-arp
 ip policy route-map internet
!

Can anyone help me please? Where have I gone wrong?

Correct Answer
cadet alain Fri, 11/25/2011 - 01:10

Hi,

Can you try this as the ACL:

access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq https

Regards.

Alain

JohnTylerPearce Fri, 11/25/2011 - 04:26

We have something like this for our wireless internet users. We have a route-map configured on one of our two wireless VLANs to go to a Zscaler IP address. I agree with cadet 100%. I'm not sure what the denies are there for, but adding cadet's ACL should do the trick. That way any source going to HTTP/HTTPS will be forwarded to your squid proxy.

ahmedeyaadh Fri, 11/25/2011 - 15:51

Hi cadet alain,

Thanks a lot for the fast reply...

I have tried the ACL, but here is the issue I have:

core(config)#access-list 110 permit tcp any any eq https

                                                    ^

% Invalid input detected at '^' marker.

Also, I would like to correct a mistake I made while typing the post here. I have been trying the whole thing for a whole damn week now and had all my work saved in Notepad; while copying, I pasted the wrong route map into the post. Actually it is:

!
route-map internet permit 10
 match ip address 110
 set ip next-hop 192.168.1.50
!

Even though both route maps do the same thing, I had a bad feeling that you might misunderstand my concern here. Please, can someone help me...

Correct Answer
JohnTylerPearce Fri, 11/25/2011 - 16:11

try this..

access-list 101 extended permit ip any any eq 80
access-list 101 extended permit ip any any eq 443

80 = HTTP | 443 = HTTPS

ahmedeyaadh Fri, 11/25/2011 - 16:30

It works like a charm now.

Here are the ACLs and the route map I have used:

access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 deny   tcp any any neq www

route-map internet permit 10
 match ip address 110
 set ip next-hop 192.168.1.21

I am just curious to know why it previously disallowed all my pings to the switch, and why I wasn't even able to connect to it using either SSH or telnet :| What could have done that????

JohnTylerPearce Fri, 11/25/2011 - 17:01

Well, when you first had everything set up, you were blocking any source to any destination on port 80, as well as denying host 192.168.1.50 to any destination, but permitting everything else. So anything sent to the 3750 via HTTP would be blocked. As far as pinging the 3750, you should have been able to ping the switch since I don't see anything that was blocking ICMP. Everything appears to be in the 192.168.1.0/24 network from what I can see. It should have ARP'd for 192.168.1.123, so I'm not sure.
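As an added illustration (not code from the thread or from Cisco), here is a small Python model of how the ACL referenced by a route-map's match ip address clause is evaluated: the first matching entry decides, permit sends the packet to the set ip next-hop, and deny or no match at all leaves the packet to the normal routing table. It runs the asker's original ACL 110 and the final working ACL 110 over constructed packets, using the next-hop addresses from the thread.

```python
# Added example (not from the thread): how IOS evaluates the ACL named by
# "match ip address" in a policy route-map. The first ACE that fully matches
# decides: permit -> policy-route to the set next-hop; deny, or no match at
# all (implicit deny) -> ordinary routing-table forwarding. eq/neq are tested
# against the destination port. Packets below are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any)
    src: str                        # "any" or a host address
    dst: str
    port_op: Optional[str] = None   # "eq" / "neq" on the destination port
    port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.port_op == "eq":
            return p.dport == self.port
        if self.port_op == "neq":
            return p.dport != self.port
        return True

def next_hop(acl: List[Ace], p: Packet, policy_hop: str) -> str:
    """Return the PBR next-hop on a permit match, else 'routing-table'."""
    for ace in acl:
        if ace.matches(p):
            return policy_hop if ace.action == "permit" else "routing-table"
    return "routing-table"          # implicit deny closes every ACL

# ACL 110 as posted in the question; its deny entries bypass PBR, not drop.
ORIGINAL_ACL = [Ace("deny", "tcp", "any", "any", "neq", 80),
                Ace("deny", "tcp", "192.168.1.50", "any"),  # exempt the proxy
                Ace("permit", "tcp", "any", "any")]
# ACL 110 from the final working post.
FINAL_ACL = [Ace("permit", "tcp", "any", "any", "eq", 80),
             Ace("permit", "tcp", "any", "any", "eq", 443),
             Ace("deny", "tcp", "any", "any", "neq", 80)]
```

Under both ACLs, ICMP and TCP/22 toward the 3750 never match a permit entry and so stay on the routing table; note that the final ACL no longer carries the original's second line exempting the proxy's own traffic (host 192.168.1.50) from redirection.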

Posted November 24, 2011 at 3:22 PM