Cisco 3750 to squid routing not working

ahmedeyaadh
Level 1

hello,

I am using a Cisco 3750 in my network as a gateway, and above it I use a squid machine for caching my internet. My network is like this:

Basically I have two VLANs on my network, which are VLAN10 and VLAN100. VLAN10 is the corporate network of my office. VLAN100 is the management VLAN which I use for the switches. I keep the squid as well as the client in VLAN10.

squid (192.168.1.50)---->cisco 3750(192.168.1.123)---->Distribution Switch(cisco 2960)---->client PC (192.168.1.5)

I have done NATing on squid and internet is working pretty fine when I use the squid as the client gateway, but when I use the Cisco 3750 as my gateway, after adding route maps for forwarding the internet traffic coming to the Cisco 3750 to squid, it disconnects me from the internet, and I cannot even reach the switches from the corporate network. These are the only lines I used for the routing:

!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 192.168.1.50
!
access-list 110 deny   tcp any any neq www
access-list 110 deny   tcp host 192.168.1.50 any
access-list 110 permit tcp any any
!
interface Vlan999
 ip address 192.168.1.123 255.255.255.0
 no ip proxy-arp
 ip policy route-map internet
!

Can anyone help me please, where have I gone wrong?


cadet alain
VIP Alumni

Hi,

can you try this as ACL:

access-list 110 permit tcp any any eq www

access-list 110 permit tcp any any eq https

Regards.

Alain

Don't forget to rate helpful posts.

We have something like this for our wireless internet users. We have a route-map configured on one of our two wireless VLANs to go to a Zscaler IP address. I agree with cadet 100%; I'm not sure what the denies are there for, but adding cadet's ACL should do the trick. That way any source going to HTTP/HTTPS will be forwarded to your squid proxy.

hi cadet alain,

Thanks a lot for the fast reply....

I have tried the ACL but here is the issue I have:

core(config)#access-list 110 permit tcp any any eq https

                                                    ^

% Invalid input detected at '^' marker.

Also I would like to correct a mistake I made while typing in the post here. I have been trying the whole thing for a whole damn week now and had all my work saved in a notepad; while copying, I copied the wrong route map into the post. Actually it's:

!
route-map internet permit 10
 match ip address 110
 set ip next-hop 192.168.1.50
!

Even though both of the route maps do the same thing, I had a bad feeling that you may misunderstand my concern here. Please, can someone help me.....

try this..

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443

80 = HTTP | 443 = HTTPS

It works like a charm now.

Here are the ACLs and the route map I have used:

access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 deny   tcp any any neq www

route-map internet permit 10
 match ip address 110
 set ip next-hop 192.168.1.21

I am just curious to know why it previously disallowed all my pings to the switch as well; I wasn't even able to connect to it using either SSH or telnet :| What could have done that????

Well, when you first had everything set up, you were blocking any source to any destination on port 80, as well as denying host 192.168.1.50 to any destination, but permitting everything else. So anything sent to the 3750 via HTTP would be blocked. As far as pinging the 3750, you should have been able to ping the switch, since I don't see anything that was blocking ICMP. Everything appears to be in the 192.168.1.0/24 network from what I can see. It should have ARP'd for 192.168.1.123, so I'm not sure.
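Added example (written for this page, not code from the thread): a small Python model of how IOS policy-based routing evaluates a route-map's match ACL, run over ACL 110 from the original post and from the final working post. It encodes the IOS rule that a permit match sends the packet to the set next hop, while a deny match or no match at all leaves the packet to the normal routing table instead of dropping it, which is why ping, SSH and telnet to the switch are never selected by either ACL. The Packet model, the constructed 203.0.113.10 web-server address and the parser's support for only any/host addresses are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model for the walk-through; not IOS code.
Packet = namedtuple("Packet", "proto src dst dport")
NAMED_PORTS = {"www": 80, "https": 443}  # IOS port keywords used in the thread

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D' (wildcard masks are not needed here)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError("unsupported address form: " + " ".join(tok))

def parse_ace(line):
    """Parse one numbered extended ACE, e.g. 'access-list 110 deny tcp any any neq www'."""
    tok = line.split()
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    op, port = (rest[0], NAMED_PORTS.get(rest[1]) or int(rest[1])) if rest else (None, None)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "op": op, "port": port}

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"] or ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["op"] == "eq":
        return pkt.dport == ace["port"]
    if ace["op"] == "neq":
        return pkt.dport != ace["port"]
    return True  # no port operator: protocol and addresses alone decide

def pbr_next_hop(acl, next_hop, pkt):
    """First matching ACE wins. permit -> policy-route to next_hop; deny or no
    match -> None, i.e. normal routing-table forwarding (the packet is not dropped)."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return next_hop if ace["action"] == "permit" else None
    return None

# ACL 110 from the original post, and from the final "works like a charm" post.
ORIGINAL_ACL = ["access-list 110 deny tcp any any neq www",
                "access-list 110 deny tcp host 192.168.1.50 any",
                "access-list 110 permit tcp any any"]
WORKING_ACL = ["access-list 110 permit tcp any any eq www",
               "access-list 110 permit tcp any any eq 443",
               "access-list 110 deny tcp any any neq www"]
SQUID = "192.168.1.50"  # next hop in the original post; the final post uses 192.168.1.21
```

Calling pbr_next_hop(ORIGINAL_ACL, SQUID, Packet("tcp", "192.168.1.5", "203.0.113.10", 80)) returns the squid address, while the same client's SSH session to 192.168.1.123 and the squid's own outbound port-80 traffic both return None.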
