11-24-2011 03:22 PM - edited 03-07-2019 03:35 AM
Hello,
I am using a Cisco 3750 in my network as a gateway, and above it I use a Squid machine for caching my internet. My network is like this:
Basically I have two VLANs on my network, VLAN10 and VLAN100. VLAN10 is the corporate network of my office; VLAN100 is the management VLAN which I use for the switches. I keep Squid as well as the clients in VLAN10.
squid (192.168.1.50)---->cisco 3750(192.168.1.123)---->Distribution Switch(cisco 2960)---->client PC (192.168.1.5)
I have done NATing on Squid, and the internet works pretty fine when I use Squid as the client gateway. But when I use the Cisco 3750 as my gateway, after adding route maps to forward the internet traffic coming to the Cisco 3750 on to Squid, it disconnects me from the internet and I cannot even reach the switches from the corporate network. These are the only lines I used for the routing:
!
route-map proxy-redirect permit 10
match ip address 110
set ip next-hop 192.168.1.50
!
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 192.168.1.50 any
access-list 110 permit tcp any any
!
interface Vlan999
ip address 192.168.1.123 255.255.255.0
no ip proxy-arp
ip policy route-map internet
!
Can anyone help me please? Where have I gone wrong?
11-25-2011 01:10 AM
Hi,
Can you try this as the ACL:
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq https
Regards.
Alain
11-25-2011 04:11 PM
Try this:
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
80 = HTTP | 443 = HTTPS
11-25-2011 04:26 AM
We have something like this for our wireless internet users. We have a route-map configured on one of our two wireless VLANs to go to a Zscaler IP address. I agree with cadet 100%; I'm not sure what the denies are there for, but adding cadet's ACL should do the trick. That way any source going to HTTP/HTTPS will be forwarded to your Squid proxy.
11-25-2011 03:51 PM
Hi cadet alain,
Thanks a lot for the fast reply.
I have tried the ACL, but here is the issue I have:
core(config)#access-list 110 permit tcp any any eq https
^
% Invalid input detected at '^' marker.
Also, I would like to correct a mistake I made while typing the post. I have been trying this whole thing for a whole damn week now and had all my work saved in Notepad, and while copying I pasted the wrong route map into the post. Actually it is:
!
route-map internet permit 10
match ip address 110
set ip next-hop 192.168.1.50
!
Even though both route maps do the same thing, I had a bad feeling that you might misunderstand my concern here. Please, can someone help me?
11-25-2011 04:30 PM
It works like a charm now.
Here are the ACLs and the route map I have used:
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 deny tcp any any neq www
route-map internet permit 10
match ip address 110
set ip next-hop 192.168.1.21
I am just curious to know why it previously disallowed all my pings to the switch, and why I wasn't even able to connect to it using either SSH or telnet :| What could have done that?
11-25-2011 05:01 PM
Well, when you first had everything set up, you were blocking any source to any destination on port 80, as well as denying host 192.168.1.50 to any destination, but permitting everything else. So anything sent to the 3750 via HTTP would be blocked. As far as pinging the 3750, you should have been able to ping the switch, since I don't see anything that was blocking ICMP. Everything appears to be in the 192.168.1.0/24 network from what I can see. It should have ARPed for 192.168.1.123, so I'm not sure.
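Added example, not code from any post in this thread: a small Python model of how IOS evaluates the ACL named in a route-map `match ip address` clause when policy routing a packet. The first matching entry decides; a permit entry applies the `set ip next-hop`, while a deny entry, or no match at all (the implicit deny at the end of every ACL), leaves the packet to normal destination-based routing rather than dropping it. The block runs both versions of ACL 110 from the thread over constructed sample flows using the client, switch and Squid addresses from the thread; 203.0.113.10 is an assumed internet host, and the dataclasses, parser and flow names are mine.

```python
"""Model of how IOS evaluates an extended ACL referenced by a route-map
'match ip address' clause for policy-based routing (PBR). Added example for
this thread, not any poster's code: the ACL text is the thread's own, the
packets below are constructed samples. First matching entry decides; a
permit entry applies 'set ip next-hop', a deny entry or no match (implicit
deny) leaves the packet to normal routing. PBR never drops on an ACL deny."""
import re
from dataclasses import dataclass
from typing import Optional

# Port keywords classic IOS accepts in ACLs (subset). 'https' is not one of
# them, which is the '% Invalid input' the original poster hit.
PORT_KEYWORDS = {"www": 80, "telnet": 23, "ftp": 21}
ACL_RE = re.compile(
    r"access-list \d+ (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: (?P<op>eq|neq) (?P<port>\S+))?")

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port, None for icmp

@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: Optional[str]              # None means 'any'
    dst: Optional[str]
    port_op: Optional[str] = None   # "eq"/"neq" on the destination port
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if (self.src is not None and self.src != pkt.src) or (
                self.dst is not None and self.dst != pkt.dst):
            return False
        if self.port_op is None:
            return True
        if pkt.dport is None:       # a port operator cannot match a portless packet
            return False
        return (pkt.dport == self.port) == (self.port_op == "eq")

def parse_port(tok: str) -> int:
    if tok in PORT_KEYWORDS:
        return PORT_KEYWORDS[tok]
    if tok.isdigit():
        return int(tok)
    raise ValueError(f"unknown port keyword {tok!r}; use a number")

def parse_acl(text: str) -> list[AclEntry]:
    """Parse 'access-list N permit|deny PROTO any|host A.B.C.D any|host A.B.C.D
    [eq|neq PORT]' lines; anything else is rejected, as IOS would."""
    entries = []
    for line in text.strip().splitlines():
        m = ACL_RE.fullmatch(line.strip())
        if not m or (m["op"] and m["proto"] not in ("tcp", "udp")):
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, dst = (None if a == "any" else a.split()[1] for a in (m["src"], m["dst"]))
        port = parse_port(m["port"]) if m["op"] else None
        entries.append(AclEntry(m["action"], m["proto"], src, dst, m["op"], port))
    return entries

def policy_route(acl: list[AclEntry], next_hop: str, pkt: Packet) -> Optional[str]:
    """'route-map X permit 10 / match ip address ACL / set ip next-hop NH' for a
    packet entering the policy-routed interface: NH if policy routed, else None."""
    for entry in acl:
        if entry.matches(pkt):
            return next_hop if entry.action == "permit" else None
    return None                     # implicit deny: not matched, normal routing

ORIGINAL_ACL_110 = """
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 192.168.1.50 any
access-list 110 permit tcp any any
"""
FINAL_ACL_110 = """
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 deny tcp any any neq www
"""
SQUID, SWITCH, CLIENT = "192.168.1.50", "192.168.1.123", "192.168.1.5"
FLOWS = {                           # constructed; 203.0.113.10 stands in for an internet host
    "client http to internet": Packet("tcp", CLIENT, "203.0.113.10", 80),
    "client https to internet": Packet("tcp", CLIENT, "203.0.113.10", 443),
    "client ssh to switch": Packet("tcp", CLIENT, SWITCH, 22),
    "client ping to switch": Packet("icmp", CLIENT, SWITCH),
    "squid http to internet": Packet("tcp", SQUID, "203.0.113.10", 80),
}

def evaluate(acl_text: str, next_hop: str = SQUID) -> dict[str, Optional[str]]:
    """Map each sample flow to the next hop PBR sets, or None for normal routing."""
    acl = parse_acl(acl_text)
    return {name: policy_route(acl, next_hop, pkt) for name, pkt in FLOWS.items()}
```

Under the original ACL the model sends only client TCP to port 80 to the proxy; HTTPS, SSH to the switch and ICMP fall through to normal routing, and the `deny tcp host 192.168.1.50 any` line keeps the proxy's own outbound HTTP from being redirected back to itself. The final ACL adds port 443 but drops that carve-out, so proxy-sourced HTTP entering the policy-routed interface would also match the `permit tcp any any eq www` line; keeping a deny for the proxy's address as the first entry avoids that if the proxy's outbound traffic ever enters that interface. `parse_acl("access-list 110 permit tcp any any eq https")` raises ValueError, matching the error the switch gave.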