09-13-2006 05:17 AM - edited 03-03-2019 05:00 AM
Hi, I want to set up the following:
I want to permit www traffic from an inside network to the internet, but I want to redirect the traffic through a proxy for traffic filtering.
I tried a lot of configs like NAT, route-maps, etc.
Is there anyone with the solution?
I can find a lot of configs for incoming traffic, but none for outgoing traffic.
I not only want to set it up for HTTP but also for mail.
So mail traffic goes through a mail gateway so mail can be scanned before it is sent to the outside world.
Little setup:
www traffic coming from network 10.34.0.0 255.255.0.0 must be forwarded to proxy 192.168.18.250 and then sent outside.
So traffic for port 80 must be rerouted to 192.168.18.250 and all other traffic must be routed normally.
Any help is very welcome.
Greetings, Marc
09-13-2006 05:46 AM
Hello Marc,
a route-map matching the traffic you want to redirect should actually work. Not sure what you have already tried, but take a look at the following config:
interface FastEthernet0/0
ip address 10.34.1.0 255.255.0.0
ip policy route-map HTTP_MAIL_OUT
!
route-map HTTP_MAIL_OUT permit 10
match ip address 101
set ip next-hop 192.168.18.250
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
The proxy server then must route the traffic out to the Internet.
Can you give this a try?
Regards,
GNT
09-13-2006 05:52 AM
Marc,
PBR (Policy Based Routing) is your solution. Sample config:
interface fa0/0
 ip address 10.34.0.1 255.255.0.0
 ip policy route-map wwwmail
!
route-map wwwmail permit 10
 match ip address 101
 set ip next-hop [proxy server]
!
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
_____
Please rate helpful posts.
Thanks
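Added example, not code from any post in this thread and not Cisco's: a small Python model of the IOS first-match ACL and route-map lookup that the two configs above rely on. It is here to show two things a reader of this thread needs to check: that an entry written as `any eq www any` matches packets whose SOURCE port is 80 (server replies), so an outbound client request with destination port 80 falls through to normal routing, and that `set ip next-hop` only changes the next hop, so the proxy or mail gateway receives packets still addressed to the Internet server. The ACL syntax subset, the route-map tuple representation, the default gateway 192.168.18.1, the DNS address 198.51.100.53 and the ephemeral source ports are all assumptions made for the example; the inside host and the destination addresses come from the log lines later in the thread.

```python
"""Model of the IOS policy-based routing (PBR) lookup from the configs above.
Added example, not Cisco code. Supported ACL syntax (the subset this thread uses):
  access-list N permit|deny tcp|udp|ip SRC [eq PORT] DST [eq PORT]
with SRC/DST = any | host A.B.C.D | A.B.C.D WILDCARD. A route-map is a list of
(sequence, acl-number, next-hop) tuples; first matching sequence wins, like IOS."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110}
Packet = namedtuple("Packet", "src dst proto sport dport")
AclEntry = namedtuple("AclEntry", "action proto src sport dst dport")  # src/dst as CIDR
# dst is the destination IP as it leaves the router: PBR sets the next hop only,
# it never rewrites the destination address.
Decision = namedtuple("Decision", "next_hop dst policy_seq")


def _addr(tok, i):
    """Consume one address spec at tok[i]; return (CIDR, next index)."""
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    # address + wildcard mask; ipaddress accepts a host mask in place of a prefix
    return str(ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2


def _port_after(tok, i):
    """Optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_acls(lines):
    """Return {acl_number: [AclEntry, ...]} preserving entry order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port_after(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port_after(tok, i)
        acls.setdefault(tok[1], []).append(AclEntry(tok[2], tok[3], src, sport, dst, dport))
    return acls


def _entry_matches(e, p):
    return (e.proto in ("ip", p.proto)
            and ip_address(p.src) in ip_network(e.src)
            and ip_address(p.dst) in ip_network(e.dst)
            and e.sport in (None, p.sport)
            and e.dport in (None, p.dport))


def acl_permits(entries, p):
    """IOS semantics: first matching entry decides; implicit deny at the end."""
    for e in entries:
        if _entry_matches(e, p):
            return e.action == "permit"
    return False


def policy_route(p, route_map, acls, normal_next_hop):
    """First route-map sequence whose ACL permits the packet sets the next hop;
    otherwise the packet is routed normally (policy_seq None)."""
    for seq, acl_number, next_hop in route_map:
        if acl_permits(acls.get(acl_number, []), p):
            return Decision(next_hop, p.dst, seq)
    return Decision(normal_next_hop, p.dst, None)


# Constructed samples: GNT's ACL as posted (matches SOURCE port 80) beside the
# corrected form (matches DESTINATION port 80).
ACL_AS_POSTED = ["access-list 101 permit tcp any eq www any",
                 "access-list 101 permit tcp any any eq smtp"]
ACL_CORRECTED = ["access-list 101 permit tcp any any eq www",
                 "access-list 101 permit tcp any any eq smtp"]
ROUTE_MAP = [(10, "101", "192.168.18.250")]  # next hop: the proxy from the thread
NORMAL_NEXT_HOP = "192.168.18.1"             # hypothetical default gateway
# Client flows from the inside host in Marc's log; ephemeral source ports are made up.
HTTP_REQUEST = Packet("10.34.15.200", "64.233.183.99", "tcp", 49152, 80)
SMTP_REQUEST = Packet("10.34.15.200", "195.85.130.75", "tcp", 49153, 25)
DNS_QUERY = Packet("10.34.15.200", "198.51.100.53", "udp", 49154, 53)

if __name__ == "__main__":
    for label, acl, pkt in (("as posted", ACL_AS_POSTED, HTTP_REQUEST),
                            ("corrected", ACL_CORRECTED, HTTP_REQUEST),
                            ("smtp", ACL_CORRECTED, SMTP_REQUEST),
                            ("dns", ACL_CORRECTED, DNS_QUERY)):
        d = policy_route(pkt, ROUTE_MAP, parse_acls(acl), NORMAL_NEXT_HOP)
        print(f"{label:10s} next-hop={d.next_hop:15s} dst={d.dst:15s} seq={d.policy_seq}")
```

Running it shows the HTTP request taking the normal next hop under the ACL as posted and the proxy next hop under the corrected ACL, while `dst` stays the Internet address in every case: the proxy or mail gateway at the next hop has to be willing to accept a TCP connection that is not addressed to it (a transparent-proxy setup), otherwise it will accept the packet and do nothing useful with it.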
09-13-2006 08:19 AM
Hi there.
Yes, I thought so.
But it did not work.......
This is what the log file says:
*Sep 11 14:55:19.079: CEF-IP-POLICY: fib for address 192.168.17.249 is with flag 0
*Sep 11 14:55:19.079: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, g=192.168.17.249, len 48, FIB policy routed
*Sep 11 14:55:21.999: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, len 48, FIB policy match
So it is forwarding the traffic, in this case port 25, to next-hop address 192.168.17.249.
But nothing is arriving at the mail forwarder. I can ping the mail forwarder, so routing is not the problem.
Grtz. Marc
09-13-2006 08:37 AM
Marc,
Can you tell us a little more about the device (192.168.17.249)?
A little diagram of your network would also help.
From the log, the packet is being policy routed.
09-14-2006 04:15 AM
Hello,
can you post the configuration of your router, including the route map you have configured?
Regards,
GNT
09-14-2006 04:57 AM
Ok, here it is.
I have made some progress. Now at least I can see that the traffic is routed to the next-hop address:
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=64.233.183.99, len 48, FIB policy match
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=64.233.183.99, g=192.168.18.250, len 48, FIB policy routed
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, len 48, FIB policy match
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, g=192.168.17.249, len 48, FIB policy routed
We can see at the mail gateway that traffic is arriving, but it says: only a connection, but no messages transferred.
I can't see what the problem is.
Grtz Marc
09-14-2006 06:41 AM
Marc,
Does the mail gateway have a route back to your network?
09-14-2006 08:41 AM
Yes, I can ping the mail gateway from the host and from all other hosts in the network.
When I fill in the mail gateway in the mail client, I can send out mail with no problem.
As I told before, I use the same rules for proxy forwarding, and for that traffic I can see in the firewall logging that the host tries to connect to the internet without going through the proxy.
Again, when I fill in the proxy address in my browser, I can connect to the internet.
Grtz. Marc
09-14-2006 10:03 AM
I don't know much about your mail application, but perhaps the client/server connection requires the client to have the server IP address somewhere in the IP header?
09-14-2006 10:48 AM
Ok, I think that way also.
But how do I get it there?
The mail gateway is a Symantec anti-virus server with mail forwarding.
So nothing exotic, so I think more people have the same problem?
Grtz Marc
09-14-2006 10:54 AM
Marc,
How about entering the server information on the clients?
I mean, that's how most client/server applications work. You need to enter the server information on the client.