Outgoing http traffic through inside proxy

mnieuwendijk
Level 1

Hi, I want to set up the following:

I want to permit www traffic from an inside network to the internet, but I want to redirect the traffic through a proxy for traffic filtering.

I tried a lot of configs like NAT, route-maps, etc.

Is there anyone with the solution?

I can find a lot of configs for incoming traffic, but none for outgoing traffic.

I not only want to set it up for http but also for mail.

So mail traffic goes through a mail gateway so mail can be scanned before being sent to the outside world.

Little setup:

www traffic coming from network 10.34.0.0 255.255.0.0 must be forwarded to proxy 192.168.18.250 and then sent to the outside.

So traffic for port 80 must be rerouted to 192.168.18.250 and all other traffic must be routed normally.

Any help is very welcome.

Greetings, Marc


globalnettech
Level 5

Hello Marc,

A route-map matching the traffic you want to redirect should actually work. Not sure what you have already tried, but take a look at the following config:

interface FastEthernet0/0
 ip address 10.34.1.0 255.255.0.0
 ip policy route-map HTTP_MAIL_OUT
!
route-map HTTP_MAIL_OUT permit 10
 match ip address 101
 set ip next-hop 192.168.18.250
!
! Match on the destination port: outbound clients use a random source port,
! so "permit tcp any eq www any" (source port 80) would never match them.
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3

The proxy server then must route the traffic out to the Internet.

Can you give this a try?

Regards,

GNT
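Added example, not code from the thread or from Cisco: a small Python evaluator for the extended-ACL and route-map logic of the config above. It shows that the route-map entry is selected by destination port (`any any eq www`), not source port (`any eq www any`, which only matches replies coming back from a web server), and that PBR only changes the next-hop gateway (the `g=` in the IOS debug output) while leaving the packet's destination address unchanged, so the proxy or mail gateway receives packets that are not addressed to it. Packets and ACL lines are constructed; the addresses are the ones quoted in the thread.

```python
"""Toy evaluator for IOS extended ACL + route-map PBR (constructed, not IOS code).
Supports the subset: access-list N permit|deny tcp <src> [eq p] <dst> [eq p]
where <src>/<dst> is 'any' or 'host A.B.C.D'."""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110}

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_ace(line):
    """Parse one access-list entry into its match criteria."""
    toks = line.split()
    assert toks[0] == "access-list" and toks[3] == "tcp", line
    i = 4
    def addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ip_network("0.0.0.0/0")
        assert toks[i] == "host"          # only 'any' / 'host X' supported here
        i += 2
        return ip_network(toks[i - 1] + "/32")
    def port():
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            return _port(toks[i - 1])
        return None                        # no port qualifier: any port
    src, sport, dst, dport = addr(), port(), addr(), port()
    return {"action": toks[2], "src": src, "sport": sport, "dst": dst, "dport": dport}

def acl_permits(acl_lines, pkt):
    """First-match semantics with the implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if (ip_address(pkt["src"]) in ace["src"] and ip_address(pkt["dst"]) in ace["dst"]
                and ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"])):
            return ace["action"] == "permit"
    return False

def policy_route(acl_lines, next_hop, pkt):
    """'match ip address <acl>' + 'set ip next-hop': returns the gateway used.
    The destination address is returned untouched, exactly as PBR forwards it."""
    gw = next_hop if acl_permits(acl_lines, pkt) else "normal-routing"
    return {"gateway": gw, "dst": pkt["dst"], "dport": pkt["dport"]}

# Constructed packets: an outbound HTTP and SMTP request, and a reply from the web server.
HTTP_OUT = {"src": "10.34.15.200", "sport": 51234, "dst": "64.233.183.99", "dport": 80}
SMTP_OUT = {"src": "10.34.15.200", "sport": 51235, "dst": "195.85.130.75", "dport": 25}
HTTP_REPLY = {"src": "64.233.183.99", "sport": 80, "dst": "10.34.15.200", "dport": 51234}
ACL_SRC_PORT = ["access-list 101 permit tcp any eq www any"]   # matches source port 80 only
ACL_DST_PORT = ["access-list 101 permit tcp any any eq www",
                "access-list 101 permit tcp any any eq smtp"]
```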

Edison Ortiz
Hall of Fame

Marc,

PBR (Policy Based Routing) is your solution. Sample config:

interface fa0/0
 ip address 10.34.0.1 255.255.0.0
 ip policy route-map wwwmail
!
route-map wwwmail permit 10
 match ip address 101
 set ip next-hop [proxy server]
!
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 110

_____

Please rate helpful posts.

Thanks

Hi there.

Yes, I thought so.

But it did not work...

This is the log file saying:

*Sep 11 14:55:19.079: CEF-IP-POLICY: fib for address 192.168.17.249 is with flag 0
*Sep 11 14:55:19.079: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, g=192.168.17.249, len 48, FIB policy routed
*Sep 11 14:55:21.999: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, len 48, FIB policy match

So it is forwarding the (in this case port 25) traffic to next-hop address 192.168.17.249.

But nothing is arriving at the mail forwarder. I can ping the mail forwarder, so routing is not the problem.

Grtz. Marc

Marc,

Can you tell us a little more about the device (192.168.17.249)?

A little diagram of your network can also help.

From the log, the packet is being policy routed.

Hi.

The 192.168.17.249 is a Symantec mail gateway.

A network diagram is included.

Grtz

Hello,

Can you post the configuration of your router, including the route map you have configured?

Regards,

GNT

OK, here it is.

I have made some progress. Now at least I can see that the traffic is routed to the next-hop address:

*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=64.233.183.99, len 48, FIB policy match
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=64.233.183.99, g=192.168.18.250, len 48, FIB policy routed
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, len 48, FIB policy match
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=195.85.130.75, g=192.168.17.249, len 48, FIB policy routed

We can see at the mail gateway that traffic is arriving, but it says: only a connection, but no messages transferred.

I can't see what the problem is.

Grtz Marc

Marc,

Does the mail gateway have a route back to your network?

Yes, I can ping the mail gateway from the host and from all other hosts in the network.

When I fill in the mail gateway in the mail client I can send out mail with no problem.

As I told before, I use the same rules for proxy forwarding, and for that traffic I can see in the firewall logging that the host tries to connect to the internet without going to the proxy.

Again, when I fill in the proxy address in my browser I can connect to the internet.

Grzt. Marc

I don't know much about your mail application, but perhaps the client/server connection requires the client to have the server IP address somewhere in the IP header?

OK, I think that way also.

But how do I get it there?

The mail gateway is a Symantec anti-virus server with mail forwarding.

So nothing exotic, so I think more people have the same problem?

Grzt Marc

Marc,

How about entering the server information on the clients?

I mean, that's how most client/server applications work. You need to enter the server information on the client.
