Hi, I want to set up the following:
I want to permit www traffic from an inside network to the internet, but I want to redirect the traffic through a proxy for traffic filtering.
I tried a lot of configs like nat, route-maps, etc.
Is there anyone with the solution?
I can find a lot of configs for incoming traffic, but none for outgoing traffic.
I not only want to set it up for http but also for mail.
So mail traffic goes through a mail gateway so mail can be scanned before being sent to the outside world.
www traffic coming from network 10.34.0.0 255.255.0.0 must be forwarded to proxy 192.168.18.250 and then sent outside.
So traffic for port 80 must be rerouted to 192.168.18.250 and all other traffic must be routed normally.
Any help is very welcome.
A route-map matching the traffic you want to redirect should actually work. Not sure what you have already tried, but take a look at the following config:
! Assumed: the inside interface is FastEthernet0/0, as shown in the debug output
interface FastEthernet0/0
 ip address 10.34.1.0 255.255.0.0
 ip policy route-map HTTP_MAIL_OUT
!
route-map HTTP_MAIL_OUT permit 10
 match ip address 101
 set ip next-hop 192.168.18.250
!
! Client requests go to destination port www; matching "any eq www any" would only catch the return traffic (source port 80)
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
The proxy server then must route the traffic out to the Internet.
Can you give this a try?
PBR (Policy Based Routing) is your solution. Sample config:
! Assumed: the inside interface is FastEthernet0/0, as shown in the debug output
interface FastEthernet0/0
 ip address 10.34.0.1 255.255.0.0
 ip policy route-map wwwmail
!
route-map wwwmail permit 10
 match ip address 101
 set ip next-hop [proxy server]
!
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 110
Please rate helpful posts.
Yes, I thought so.
But it did not work.
This is the log file saying:
*Sep 11 14:55:19.079: CEF-IP-POLICY: fib for address 192.168.17.249 is with flag 0
*Sep 11 14:55:19.079: IP: s=10.34.15.200 (FastEthernet0/0), d=22.214.171.124, g=192.168.17.249, len 48, FIB policy routed
*Sep 11 14:55:21.999: IP: s=10.34.15.200 (FastEthernet0/0), d=126.96.36.199, len 48, FIB policy match
So it is forwarding the (in this case port 25) traffic to next-hop address 192.168.17.249.
But nothing is arriving at the mail forwarder. I can ping the mail forwarder, so routing is not the problem.
Can you tell us a little more about the device (192.168.17.249)?
A little diagram of your network can also help.
From the log, the packet is being policy routed.
OK, here it is.
I have made some progress. Now at least I can see that the traffic is routed to the next-hop address:
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=188.8.131.52, len 48, FIB policy match
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=184.108.40.206, g=192.168.18.250, len 48, FIB policy routed
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=220.127.116.11, len 48, FIB policy match
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=18.104.22.168, g=192.168.17.249, len 48, FIB policy routed
We can see at the mail gateway that traffic is arriving, but it says: only a connection, but no messages transferred.
I can't see what the problem is.
Yes, I can ping the mail gateway from the host and from all other hosts in the network.
When I fill in the mail gateway in the mail client, I can send out mail with no problem.
As I told before, I use the same rules for proxy forwarding, and for that traffic I can see in the firewall logging that the host tries to connect to the internet without going to the proxy.
Again, when I fill in the proxy address in my browser, I can connect to the internet.
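As an added check (not from this thread), a small Python helper that parses debug ip policy lines of the shape quoted above and reports per flow whether the packet was actually handed to the proxy or the mail gateway. The sample log and the 203.0.113.x destinations are constructed; the next-hop addresses are the ones used in the thread.

```python
import re
from collections import defaultdict

# Line shapes as they appear in IOS 'debug ip policy' output quoted in the thread:
#   ... IP: s=SRC (IFACE), d=DST, len N, FIB policy match
#   ... IP: s=SRC (IFACE), d=DST, g=NEXTHOP, len N, FIB policy routed
MATCH_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<ifc>[^)]+)\), d=(?P<dst>[\d.]+), len \d+, FIB policy match")
ROUTED_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<ifc>[^)]+)\), d=(?P<dst>[\d.]+), g=(?P<gw>[\d.]+), "
    r"len \d+, FIB policy routed")

# Constructed sample: one flow sent to the proxy, one sent to the mail gateway,
# and one that matched the ACL but never got a 'policy routed' line.
SAMPLE_LOG = """\
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=203.0.113.10, len 48, FIB policy match
*Sep 14 12:51:55.787: IP: s=10.34.15.200 (FastEthernet0/0), d=203.0.113.10, g=192.168.18.250, len 48, FIB policy routed
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=203.0.113.25, len 48, FIB policy match
*Sep 14 12:51:59.171: IP: s=10.34.15.200 (FastEthernet0/0), d=203.0.113.25, g=192.168.17.249, len 48, FIB policy routed
*Sep 14 12:52:03.002: IP: s=10.34.15.201 (FastEthernet0/0), d=203.0.113.80, len 48, FIB policy match
"""

def summarize_flows(log_text):
    """Group debug lines per (src, dst): how often matched, how often routed, and to which next hops."""
    flows = defaultdict(lambda: {"matched": 0, "routed": 0, "next_hops": set()})
    for line in log_text.splitlines():
        m = ROUTED_RE.search(line)
        if m:
            f = flows[(m["src"], m["dst"])]
            f["routed"] += 1
            f["next_hops"].add(m["gw"])
            continue
        m = MATCH_RE.search(line)
        if m:
            flows[(m["src"], m["dst"])]["matched"] += 1
    return flows

def check_policy_routing(log_text, expected_next_hops):
    """Return {(src, dst): verdict}; expected_next_hops are the redirect targets the route-map should use."""
    verdicts = {}
    for key, f in summarize_flows(log_text).items():
        if f["routed"] == 0:
            # ACL hit, but no 'policy routed' line followed: the packet was not redirected,
            # so check that the configured next hop is reachable from the router.
            verdicts[key] = "matched but not redirected"
        elif not f["next_hops"] <= expected_next_hops:
            verdicts[key] = "redirected to unexpected next hop " + ",".join(sorted(f["next_hops"]))
        else:
            # d= is still the real server: PBR changes only the next hop, never the destination,
            # so the gateway must accept traffic addressed elsewhere or the clients must point at it.
            verdicts[key] = "redirected"
    return verdicts
```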
I don't know much about your mail application, but perhaps the client/server connection requires the client to have the server IP address somewhere in the IP header?
OK, I think that way also.
But how do I get it there?
The mail gateway is a Symantec antivirus server with mail forwarding.
So nothing exotic, so I think more people have the same problem?
How about entering the server information on the clients?
I mean, that's how most client/server applications work. You need to enter the server information on the client.