632 Views · 0 Helpful · 2 Replies

Routing, Proxies and Firewalls

jpbrown
Level 1

Have a firewall set up with filtered HTTP traffic - if your IP is not in the list, you don't get through on that port. Proxy servers are set up with the internal interface of the firewall as their default gateway. All users on the network, minus IT professionals, are set up to access the internet via the proxy servers. The firewall's internal interface is in the same subnet as the private IP scheme. The external interface IP is on a public range connected to an external router to a DS3.

Currently, the old Bay (Nortel) router is set up with the gateway of last resort as the internal interface of the firewall. Only IPs in the list on the firewall can bypass the proxies - this is working perfectly.

When I switch over the router to our new CISCO 3700 series (set up identically to the Bay Router) and set up the gateway of last resort as the internal interface of the firewall, ALL IP addresses can bypass the proxy server whether in the list or not. Without gateway of last resort, access is only possible via proxy server input in internet settings.

The only difference in looking in configuration is that the Bay router has an additional entry in the gateway of last resort for Next-Hop Subnet Mask and this option is not available on the 3700.

Any thoughts on how to get all non-local HTTP traffic to be sent to the internal interface of the firewall for lookup in the filtered http table (via a static route, tables, etc.)? When data is sent from the router, is the original sender's IP located in the packet or does the router's IP mask that as its own? What sort of setting would allow one router to use the firewall correctly and the other let everything through?

2 Replies

rjackson
Level 5

Sounds like you're saying they can bypass the proxy server by changing their browser settings and the router is letting them through. That means your access list isn't set up/applied correctly. Is it applied outbound on the interface facing the FW or inbound facing the users? What does it say?
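The access-list fix rjackson describes, written out as an added example (not configuration from this thread or from either router in it). It assumes placeholder addresses: two proxy servers at 10.0.0.10 and 10.0.0.11, two IT hosts at 10.0.0.50 and 10.0.0.51 that are also in the firewall's filtered-HTTP list, and FastEthernet0/0 as the 3700's user-facing interface. The idea is that the router, not only the firewall, enforces who may send HTTP directly; every other host can still reach the proxies, and all non-HTTP traffic is left alone. Note that a plain routed hop does not rewrite the source IP (only NAT does), so the firewall's IP-based list still sees the original sender either way; the ACL simply stops the bypass before it reaches the firewall.

```ios
! Added example, not from the thread. Addresses and interface name are placeholders.
! Extended ACL: only approved hosts may send HTTP straight toward the firewall;
! everyone else must go through the proxy servers.
ip access-list extended HTTP-BYPASS-CONTROL
 remark -- every internal host may reach the proxy servers (placeholder addresses)
 permit ip any host 10.0.0.10
 permit ip any host 10.0.0.11
 remark -- IT hosts that are also in the firewall's filtered-HTTP list may go direct
 permit tcp host 10.0.0.50 any eq www
 permit tcp host 10.0.0.51 any eq www
 remark -- everyone else: no direct web access past the router (logged for detection)
 deny   tcp any any eq www log
 remark -- all other traffic (DNS, mail, etc.) is unaffected
 permit ip any any
!
! Apply inbound on the interface facing the users, so the check happens as
! traffic enters the router rather than after a routing decision.
interface FastEthernet0/0
 description LAN facing users (placeholder)
 ip access-group HTTP-BYPASS-CONTROL in
```

To confirm it is doing what you expect, `show ip access-lists HTTP-BYPASS-CONTROL` shows per-line match counts; a rising count on the `deny tcp any any eq www` line (and the matching log messages) is a direct signal that a non-approved host is trying to bypass the proxy. If the proxies themselves need to reach the web through the same router, keep them in the permit lines above the deny, and remember that an ACL on port 80 alone does nothing for HTTPS if that later becomes a concern.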

We have not set up access lists as of yet - this sounds like it could be the problem. Thanks!