New Member

External Caching Proxy Server

hello,

I have installed a Squid caching proxy server in my trusted site. I just want that when someone requests a web site from trusted, the firewall sends the request to Squid. And no one, except the Squid server, will use HTTP for webpage requests. How can I do that? Is it possible on PIX (PIX 515 with 6.22 software, PDM 2.11)?

thanks....

2 REPLIES
Anonymous
N/A

Re: External Caching Proxy Server

I do not believe that the PIX supports proxy redirection. Cisco routers support that via a proprietary protocol, WCCP, but I do not believe that functionality has been added to the PIX. Either way, WCCP is proprietary and would not work with your Squid server. The best way to accomplish this may be to point all of your trusted clients to this proxy server and then deny all outgoing web traffic on the PIX except from the Squid server. In other words, the only machine on your network able to access web pages will be the Squid server.

Kevin
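One way to implement Kevin's suggestion on the PIX side, as an added example that is not part of the thread and not Cisco's or Squid's own documentation. It assumes the trusted (inside) subnet is 10.1.1.0/24, the Squid host is 10.1.1.1 (the address the second reply uses), and Squid listens on its default port 3128; browsers on the clients are configured to use 10.1.1.1:3128 as their proxy.

```cisco
! Added example, not from the thread. PIX 6.2 syntax.
! Assumed addressing: inside 10.1.1.0/24, Squid at 10.1.1.1.

! Outbound NAT so inside hosts (in practice only Squid) can reach the outside.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Egress policy on the inside interface.
! Squid resolves names on behalf of its clients, so it needs DNS out.
access-list inside_out permit udp host 10.1.1.1 any eq domain
! Web access (plain HTTP, and CONNECT tunnels to 443) only from the proxy host.
access-list inside_out permit tcp host 10.1.1.1 any eq www
access-list inside_out permit tcp host 10.1.1.1 any eq 443
! No other rules: a PIX access-list ends with an implicit deny, so every other
! inside host is dropped when it tries to go direct, on any port.
access-group inside_out in interface inside

! Client-to-Squid traffic (10.1.1.x -> 10.1.1.1:3128) stays on the inside LAN
! and never crosses the PIX, so it is unaffected by this ACL.
! Verify after deployment: "show access-list inside_out" shows per-rule hit
! counts; hits on the Squid rules and none on anything else is the expected
! picture, and "show xlate" should show translations only for 10.1.1.1.
```

On the Squid side, restrict who may use the proxy to the same subnet (Squid's `http_port 3128`, an `acl localnet src 10.1.1.0/24` and `http_access allow localnet` before the final deny), so the proxy cannot be used as an open relay from elsewhere. The explicit default-deny tail is the important part of the PIX policy: permitting only ports 80 and 443 for Squid while leaving "permit ip any any" at the end would let a client bypass the proxy simply by reaching a web server on a non-standard port.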

Cisco Employee

Re: External Caching Proxy Server

All you really need to do here is make sure that any packets that come into your PIX on port 80 are redirected to the internal squid server. The squid server is the one doing the proxying, not the PIX, correct? There's only going to be a specific IP address that requests are going to come in on, so just portmap that to your internal squid server.

For example, let's say HTTP requests will come into your PIX at 209.1.2.3, and your squid server is on the inside interface at 10.1.1.1. All you need to do is the following:

> static (inside,outside) tcp 209.1.2.3 80 10.1.1.1 80 netmask 255.255.255.255 0 0

The PIX will send the HTTP traffic to the squid server and the squid server should do the rest. You'll run into trouble however if HTTP requests are coming into your PIX at more than one IP address (let's say 209.1.2.7 also). You can't portmap the same port number to the same host, so you'd have to do something like the following:

> static (inside,outside) tcp 209.1.2.7 8000 10.1.1.1 8000 netmask 255.255.255.255 0 0

which would require your users knowing that they have to connect on port 8000 when going to 209.1.2.7, plus being able to have the squid server listen on port 8000. Again though, this is only if you have connections coming in on more than one IP address.
