Fun with Proxies, route-maps and NAT

ianpointer
Level 1

Hi, a bit of a weird setup here. We have four sites, which we'd ideally all like to go to one central site for web blocking/proxying. We're using route-maps to redirect the traffic to a squid server in the central site.

It works fine in the central site, but no other site's traffic is being redirected. All of the 837 routers are using NAT, and the next-hop address in the route-map is to a NATed address on the central site - could this be the problem? Or am I asking too much of the route-map facility?

Here's a sample of the access-list and route-map setup:

interface Ethernet0
 ip address 10.0.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip inspect myfw in
 ip tcp adjust-mss 1350
 ip policy route-map proxy
 no cdp enable
 hold-queue 100 out
!
access-list 10 remark Admin Networks
access-list 10 permit 10.0.4.2
access-list 100 permit esp host central host xxx
access-list 100 permit udp host central host xxx eq isakmp
access-list 100 permit gre host central host xxx
access-list 100 permit tcp host central host xxx eq 15868
access-list 100 permit tcp host central host xxx eq www
access-list 100 permit ip 10.0.4.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp 10.0.4.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip any any
access-list 101 remark NAT information
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 122 permit ip 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 122 permit icmp 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 190 permit tcp any any eq www
dialer-list 1 protocol ip permit
route-map proxy permit 10
 match ip address 190
 set ip next-hop 10.0.4.207
!

(access-list 100 is applied to Dialer1 coming in, access-list 122 goes over a VPN tunnel).

I'm rather new to Cisco routers; these configs weren't set up by me, so be gentle ;). Thanks!


ebreniz
Level 6

The "next-hop" address must be the address reachable by the central site. A NATed IP address as next-hop does not make any sense to me. A NATed address is only for the user traffic travelling between the NAT interfaces.
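As an added illustration of the reply's point (my own example code, not anything posted in this thread or shipped by Cisco): the script below parses access-list 190 and route-map proxy as they appear in the question, classifies a sample web packet the way the route-map clause would, and reports whether the configured next hop sits on a directly connected network of the router doing the policy routing. The 10.0.1.0/24 LAN is Ethernet0 of the posted 837; the 10.0.4.0/24 LAN for the central site is an assumption drawn from the ACLs; the rule that the next hop must be adjacent is the model's assumption about the plain (non-recursive) set ip next-hop form; the packet addresses are constructed.

```python
import ipaddress

# Constructed excerpt of the configuration from the question: the HTTP
# classifier (access-list 190) and the policy route-map pointing web traffic
# at the central squid box. The other ACLs from the post are not needed here.
CONFIG = """\
access-list 190 permit tcp any any eq www
route-map proxy permit 10
 match ip address 190
 set ip next-hop 10.0.4.207
!
"""

# Directly connected LAN of each router. 10.0.1.0/24 is Ethernet0 of the posted
# 837; 10.0.4.0/24 for the central site is an assumption taken from the ACLs.
SITES = {
    "remote-837": ["10.0.1.0/24"],
    "central": ["10.0.4.0/24"],
}

PORT_NAMES = {"www": 80, "isakmp": 500}


def parse_match(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # A contiguous Cisco wildcard is the inverted netmask: 0.0.0.255 -> /24.
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)


def parse_acl(config_text, number):
    """Return the entries of numbered ACL `number` as (action, proto, src, dst, dport)."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = parse_match(rest), parse_match(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def parse_route_map(config_text, name):
    """Return (match_acl, next_hop) of the clause of route-map `name`."""
    acl = next_hop = None
    inside = False
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["route-map", name]:
            inside = True
        elif tokens == ["!"]:
            inside = False
        elif inside and tokens[:3] == ["match", "ip", "address"]:
            acl = int(tokens[3])
        elif inside and tokens[:3] == ["set", "ip", "next-hop"]:
            next_hop = tokens[3]
    return acl, next_hop


def acl_permits(entries, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, edport in entries:
        if eproto not in ("ip", proto) or src not in esrc or dst not in edst:
            continue
        if edport is not None and edport != dport:
            continue
        return action == "permit"
    return False


def pbr_decision(site, proto, src, dst, dport=None):
    """Model a packet arriving on the policy-routed interface of `site`.

    Returns (matched, next_hop, adjacent). `adjacent` is True only when the
    next hop lies on a directly connected network of this router, which is the
    condition this model assumes the plain 'set ip next-hop' form needs.
    """
    acl_number, next_hop = parse_route_map(CONFIG, "proxy")
    if not acl_permits(parse_acl(CONFIG, acl_number), proto, src, dst, dport):
        return (False, None, None)  # clause not matched: ordinary routing applies
    hop = ipaddress.ip_address(next_hop)
    adjacent = any(hop in ipaddress.ip_network(n) for n in SITES[site])
    return (True, next_hop, adjacent)


if __name__ == "__main__":
    # Constructed packets: one inside host per site opening an HTTP connection.
    for site, src in (("remote-837", "10.0.1.50"), ("central", "10.0.4.50")):
        matched, hop, adjacent = pbr_decision(site, "tcp", src, "203.0.113.10", 80)
        print(f"{site}: matched={matched} next_hop={hop} adjacent={adjacent}")
```

Run as-is, the central router reports the next hop as adjacent while the 837 does not: the web flow matches the route-map on both, but on the remote site 10.0.4.207 is only reachable through the dialer and the VPN tunnel, never as a directly connected neighbour, so the clause has no usable next hop and the packet falls back to ordinary routing, which is consistent with the symptom in the question. Adding a routing-table lookup to the model would be the next step if the router in use supports a recursive next-hop form.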