Cisco 2921 destination NAT for transparent proxy

Jordan Dalley
Level 1

Hi All,

I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.

In iptables it's easy:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>

I am, however, trying to work out a way to do this without the need for a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.

So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.

The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).

Any ideas guys? I'm stuck.

Cheers,
Jordan.

7 Replies

Jordan Dalley
Level 1

From what I can understand, ASAs can do it. Not sure about routers though.

Anyone? :)

campbech1
Level 1

Sounds like you need a route-map to change the next IP hop?

This would be the best way to do it, which will also verify that the remote proxy server is available.

! Note: on IOS 15.x the "ip sla monitor" form has been replaced by "ip sla 1",
! "ip sla schedule 1 life forever start-time now" and "track 123 ip sla 1 reachability".
ip sla monitor 1
 type echo protocol ipIcmpEcho <ip address of your proxy server>
 timeout 3000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
interface FastEthernet0/1
 ip address <x.x.x.x x.x.x.x>
 ip policy route-map REDIRECT-TO-PROXY
!
ip access-list extended webtraffic
 remark Deny traffic from your proxy server from redirecting
 deny tcp host <ip address of your proxy server> any eq www
 deny tcp host <ip address of your proxy server> any eq https
 permit tcp <your ip network> <subnet mask> any eq www
 permit tcp <your ip network> <subnet mask> any eq https
!
route-map REDIRECT-TO-PROXY permit 10
 match ip address webtraffic
 set ip next-hop verify-availability <ip address of your proxy server> 1 track 123

If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that. Here is how my router is configured.

interface FastEthernet0/0
 ip address dhcp hostname home-rtr-1
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.235.x.x 255.255.255.252
 ip nat inside
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit <your ip network> <your ip subnet>

HTH

Hi There,

I appreciate the reply, but I think my issue may be slightly different in that the proxy I want to forward requests to is not in an adjacent subnet to the router.

I have done much the same thing as to what you've described above, where I PBR port 80 and 443 traffic off to a Linux box with iptables in a directly accessible subnet, which then in turn does all the tricky packet modifications to change the destination IP etc. I might note also, that the linux box in question is not the proxy server, it is simply just rewriting the destination ip address of any web requests to a remote proxy. It works well.

I'm just wondering if I need to bother about having that Linux box to do the NAT stuff if the Cisco can do it for me. The proxy in question is in the cloud, so it's not like I can hand directly off to it.

The only other option i've seen is GRE as this can attach remote proxies as directly routable.

Cheers,
Jordan.

Sorry, I didn't catch that it was off-site. I don't have any experiences with connecting to an off-site proxy. We handle all of our proxies through WCCP. 

campbech1
Level 1

Also, does this proxy support WCCP? That might be an even easier connection to the proxy.

No, the proxy doesn't support WCCP unfortunately. This would be ideal.

msbachman
Level 1

I was looking for a similar solution...

Have you tried this?

Cisco IOS Destination-NAT

http://blog.lemieuxnc.net/2010/09/cisco-ios-destination-nat.html

I was able to use it to reroute DNS requests from a client 10.1.1.1 that was using server 192.168.1.1 and redirect the lookups to a different DNS server 192.168.1.2.

eg

pc 10.1.1.1 ---------- 10.0.0.1 router 192.168.0.1 ---------- dns server 192.168.1.1
w/ dns set to use 192.168.1.1                                 dns server 192.168.1.2

router .........
interface f0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface f1
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
!
ip nat outside source static udp 192.168.1.2 53 192.168.1.1 53

Hope that helps
-mike brentlinger
msbrentlinger@gmail.com
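Added example (editor's, not from any poster in this thread): the outside-source static translation from the reply above carried over to TCP 80 and 443 on a 2921, together with the inside PAT that the original question says is needed. Every name and address here is an assumption: GigabitEthernet0/0 is the outside interface at 192.0.2.2 with 192.0.2.1 as its next hop, GigabitEthernet0/1 faces a 10.1.1.0/24 LAN, the cloud proxy is 203.0.113.10, and 198.51.100.20 is the one public web server whose traffic is to be diverted. One caveat a practitioner should keep in mind: static outside-source NAT keys on a specific destination address, so each line below catches flows to one destination only. It does not give the "any destination, port 80/443" rewrite that the iptables DNAT rules in the original post do, which is why on classic IOS NAT this ends up needing a PBR next hop (as in the route-map reply) or WCCP rather than a NAT rule.

```cisco
! Added example, not from the thread. Interfaces and addresses are assumptions.
! Outside-source static NAT: inside hosts address 198.51.100.20 (the "outside local"
! address); on inside-to-outside packets the router rewrites that destination to the
! real proxy 203.0.113.10 (the "outside global" address), and on the proxy's replies
! it rewrites the source back to 198.51.100.20 so the client sees the address it dialed.
interface GigabitEthernet0/0
 description Outside (Internet)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Clients are PAT-ed to the outside address so the proxy's replies return through
! this router, where the reverse translation state lives. This is the job the
! POSTROUTING SNAT line does in the iptables ruleset from the original post.
ip nat inside source list INSIDE-NETS interface GigabitEthernet0/0 overload
!
! One static entry per destination address and port; the proxy listens on 80 and 443.
ip nat outside source static tcp 203.0.113.10 80 198.51.100.20 80
ip nat outside source static tcp 203.0.113.10 443 198.51.100.20 443
!
ip access-list standard INSIDE-NETS
 permit 10.1.1.0 0.0.0.255
!
! For inside-to-outside packets IOS routes first and translates second, so the
! outside-local address (198.51.100.20) must already route out Gi0/0 before the
! destination is rewritten. A default route is enough.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

To check it, open a connection from a LAN host to 198.51.100.20:80 and look at `show ip nat translations`: there should be a static outside entry pairing outside local 198.51.100.20:80 with outside global 203.0.113.10:80, and a dynamic inside entry pairing the client's 10.1.1.x source port with the 192.0.2.2 outside address. `show ip nat statistics` gives the hit counters if the translation is in place but nothing is matching.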