Cisco Support Community

New Member

Redirect web traffic to external proxy in a specific port

Hi, I want to redirect internal web traffic (browsing) to an external web server for Web, Virus and Spyware filtering. Those externals proxies are running in 8080 port. I have one ASA firewall and a Cisco 2600 router. I was thinking in doing PBR in the router but in the next hop I can only set one IP, not an IP and a port.

So how can I redirect web traffic to an external proxy listening in 8080 port?

Thanks

13 REPLIES

Re: Redirect web traffic to external proxy in a specific port

Hi,

In your PBR, match TCP port 8080 and set the next hop accordingly; below is an example:

route-map PBR permit 10
 match ip address 100
 set ip next-hop x.x.x.x

access-list 100 permit tcp any any eq 8080

HTH

Mohamed

New Member

Re: Redirect web traffic to external proxy in a specific port

No, I need to redirect web (port 80) traffic to an external proxy server listening on 8080, not 8080 traffic to an external server. Do you understand?

Thanks

New Member

You need a "GRE tunnel" between

You need a "GRE tunnel" between your proxy and your router,

and then you can use the PBR next hop.

Regards

New Member

I believe that on Cisco

I believe that on Cisco routers we can't NAT the destination;

we can only NAT the source.

I don't know why Cisco doesn't do that!! It does do that on ASA firewalls,

but I found that Linux can do both (src, dst) NAT!!

regards

Re: Redirect web traffic to external proxy in a specific port

Hi,

You will need to modify the access list to:

access-list 100 permit tcp any any eq www

Regarding the proxy, it should be listening on port 80 as well so that the traffic gets to it.

You don't need additional config if the proxy is listening on port 80.

HTH

Mohamed

New Member

Re: Redirect web traffic to external proxy in a specific port

Yes, but the proxy is an external server and is listening on port 8080. I can't change the port it is listening on.

Hall of Fame Super Bronze

Re: Redirect web traffic to external proxy in a specific port

You can use static NAT.

On the router, configure the following:

ip nat inside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable

where the proxy IP address doesn't change, just the TCP port.

On the interface towards the Proxy server, you need ip nat inside

On the interface towards the clients, you need ip nat outside

Be aware, you can't perform internet NAT on this device and the ASA can be used for internet NAT for your network.

I did a quick lab to test this concept:

R2 (acting as client) <------>R0 (acting as NAT router)<----->R1(acting as proxy listening on port 8080).

R1:

R1#sh run | i http
ip http server
ip http port 8080
no ip http secure-server
R1#sh ip http server status | i 8080
HTTP server port: 8080

Before implementing the NAT, I can only access R1 when telnetting to port 8080 from R2.

It won't work when trying port 80.

R2#telnet 10.1.100.1 80
Trying 10.1.100.1, 80 ...
% Connection refused by remote host

R2#telnet 10.1.100.1 8080
Trying 10.1.100.1, 8080 ... Open


^^
HTTP/1.1 400 Bad Request
Date: Tue, 19 Jan 2010 10:45:16 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

I implemented the NAT on R0

R2#telnet 10.1.100.1 8080
Trying 10.1.100.1, 8080 ...
% Connection timed out; remote host not responding

R2#
R2#
R2#telnet 10.1.100.1 80 
Trying 10.1.100.1, 80 ... Open

^^xx
HTTP/1.1 400 Bad Request
Date: Tue, 19 Jan 2010 10:46:28 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

R0#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.1.100.1:80      10.1.100.1:8080    ---                ---
R0#

Regards

Edison

Edit: If you want to use this router for internet NAT, you can change the outside|inside designation on the interfaces and also change the command from

ip nat inside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable

to

ip nat outside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable

Message was edited by: Edison Ortiz
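Pulling together Mohamed's corrected access list (match destination port www) and Edison's static port translation, the following is an added example of how the two pieces sit in one IOS configuration. It is not configuration from this thread or from Cisco; the interface names, the client subnet 192.168.1.0/24 and the router address 10.1.100.254 are assumptions, while the proxy address 10.1.100.1 and the NAT statement are taken from Edison's lab. Note that the translation rewrites only connections addressed to 10.1.100.1:80; a packet that PBR steers toward the proxy with some other destination address reaches it unchanged, so the proxy must be able to handle transparently intercepted HTTP, and the next hop here is on a directly connected segment, which is the case the thread's later replies discuss.

```cisco
! Added example configuration (not from the thread). Assumed topology:
!   clients 192.168.1.0/24 on FastEthernet0/0 (assumed)
!   proxy 10.1.100.1 listening on 8080, reached via FastEthernet0/1 (assumed)
!
! 1. Match only client-originated HTTP (Mohamed's corrected access list,
!    narrowed to the assumed client subnet so nothing else is policy-routed)
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
! 2. Policy-route matched traffic to the proxy as next hop
route-map PROXY-REDIRECT permit 10
 match ip address 100
 set ip next-hop 10.1.100.1
!
! 3. Edison's static port translation: connections arriving for
!    10.1.100.1:80 are rewritten to 10.1.100.1:8080
ip nat inside source static tcp 10.1.100.1 8080 10.1.100.1 80 extendable
!
! Interface toward the clients: NAT outside, policy routing applied here
interface FastEthernet0/0
 description Clients (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip policy route-map PROXY-REDIRECT
!
! Interface toward the proxy: NAT inside
interface FastEthernet0/1
 description Toward proxy (assumed)
 ip address 10.1.100.254 255.255.255.0
 ip nat inside
!
! Verification after a client connects to 10.1.100.1:80:
!   show ip nat translations      -> tcp 10.1.100.1:80  10.1.100.1:8080 ...
!   show route-map PROXY-REDIRECT -> policy routing matches counter increments
```

The access list is deliberately restricted to the client subnet rather than `any any` so that only the traffic you intend to redirect is policy-routed; a broader match would also steer management traffic and anything else the router forwards on that interface.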

New Member

Re: Redirect web traffic to external proxy in a specific port

Ok, that's fine.

But now I am not able to redirect traffic to that external server. I'm testing with PBR next-hop, but it seems that it is taking the default route.

The proxy is on the Internet; it is not directly connected to my network. I do not know if the next hop has to be a directly connected IP or not.

Thanks

Hall of Fame Super Bronze

Re: Redirect web traffic to external proxy in a specific port

I understand your requirements. I believe you will accomplish this task a lot easier if you send the proxy configuration to workstations either via DHCP or a PAC file.

http://en.wikipedia.org/wiki/Proxy_auto-config

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Regards

Edison

New Member

Re: Redirect web traffic to external proxy in a specific port

OK, but I'd like to control it at the network level. Do you know if there is a command to send traffic through a specific Internet router? Do you know if with the next-hop command you can only set a directly connected router?
Thanks

Hall of Fame Super Bronze

Re: Redirect web traffic to external proxy in a specific port

I haven't tested this concept, but it seems that's what you are after:

https://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

New Member

Re: Redirect web traffic to external proxy in a specific port

My router (2600) doesn't support it. Thanks anyway. Maybe it's time to renew.

New Member

Re: Redirect web traffic to external proxy in a specific port
