https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218873#M591486 <HTML><HEAD></HEAD><BODY><P>The only thing that I would recommend to you is to enable and configure the proxy settings on the web browsers of your users. I know, that can be a very tedious task if you don't trust your users to do it themselves. One way to facilitate could be by creating a registry file (if you users are windows based) that users can import by doubleclicking on it (if they have the permissions to modify the registry). In the proxy configuration of the web browser, you're telling it to use your proxy server IP address and port number for all connections on port 80 and 443. After everybody is successfully going through the browser, block any direct access to port 80 and 443 to the internet from the inside interface.</P></BODY></HTML> Wed, 07 Jul 2004 16:30:42 GMT crojas 2004-07-07T16:30:42Z https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218870#M591480 <P>Hi,</P><P></P><P> I'm aware that this question has been here a few times, but I didn't see an answer.</P><P></P><P>With a router it's easy to route by certain ports. I'd like to do this with a setup like this:</P><P></P><P></P><P></P><P>---&gt;IN&gt;Pix Firewall&gt;OUT&gt;----</P><P> DMZ</P><P> |</P><P> Proxy</P><P> &amp;</P><P> Mail</P><P></P><P>Requests from the inside (Port 80 and 443) should go to the Proxy, which is in the DMZ because it's a proxy for mail too.</P><P></P><P>Any other traffic should go straight to the outside, if allowed.</P><P></P><P>I didn't find an option for the pix setting the next hop by port. </P><P></P><P>Maybe someone has an idea for that.</P><P></P><P></P><P></P><P></P><P></P><P></P> Fri, 21 Feb 2020 07:29:55 GMT https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218870#M591480 reeseb 2020-02-21T07:29:55Z https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218871#M591481 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I believe what you are looking for is Port Redirection with Static, if so, then read the following document:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/707/28.html" target="_blank">http://www.cisco.com/warp/public/707/28.html</A></P><P></P><P>You can not do PBR (Policy Based Routing) on a PIX .</P><P></P><P>Hope this helps and let me know how you get on.</P><P></P><P>Jay</P><P></P></BODY></HTML> Wed, 07 Jul 2004 09:37:00 GMT https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218871#M591481 jmia 2004-07-07T09:37:00Z https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218872#M591483 <HTML><HEAD></HEAD><BODY><P>Hi Jay and thanks for the reply,</P><P></P><P> I guess the static is not the thing I'm looking for, all users on the inside doing internet access to port 80 for example, would normaly go via the default route on the pix, straight out of the external interface. I want this redirected to Proxy:8080 in the DMZ. I Guess static demands a 1 to 1 Mapping, which would be difficult, with 30 Networks behind the inside interface. So it seems really to be kind of bad idea to put a proxy in the DMZ.</P><P></P><P>best regards </P><P>björn</P><P></P><P></P><P></P></BODY></HTML> Wed, 07 Jul 2004 11:43:36 GMT https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218872#M591483 reeseb 2004-07-07T11:43:36Z https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218873#M591486 <HTML><HEAD></HEAD><BODY><P>The only thing that I would recommend to you is to enable and configure the proxy settings on the web browsers of your users. I know, that can be a very tedious task if you don't trust your users to do it themselves. One way to facilitate could be by creating a registry file (if you users are windows based) that users can import by doubleclicking on it (if they have the permissions to modify the registry). In the proxy configuration of the web browser, you're telling it to use your proxy server IP address and port number for all connections on port 80 and 443. After everybody is successfully going through the browser, block any direct access to port 80 and 443 to the internet from the inside interface.</P></BODY></HTML> Wed, 07 Jul 2004 16:30:42 GMT https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218873#M591486 crojas 2004-07-07T16:30:42Z https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218874#M591488 <HTML><HEAD></HEAD><BODY><P>ditto. it really is the best method. if they are all windows based and on active directory you can make a group policy to apply the proxy settings automatically and the users will not be able to change them.</P></BODY></HTML> Thu, 08 Jul 2004 18:05:56 GMT https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218874#M591488 rwcrowe 2004-07-08T18:05:56Z https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218875#M591491 <HTML><HEAD></HEAD><BODY><P>O.K., I'll see if i can handle this with a policy. Thanks for your replys.</P></BODY></HTML> Fri, 09 Jul 2004 07:29:04 GMT https://community.cisco.com/t5/network-security/policy-routing-on-pix/m-p/218875#M591491 reeseb 2004-07-09T07:29:04Z