
Pix and transparent proxy

simpdou
Community Member

I would like to redirect my port 80 traffic from my inside interface to the dmz interface.

I have a PIX 515E and three interfaces - inside (private net), outside (pub net Internet) and dmz1 (which has a squid proxy).

What I want is when a user makes a web request (opens his/her browser) the request is redirected to the squid proxy on the dmz.

I know that one can use a layer 4 switch to do this. Can I use my PIX to redirect traffic/ports etc.? If you would like more info please ask.

2 Replies

sachinraja
Level 11

Hi simpdou,

If the proxy is intended for internet browsing, you can definitely configure the PIX to allow connections from inside to DMZ. You can configure statics and put access-lists to allow your inside network to access the proxy server on the desired port. You have to do the following:

1) Configure static or nonats between the inside network and the DMZ network.

2) Configure access-lists on dmz (& inside) to allow communication between the inside network & proxy.

3) Do a nat for the proxy to access the internet.

If your scenario is doing caching for specific subnets based on the destination port, I think the PIX won't do redirection for such requests. You should have an L4 switch and do port redirection.

Hope this helps. Rate replies if found useful.

Raj

I cannot figure out the "access-list / access-group" part. I want to redirect port 80 on the inside interface. I would think it would be something like "access-list acl_name permit any www host 10.240.240.2"

"access-group acl_name in interface inside"

However, when I do this or a variation of redirecting port 80 from inside to dmz, the syslog shows that port 80 is trying the outside interface and being denied.

Do I have the right idea?
