09-29-2005 03:49 AM - edited 02-21-2020 12:25 AM
I want to redirect all HTTP/FTP traffic through a proxy server from the PIX. The proxy is 10.133.1.49 and the PIX is 10.133.6.10. The default gateway for the hosts on the network is 10.133.6.10.
Is my logic sound?
10-02-2005 04:32 PM
That seems to be right. All you need is to have some policies so that only that proxy IP will be able to have a translation / communication through the PIX.
thanks
Nadeem
10-04-2005 04:03 AM
Hi,
Please specify where your proxy is located. On the same subnet as the clients, on a DMZ on the PIX, on the outside ... or?
If it is located on the inside you will have a problem, as the PIX (below version 7.0) cannot do routing on the same interface, so it will not be able to route traffic from the clients to the proxy on the same interface (subnet).
10-04-2005 02:33 PM
In my understanding the PIX is not able to redirect traffic to another server as a proxy server.
Please correct me if I am not right. The exception is the WebSense and N2H2 Web Filtering service.
The setup should be:
1a.) Access-list line 1 that permits just the proxy server to connect with http, https and ftp.
1b.) Access-list line 2 that blocks all other traffic.
You do not really need that line (1b) because the PIX will do that automatically after a permit statement.
Then configure all inside hosts to use your proxy server in the browser settings.
Example for proxy server in the inside network:
object-group service Proxy-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
access-list proxy permit tcp host ProxyServerIP any object-group Proxy-TCP
access-group proxy in interface inside
Note: Object group will be more flexible if you want to configure multiple TCP ports.
sincerely
Patrick
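Added example (not part of the thread and not Cisco code): a small first-match evaluator for the ACL posted above, showing which inside sources it lets out and what falls to the implicit deny. It assumes ProxyServerIP is the proxy address from the question (10.133.1.49); the client address 10.133.6.25 used in the checks is constructed, and the parser handles only the syntax that appears in the post.

```python
import ipaddress

# Constructed config: the post's ACL with ProxyServerIP replaced by the
# proxy address given in the question (10.133.1.49).
CONFIG = """\
object-group service Proxy-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
access-list proxy permit tcp host 10.133.1.49 any object-group Proxy-TCP
access-group proxy in interface inside
"""

def parse(config):
    """Return (service groups, ACL entries) for the subset of syntax used above."""
    groups, acl, current = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "service"]:
            current = groups.setdefault(tok[2], set())
        elif tok[:2] == ["port-object", "eq"] and current is not None:
            current.add(int(tok[2]))
        elif tok[0] == "access-list":
            # access-list <name> <action> <proto> host <src> any object-group <grp>
            _, _, action, proto, _, src, _, _, grp = tok
            acl.append((action, proto, ipaddress.ip_address(src), grp))
    return groups, acl

def decide(config, src, proto, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    groups, acl = parse(config)
    for action, acl_proto, acl_src, grp in acl:
        if (proto == acl_proto and ipaddress.ip_address(src) == acl_src
                and dport in groups.get(grp, ())):
            return action
    return "implicit deny"

if __name__ == "__main__":
    # Proxy, a constructed client, and two flows the ACL does not list.
    for src, proto, port in [("10.133.1.49", "tcp", 80), ("10.133.6.25", "tcp", 80),
                             ("10.133.1.49", "tcp", 25), ("10.133.1.49", "udp", 53)]:
        print(f"{src:<12} {proto}/{port:<4} -> {decide(CONFIG, src, proto, port)}")
```

Only TCP 80, 443 and 21 from the proxy match the permit line; a client that bypasses the proxy, and any other protocol or port from the proxy itself (UDP 53, for instance), ends at the implicit deny.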