Policy Routing on Pix

reeseb
Level 1

Hi,

I'm aware that this question has been here a few times, but I didn't see an answer.

With a router it's easy to route by certain ports. I'd like to do this with a setup like this:

--->IN>Pix Firewall>OUT>----
            |
           DMZ
            |
      Proxy & Mail

Requests from the inside (Port 80 and 443) should go to the Proxy, which is in the DMZ because it's a proxy for mail too.

Any other traffic should go straight to the outside, if allowed.

I didn't find an option for the pix setting the next hop by port.

Maybe someone has an idea for that.

5 Replies

jmia
Level 7

Hi,

I believe what you are looking for is Port Redirection with Static, if so, then read the following document:

http://www.cisco.com/warp/public/707/28.html

You cannot do PBR (Policy Based Routing) on a PIX.

Hope this helps and let me know how you get on.

Jay

Hi Jay, and thanks for the reply,

I guess the static is not the thing I'm looking for. All users on the inside doing internet access to port 80, for example, would normally go via the default route on the pix, straight out of the external interface. I want this redirected to Proxy:8080 in the DMZ. I guess static demands a 1-to-1 mapping, which would be difficult with 30 networks behind the inside interface. So it really seems to be kind of a bad idea to put a proxy in the DMZ.

Best regards

Björn

The only thing that I would recommend to you is to enable and configure the proxy settings on the web browsers of your users. I know that can be a very tedious task if you don't trust your users to do it themselves. One way to facilitate it could be by creating a registry file (if your users are Windows based) that users can import by double-clicking on it (if they have the permissions to modify the registry). In the proxy configuration of the web browser, you're telling it to use your proxy server IP address and port number for all connections on port 80 and 443. After everybody is successfully going through the browser, block any direct access to port 80 and 443 to the internet from the inside interface.
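As an added illustration of the enforcement step above (not configuration from anyone in this thread), the PIX access lists below let inside hosts reach only the DMZ proxy on 8080 for web traffic, deny and log direct 80/443 from the inside, and let everything else out as the original poster wanted. All addresses, interface names and the ACL names are placeholders; the `nat`/`global` statements the PIX needs for inside-to-DMZ and DMZ-to-outside translation are assumed to be in place already, and the `log` keyword on the deny lines is assumed to be supported by the PIX software version in use.

```cisco
! Added example, not from the thread. Assumed placeholder addresses:
!   inside networks  10.0.0.0/8     (the "30 networks" behind inside)
!   DMZ proxy        192.168.1.10   listening on TCP 8080
!   DMZ mail server  192.168.1.20
!
! Inside -> anywhere: web only via the proxy, everything else direct.
! Denied direct 80/443 attempts are logged so unconfigured clients can
! be found in the syslog instead of silently failing.
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 host 192.168.1.10 eq 8080
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 host 192.168.1.20 eq 25
access-list inside_in deny   tcp any any eq 80 log
access-list inside_in deny   tcp any any eq 443 log
access-list inside_in permit ip 10.0.0.0 255.0.0.0 any
access-group inside_in in interface inside
!
! DMZ -> outside: only the proxy may originate 80/443, only the mail
! server may originate SMTP; nothing else leaves the DMZ.
access-list dmz_out permit tcp host 192.168.1.10 any eq 80
access-list dmz_out permit tcp host 192.168.1.10 any eq 443
access-list dmz_out permit tcp host 192.168.1.20 any eq 25
access-list dmz_out deny   ip any any log
access-group dmz_out in interface dmz
```

Because the deny lines sit before the final `permit ip`, order matters: a host that bypasses the browser proxy setting still cannot reach the internet on 80/443, which is what makes the browser-side change enforceable rather than advisory.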

Ditto. It really is the best method. If they are all Windows based and on Active Directory, you can make a group policy to apply the proxy settings automatically, and the users will not be able to change them.

O.K., I'll see if I can handle this with a policy. Thanks for your replies.