09-30-2014 04:16 AM - edited 03-04-2019 11:51 PM
Hi All,
I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
In iptables its easy:
# PREROUTING: rewrite the destination of LAN web traffic to the proxy (DNAT)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
# POSTROUTING: source the redirected flows from the Linux box so the proxy's replies return through it (SNAT)
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
I am however, trying to work out a way to do this without the need of a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
Any ideas guys? I'm stuck.
Cheers,
Jordan.
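The three iptables rules above only work because the kernel's connection tracking remembers both rewrites (DNAT to the proxy, SNAT to the box's own address) and undoes them on the reply. The following toy model, added here as an illustration and not code from the thread, shows that pairing explicitly: a web flow gets its destination swapped for the proxy and its source swapped for the NAT box's outside address, and the proxy's reply is mapped back so the client sees an answer from the server it originally asked for. All addresses are constructed (RFC 5737 documentation ranges); `RedirectNat`, `Packet` and the port-allocation scheme are assumptions of this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; enough to show the address/port rewrites."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class RedirectNat:
    """Models PREROUTING DNAT-to-proxy plus POSTROUTING SNAT-to-own-address,
    together with the per-flow state needed to reverse both on the reply.
    (Hypothetical class for this example; not an iptables API.)"""

    def __init__(self, proxy_ip, outside_ip, ports=(80, 443)):
        self.proxy_ip = proxy_ip          # remote proxy (DNAT target)
        self.outside_ip = outside_ip      # NAT box's own address (SNAT target)
        self.ports = set(ports)           # TCP ports that get intercepted
        self._next_port = 40000           # constructed: first translated source port
        # translated (proto, outside_ip, nat_port) -> original 5-tuple
        self._flows = {}
        # original 5-tuple -> nat_port, so retransmits reuse one mapping
        self._by_orig = {}

    def outbound(self, pkt):
        """Apply DNAT + SNAT to a packet leaving the LAN; non-web traffic is untouched."""
        if pkt.proto != "tcp" or pkt.dst_port not in self.ports:
            return pkt
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._by_orig.get(key)
        if nat_port is None:
            nat_port = self._next_port
            self._next_port += 1
            self._by_orig[key] = nat_port
            self._flows[(pkt.proto, self.outside_ip, nat_port)] = key
        # DNAT: destination becomes the proxy, destination port unchanged (80->80, 443->443)
        # SNAT: source becomes the box's outside address so the proxy can reply to it
        return replace(pkt, src_ip=self.outside_ip, src_port=nat_port, dst_ip=self.proxy_ip)

    def inbound(self, pkt):
        """Reverse both translations on a reply from the proxy; None if no flow matches."""
        entry = self._flows.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if entry is None or pkt.src_ip != self.proxy_ip:
            return None
        _, client_ip, client_port, orig_dst_ip, orig_dst_port = entry
        # Undo SNAT (deliver to the client) and undo DNAT (reply appears to come from
        # the web server the client originally addressed, not from the proxy)
        return replace(pkt, src_ip=orig_dst_ip, src_port=orig_dst_port,
                       dst_ip=client_ip, dst_port=client_port)


if __name__ == "__main__":
    nat = RedirectNat(proxy_ip="203.0.113.10", outside_ip="198.51.100.1")
    req = Packet("tcp", "10.1.1.5", 51000, "93.184.216.34", 443)
    out = nat.outbound(req)
    print("to proxy :", out)
    reply = Packet("tcp", "203.0.113.10", 443, "198.51.100.1", out.src_port)
    print("to client:", nat.inbound(reply))
```

The model is deliberately stateful: drop the `_flows` table (or the SNAT step) and the proxy's reply has nowhere sensible to go, which is exactly why the router solution the thread is looking for needs more than a plain next-hop rewrite.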
09-30-2014 05:30 PM
From what I can understand, ASAs can do it. Not sure about routers though.
Anyone? :)
09-30-2014 09:04 PM
Sounds like you need a route-map to change the next IP hop?
This would be the best way to do it which will also verify the remote proxy server is available as well.
ip sla monitor 1
type echo protocol ipIcmpEcho <ip address of your proxy server>
timeout 3000
frequency 3
ip sla monitor schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
interface FastEthernet0/1
ip address <x.x.x.x x.x.x.x>
ip policy route-map REDIRECT-TO-PROXY
!
ip access-list extended webtraffic
! Deny traffic from your proxy server from redirecting
deny tcp host <ip address of your proxy server> any eq www
deny tcp host <ip address of your proxy server> any eq https
permit tcp <your ip network> <subnet mask> any eq www
permit tcp <your ip network> <subnet mask> any eq https
!
route-map REDIRECT-TO-PROXY permit 10
match ip address webtraffic
set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
If you don't already have a NAT rule setup to translate this traffic to the outside here is an example of that:
Here is how my router is configured.
interface FastEthernet0/0
ip address dhcp hostname home-rtr-1
ip nat outside
!
interface FastEthernet0/1
ip address 10.235.x.x 255.255.255.252
ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit <your ip network> <your ip subnet>
HTH
09-30-2014 09:28 PM
Hi There,
I appreciate the reply, but I think my issue may be slightly different in that the proxy I want to forward requests to is not in an adjacent subnet to the router.
I have done much the same thing as what you've described above, where I PBR port 80 and 443 traffic off to a Linux box with iptables in a directly accessible subnet, which then in turn does all the tricky packet modifications to change the destination IP etc. I might note also that the Linux box in question is not the proxy server; it is simply rewriting the destination IP address of any web requests to a remote proxy. It works well.
I'm just wondering if I need to bother about having that Linux box to do the NAT stuff if the Cisco can do it for me. The proxy in question is in the cloud, so it's not like I can hand directly off to it.
The only other option I've seen is GRE, as this can attach remote proxies as directly routable.
Cheers,
Jordan.
09-30-2014 09:28 PM
Sorry, I didn't catch that it was off-site. I don't have any experience with connecting to an off-site proxy. We handle all of our proxies through WCCP.
09-30-2014 09:23 PM
Also, does this proxy support WCCP? That might be an even easier connection to the proxy.
09-30-2014 09:24 PM
No, the proxy doesn't support WCCP unfortunately. This would be ideal.
12-12-2014 12:11 PM
I was looking for a similar solution...
Have you tried this?
Cisco IOS Destination-NAT
http://blog.lemieuxnc.net/2010/09/cisco-ios-destination-nat.html
I was able to use it to reroute DNS requests from a client 10.1.1.1 that was using server 192.168.1.1 and redirect the lookups to a different DNS server 192.168.1.2.
e.g.
pc 10.1.1.1 ---------------- 10.0.0.1 router 192.168.0.1 ---------------- dns server 192.168.1.1
(w/ dns set to use 192.168.1.1)                                            dns server 192.168.1.2