Jordan Dalley

Cisco 2921 destination NAT for transparent proxy

Hi All,

I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.

In iptables it's easy:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>

I am, however, trying to work out a way to do this without the need for a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm with some of the experts in here whether this is actually the case.

So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.

The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).

Any ideas guys? I'm stuck.
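As an added example (not code from the original post), the three rules above in iptables-restore form, generated by a small shell function so the whole nat table can be reviewed before it is loaded. It adds the pieces a practitioner usually wants around them: a RETURN ahead of the DNAT so packets already addressed to the proxy (or to the box itself) are not translated again, a source match so only the LAN prefix is redirected, a multiport SNAT, and the ip_forward sysctl. The interface name eth0, the LAN prefix 10.0.0.0/24, the box address 10.0.0.2 and the proxy address 203.0.113.10 are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates the nat-table
# rules a one-armed Linux box (single interface, as in the post) needs to push
# LAN web traffic to a remote proxy, in iptables-restore format, so the rule
# set can be reviewed before loading.
# Placeholder assumptions: LAN-facing interface eth0, LAN prefix 10.0.0.0/24,
# this box at 10.0.0.2, remote proxy at 203.0.113.10.

# gen_proxy_nat_rules LAN_IF LAN_NET SELF_IP PROXY_IP
# Prints a complete *nat table (rule order matters: RETURN before DNAT).
gen_proxy_nat_rules() {
    lan_if=$1 lan_net=$2 self_ip=$3 proxy_ip=$4

    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'

    # Guard against re-translation: packets already addressed to the proxy,
    # or to this box, leave the chain untouched. The router-side policy route
    # still has to exempt this box's address as a source, otherwise the
    # SNATed packet is policy-routed straight back here.
    printf '%s\n' "-A PREROUTING -i $lan_if -d $proxy_ip -j RETURN"
    printf '%s\n' "-A PREROUTING -i $lan_if -d $self_ip -j RETURN"

    # Only sources inside the LAN prefix are redirected; stray or spoofed
    # packets arriving on the LAN interface are left alone.
    for port in 80 443; do
        printf '%s\n' "-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport $port -j DNAT --to-destination $proxy_ip:$port"
    done

    # SNAT to this box so the proxy's replies come back through the same
    # conntrack entry and are un-DNATed on the way out; otherwise the proxy
    # would answer a client that never spoke to it, and the client would reset.
    printf '%s\n' "-A POSTROUTING -o $lan_if -d $proxy_ip -p tcp -m multiport --dports 80,443 -j SNAT --to-source $self_ip"

    printf '%s\n' 'COMMIT'
}

# apply_proxy_nat_rules LAN_IF LAN_NET SELF_IP PROXY_IP
# Loads the generated table (root required). --noflush keeps any other nat
# rules already present; forwarding must be on or the DNATed packet is dropped.
apply_proxy_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null &&
    gen_proxy_nat_rules "$@" | iptables-restore --noflush
}

# Review the rule set first (no root needed), then apply it:
#   gen_proxy_nat_rules eth0 10.0.0.0/24 10.0.0.2 203.0.113.10
#   apply_proxy_nat_rules eth0 10.0.0.0/24 10.0.0.2 203.0.113.10
```

Two caveats worth checking on such a setup. Because of the SNAT, the proxy sees the Linux box as the client and the original destination IP is gone from the packet; a transparent proxy recovers it from the HTTP Host header or, on 443, from the TLS SNI, so the proxy must either pass the TLS session through by SNI or terminate it with a CA the clients trust, or every HTTPS site will fail certificate validation. And after loading, `iptables -t nat -L -n -v --line-numbers` shows whether the counters on the RETURN and DNAT lines move in the order expected.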


Jordan Dalley

From what I can understand, ASA's can do it. Not sure about routers though.


Anyone? :)


Sounds like you need a route-map to change the next IP hop?

This would be the best way to do it, and it will also verify that the remote proxy server is available.


ip sla monitor 1
 type echo protocol ipIcmpEcho <ip address of your proxy server>
 timeout 3000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
!
! Object 123 is up only while the ICMP probe reaches the proxy
track 123 rtr 1 reachability
!
interface FastEthernet0/1
 ip address <x.x.x.x x.x.x.x>
 ip policy route-map REDIRECT-TO-PROXY
!
ip access-list extended webtraffic
 ! Deny traffic from your proxy server from redirecting
 deny tcp host <ip address of your proxy server> any eq www
 deny tcp host <ip address of your proxy server> any eq https
 permit tcp <your ip network> <subnet mask> any eq www
 permit tcp <your ip network> <subnet mask> any eq https
!
route-map REDIRECT-TO-PROXY permit 10
 match ip address webtraffic
 ! The next hop is used only while track 123 is up; otherwise normal routing applies
 set ip next-hop verify-availability <ip address of your proxy server> 1 track 123


If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that:

Here is how my router is configured.

interface FastEthernet0/0
 ip address dhcp hostname home-rtr-1
 ip nat outside
interface FastEthernet0/1
 ip address 10.235.x.x
 ip nat inside

ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit <your ip network> <your ip subnet>



Hi There,

I appreciate the reply, but I think my issue may be slightly different in that the proxy I want to forward requests to is not in an adjacent subnet to the router.

I have done much the same thing as what you've described above, where I PBR port 80 and 443 traffic off to a Linux box with iptables in a directly accessible subnet, which then in turn does all the tricky packet modifications to change the destination IP etc. I might note also that the Linux box in question is not the proxy server; it is simply rewriting the destination IP address of any web requests to a remote proxy. It works well.

I'm just wondering whether I need to bother with having that Linux box to do the NAT stuff if the Cisco can do it for me. The proxy in question is in the cloud, so it's not as if I can hand off directly to it.

The only other option I've seen is GRE, as this can attach remote proxies as directly routable.


Sorry, I didn't catch that it was off-site. I don't have any experience with connecting to an off-site proxy. We handle all of our proxies through WCCP.


Also, does this proxy support WCCP? That might be an even easier connection to the proxy.

No, the proxy doesn't support WCCP unfortunately. This would be ideal.


I was looking for a similar solution...

Have you tried this?

Cisco IOS Destination-NAT


I was able to use it to reroute DNS requests from a client that was configured to use one DNS server and redirect the lookups to a different DNS server.



pc ------------------------ router ------------------------ dns server
(w/ dns set to use the
 original dns server)


router .........
interface f0
 ip address
 ip nat inside
interface f1
 ip address
 ip nat outside
ip nat outside source static udp  53 53
Hope that helps
-mike brentlinger