I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
In iptables it's easy:
# Rewrite the destination of LAN-originated web traffic to the remote proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
# Source-NAT the redirected flows so the proxy's replies come back through this box
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
I am, however, trying to work out a way to do this without the need of a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
So to reiterate: I'm trying to intercept any outbound packets with destination port TCP 80 or 443 and change the destination IP to point to the remote proxy server.
The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
Any ideas guys? I'm stuck.
Sounds like you need a route-map to change the next IP hop?
This would be the best way to do it, which will also verify the remote proxy server is available as well.
! IP SLA probe that pings the proxy; the track object follows its reachability
ip sla monitor 1
type echo protocol ipIcmpEcho <ip address of your proxy server>
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
! Under the LAN-facing (inside) interface: apply the policy route-map
ip address <x.x.x.x x.x.x.x>
ip policy route-map REDIRECT-TO-PROXY
ip access-list extended webtraffic
! Deny traffic from your proxy server from redirecting
deny tcp host <ip address of your proxy server> any eq www
deny tcp host <ip address of your proxy server> any eq https
permit tcp <your ip network> <subnet mask> any eq www
permit tcp <your ip network> <subnet mask> any eq https
! Only set the next hop while track 123 reports the proxy as reachable
route-map REDIRECT-TO-PROXY permit 10
match ip address webtraffic
set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that:
Here is how my router is configured.
! Under the outside (WAN) interface, FastEthernet0/0 in the overload statement below
ip address dhcp hostname home-rtr-1
ip nat outside
! Under the inside (LAN) interface
ip address 10.235.x.x 255.255.255.252
ip nat inside
! PAT the LAN network behind the outside interface address
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit <your ip network> <your ip subnet>
I appreciate the reply, but I think my issue may be slightly different in that the proxy I want to forward requests to is not in an adjacent subnet to the router.
I have done much the same thing as what you've described above, where I PBR port 80 and 443 traffic off to a Linux box with iptables in a directly accessible subnet, which then in turn does all the tricky packet modifications to change the destination IP etc. I might note also that the Linux box in question is not the proxy server; it is simply just rewriting the destination IP address of any web requests to a remote proxy. It works well.
I'm just wondering if I need to bother about having that Linux box to do the NAT stuff if the Cisco can do it for me. The proxy in question is in the cloud, so it's not like I can hand directly off to it.
The only other option I've seen is GRE, as this can attach remote proxies as directly routable.
Sorry, I didn't catch that it was off-site. I don't have any experiences with connecting to an off-site proxy. We handle all of our proxies through WCCP.
I was looking for a similar solution...
Have you tried this?
Cisco IOS Destination-NAT
I was able to use it to reroute DNS requests from a client 10.1.1.1 that was using server 192.168.1.1 and redirect the lookups to a different DNS server 192.168.1.2
pc 10.1.1.1 -------------------------- 10.0.0.1 router 192.168.0.1 ------------------------ dns server 192.168.1.1
(w/ dns set to use 192.168.1.1)                                                               dns server 192.168.1.2
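As an added illustration of the destination-NAT approach in that last post (this is not the poster's own configuration), here is how the DNS redirect for the diagram above would be expressed with an IOS static outside-source translation; the interface names are assumed, and the command form is my understanding of the IOS NAT syntax rather than something the thread confirms.

```cisco
! LAN side: the client 10.1.1.1 sits behind this interface (interface name assumed)
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Server side: both DNS servers are reached through here (interface name assumed)
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
!
! Outside-source static translation: inside hosts see the real server
! 192.168.1.2 (outside global) under the address 192.168.1.1 (outside local).
! Inside-to-outside packets destined to 192.168.1.1 have their destination
! rewritten to 192.168.1.2; replies from 192.168.1.2 are rewritten back to
! 192.168.1.1 so the client still believes it is talking to its configured
! server. add-route installs the host route for 192.168.1.1 that the
! translation needs, since routing happens before translation in this direction.
ip nat outside source static 192.168.1.2 192.168.1.1 add-route
!
! Verify with: show ip nat translations
! Expect an entry with outside local 192.168.1.1 and outside global 192.168.1.2.
```

Note that a static entry like this maps one fixed outside-local address, which fits the single-server DNS case directly; the original question's "any destination, port 80/443" case is a different matching requirement, and the static form alone does not express it.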