ISR 1111 + SQUID

skulikov944
Level 1

Hello team.

I really want to understand and configure proxying of certain sites through my VPS in another country, but unfortunately I am failing.
I have a Cisco 1100 series router and a VPS with Squid.
I have tried a large number of configurations for this using WCCP and PBR.
Can someone suggest a working config on the router side using PBR and Squid?

I have tried this config on router:


ip access-list extended PROXY-ACL
permit tcp any host <vps-ip-address> eq 80
permit tcp any host <vps-ip-address> eq 443

ip access-list extended BYPASS-ACL
deny ip any host <vps-ip-address>
permit ip any any

route-map TRAFFIC-RMAP permit 10
match ip address BYPASS-ACL
set ip next-hop <next-hop-ip-address-to-gateway-my-isp>
!
route-map TRAFFIC-RMAP permit 20
match ip address PROXY-ACL
set ip next-hop <squid-ip-address>

interface <inside-interface>
ip address 192.168.1.1 255.255.255.0
ip nat inside

interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
ip policy route-map TRAFFIC-RMAP

ip nat inside source list PROXY-ACL interface gi0/0/0 overload

ip route 0.0.0.0 0.0.0.0 <next-hop-ip-address>

When I use this command on interface gi0/0/0, ip policy route-map TRAFFIC-RMAP, I lose internet.

Config for squid:

http_port 3128
acl localnet src 10.10.0.1/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all

http_port MY_PUB_IP_VPS:8080 intercept

acl proxy_domains dstdomain "/etc/squid/proxy_domains"

acl proxy_sites dstdomain "/etc/squid/proxy_sites"

http_access allow proxy_domains proxy_sites

ip policy route-map TRAFFIC-RMAP <<- apply this command under the LAN interface

interface <inside-interface>
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip policy route-map TRAFFIC-RMAP

I just applied this policy to the VLAN; the pages of the sites I check take a long time to load and then show an error that "cannot open this page".
I think I made a mistake somewhere, but I can't figure it out. What do I need to change?

Now my config looks like this:

ip access-list extended PROXY-ACL
10 permit tcp any host 90.90.90.90 eq www
20 permit tcp any host 90.90.90.90 eq 443


ip access-list extended BYPASS-ACL
deny ip any host 90.90.90.90
permit ip any any

route-map TRAFFIC-RMAP permit 10
match ip address BYPASS-ACL
set ip next-hop 130.130.130.1
!
route-map TRAFFIC-RMAP permit 20
match ip address PROXY-ACL
set ip next-hop 90.90.90.90


interface Vlan10
description WIRED
ip address 10.1.100.254 255.255.255.0
ip nat inside
ip policy route-map TRAFFIC-RMAP
ip virtual-reassembly

interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
negotiation auto
no cdp enable
ip virtual-reassembly
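As an added illustration, not from the thread: a small Python model of how IOS walks the route-map above clause by clause against the posted ACLs. It assumes a client 10.1.100.10 on Vlan10 and a constructed site address 203.0.113.10, and shows that only traffic already addressed to 90.90.90.90 receives the Squid next-hop, while traffic to any other site matches sequence 10 and goes to the ISP gateway.

```python
# Constructed model of the ACLs and route-map posted above. Simplified IOS
# extended-ACL semantics: (action, protocol, source, destination, tcp port);
# "any" matches everything, a bare address means "host <address>".
ACLS = {
    "PROXY-ACL": [
        ("permit", "tcp", "any", "90.90.90.90", 80),
        ("permit", "tcp", "any", "90.90.90.90", 443),
    ],
    "BYPASS-ACL": [
        ("deny", "ip", "any", "90.90.90.90", None),
        ("permit", "ip", "any", "any", None),
    ],
}
# route-map TRAFFIC-RMAP: (sequence, match ACL, set ip next-hop)
ROUTE_MAP = [
    (10, "BYPASS-ACL", "130.130.130.1"),  # ISP gateway
    (20, "PROXY-ACL", "90.90.90.90"),  # Squid VPS
]

def ace_matches(ace, proto, src, dst, dport):
    _action, aproto, asrc, adst, aport = ace
    return ((aproto == "ip" or aproto == proto) and asrc in ("any", src)
            and adst in ("any", dst) and (aport is None or aport == dport))

def acl_result(name, proto, src, dst, dport):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in ACLS[name]:
        if ace_matches(ace, proto, src, dst, dport):
            return ace[0]
    return "deny"

def policy_route(proto, src, dst, dport=None):
    """(sequence, next-hop) of the first clause whose match ACL permits the
    packet. A deny in a match ACL drops nothing; it only skips that clause.
    None means no clause matched and the routing table decides."""
    for seq, acl, next_hop in ROUTE_MAP:
        if acl_result(acl, proto, src, dst, dport) == "permit":
            return seq, next_hop
    return None

def squid_bound(flows):
    """Subset of (proto, src, dst, dport) flows that receive the Squid next-hop."""
    return [f for f in flows if policy_route(*f) == (20, "90.90.90.90")]

# Constructed flows from a Vlan10 client: a web site (TEST-NET-3 address
# 203.0.113.10), the Squid VPS itself, and a UDP flow to the VPS.
SAMPLE_FLOWS = [("tcp", "10.1.100.10", "203.0.113.10", 443),
                ("tcp", "10.1.100.10", "90.90.90.90", 443),
                ("udp", "10.1.100.10", "90.90.90.90", 53)]
for flow in SAMPLE_FLOWS:
    print(flow, "->", policy_route(*flow))
```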


We use PBR when we have multiple input points and TWO output points.
Here I see only one interface connected to the SP, g0/0/0, so why PBR?
And if there is another WAN interface, you must configure NAT to be aware of the next hop of the traffic.

There is no other WAN channel; I thought this problem is solved only with PBR or WCCP.
If I have one WAN channel, a couple of VLANs and a Squid server on the remote side, what can help me solve this problem?

What problem do you think will be solved by PBR?

Initially, I planned to use PBR to proxy certain subnets, on which external sites are hosted, towards Squid. Some solutions on the Internet describe such a scenario, but the information is vague, so I decided to experiment and sketched such a config.

Hmmm, that needs some deep thought.
I will update you soon.

Sure! Thanks a lot.

skulikov944
Level 1

Hi, I just wanted to ask how it's going. Did any of the options work out?

balaji.bandi
Hall of Fame

A couple of things need clarification:

1. What does your network diagram look like? Show us how the router, the Squid proxy and the user LAN are connected.

2. You have localnet 10.10.0.1/24? (which I do not see in your router config?) Squid only allows sources coming from that subnet; any other source will be denied by Squid.

3. Are you looking to redirect traffic to the proxy on the LAN side, or after NAT on the outside?


BB

Of course, I have this kind of scheme.
Let's say there are two countries; in one is the ISR 1111 and in the other is Squid.
I need to make it so that when certain sites are requested, the traffic goes exactly to country 2 and out through Squid.

[attached network diagram: skulikov944_1-1679235613255.png]

I also want to ask: is there any way to make it work for only certain sites?
I know I can configure an IPsec tunnel and put the networks I need on it to make the traffic from those networks go to Squid, but I need to know which sites have which subnets and domain names to tell the system to send me to Squid.
