11-06-2017 11:23 PM - edited 03-05-2019 09:26 AM
Hi Experts,
We are planning to put a proxy server in the network. Since we don't want to make any changes on the end-user PC browsers, we want to forward all end-user HTTP and HTTPS requests hitting the default gateway (core switch, 172.20.4.1) to the proxy server (172.20.4.100), and then forward the traffic again to the LAN switch and on to the ASA firewall.
Please find the attached diagram.
Thanks
Sreeraj
11-06-2017 11:59 PM
Hello,
Below is a basic PBR configuration. What core switch (model) do you have, and which IOS version are you running?
! Deny the proxy's own outbound web traffic first; without this the proxy's
! fetches (source 172.20.4.100) match the permit lines below and are
! next-hopped back to the proxy itself, which loops.
access-list 101 deny   tcp host 172.20.4.100 any
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
!
! Clause 10: matched HTTP/HTTPS is sent to the proxy (x.x.x.x = proxy address,
! 172.20.4.100 in this thread). Anything the ACL does not permit falls through
! to clause 20 and is routed normally.
route-map HTTP_HTTPS permit 10
 match ip address 101
 set ip next-hop x.x.x.x
!
route-map HTTP_HTTPS permit 20
!
! Apply on the SVI that the end-user PCs use as their default gateway
interface Vlan10
 ip policy route-map HTTP_HTTPS
11-07-2017 01:02 AM
Thanks for the prompt response !!!
Hi,
It is Cisco WS-C3850-48P hardware.
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.03SE RELEASE SOFTWARE (fc2).
Also, please do suggest, if the diagram attached, is a valid Network design for introducing proxy server in the network.
Best Regards
Sreeraj
11-07-2017 01:05 AM
Hello,
In your diagram it looks like the proxy server is sitting between the core switch and the firewall, so all traffic goes through the proxy server by default anyway?
11-07-2017 01:15 AM
Yes, planning to route all HTTP and HTTPS traffic through the proxy server. This is the design:
PC===>3850CoreSwitch==>Squid Proxy Server==>ASA Firewall.
Please help with the points below as well:
1. Will this work?
2. Hope we can connect the PC NIC interface to the ASA firewall as the INSIDE interface?
3. Will there be an issue with reverse traffic from the Internet through the ASA back to the proxy and PC?
Best Regards
Sreeraj
11-07-2017 07:50 AM
Going through the "flow chart" you uploaded, I feel we need to take a step back here. The PCs, proxy and the ASA are all on the same LAN segment in the same VLAN. I honestly do not see how route-maps will assist you when you are performing Layer 2 forwarding based on MAC address... If you can draw up an actual network diagram, it would assist in providing you with design ideas for your issue. And if your proxy is listening for proxy connections on, say, port 3128 or port 8080, then further down the rabbit hole we go... I'm not too confident in this design, tbh.
11-07-2017 11:34 PM
Thanks, Tinashe Ndhlovu, for the expert input.
I am attaching the detailed network diagram. Please check and suggest on the design and configuration.
Also, please advise on the points below.
Best Regards
Sreeraj
11-09-2017 05:50 AM
Hi,
Could you please shed more light on this? Maybe a design change is required to achieve this.
Best Regards
Sreeraj
11-09-2017 06:32 AM
Please comment with your expert inputs.
11-07-2017 06:20 AM - edited 11-07-2017 06:21 AM
Hello, you don't say what core switch you're using, but maybe Web Cache Communication Protocol (WCCP) would be applicable:
Basically you specify a forwarding proxy and apply it to the outgoing L3 interface of your core switch or router towards the proxy.
! Only the proxy at 172.20.4.100 may register as a cache engine
access-list 10 permit 172.20.4.100
! The 'web-cache' group is WCCP standard service 0 and redirects TCP/80 only;
! group-list 10 restricts which caches may join it
ip wccp web-cache group-list 10
ip wccp web-cache
! Redirect web traffic on this interface to the registered cache
interface x/x
 ip wccp web-cache redirect out
Regards
Paul
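The switch side above only works once Squid registers with the switch over WCCPv2 and accepts the redirected packets. The script below is an added example for this thread, not code from any poster or from the Squid project. It assumes the addresses already given in the thread (core switch SVI 172.20.4.1 as the WCCP router, Squid at 172.20.4.100 on eth0) and an intercept port of 3128; the directive and command names are real Squid 3.x, iproute2 and iptables ones. Note that the IOS 'web-cache' group is WCCP standard service 0 and carries TCP/80 only, so HTTPS is not redirected by it; whether your platform accepts `redirect out` or only `redirect in` on the client-facing interface is something to confirm in the 3850 WCCP configuration guide.

```shell
#!/bin/sh
# Added example (not from the thread): Squid/Linux side of a WCCPv2
# interception setup. Constructed values matching the thread:
#   WCCP router    = core switch SVI 172.20.4.1
#   Squid host     = 172.20.4.100, LAN NIC eth0
#   Intercept port = 3128
WCCP_ROUTER="172.20.4.1"
SQUID_IP="172.20.4.100"
LAN_IF="eth0"
INTERCEPT_PORT="3128"

# squid.conf directives: register with the router over WCCPv2, receive and
# return redirected packets over GRE, and accept them on an intercept port.
render_squid_wccp_conf() {
    cat <<EOF
# Redirected packets still carry the web server's IP as destination, so the
# listening port must be 'intercept', not a plain explicit-proxy http_port.
http_port ${INTERCEPT_PORT} intercept
wccp2_router ${WCCP_ROUTER}
wccp2_forwarding_method gre
wccp2_return_method gre
# standard service 0 == the IOS 'web-cache' service group (TCP/80 only)
wccp2_service standard 0
EOF
}

# Kernel plumbing (run as root): a GRE endpoint for the packets the switch
# redirects, and a NAT rule handing port-80 flows to Squid's intercept port.
apply_host_setup() {
    ip tunnel add wccp0 mode gre remote "${WCCP_ROUTER}" local "${SQUID_IP}" dev "${LAN_IF}"
    ip link set wccp0 up
    # Redirected packets are not addressed to this host; relax reverse-path
    # filtering on the tunnel so the kernel does not silently drop them.
    sysctl -w net.ipv4.conf.wccp0.rp_filter=0
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 \
        -j REDIRECT --to-port "${INTERCEPT_PORT}"
}

# Sanity check of the rendered fragment: each directive we depend on must be
# present exactly once. Returns 0 on success, 1 otherwise.
check_squid_wccp_conf() {
    conf=$(render_squid_wccp_conf)
    for directive in "http_port ${INTERCEPT_PORT} intercept" \
                     "wccp2_router ${WCCP_ROUTER}" \
                     "wccp2_service standard 0"; do
        n=$(printf '%s\n' "$conf" | grep -c "^${directive}\$")
        [ "$n" -eq 1 ] || return 1
    done
    return 0
}

case "${1:-}" in
    render) render_squid_wccp_conf ;;
    apply)  apply_host_setup ;;
    check)  check_squid_wccp_conf && echo "squid.conf fragment OK" ;;
esac
```

Run `sh wccp-squid.sh render` to print the squid.conf fragment and `sh wccp-squid.sh apply` (as root) for the tunnel and NAT rule. Because the proxy sits in the same VLAN as the clients, watch for Squid's own outbound fetches being redirected back to it; if that happens, exclude the cache's traffic on the switch with a WCCP redirect-list ACL or `ip wccp redirect exclude in` on the interface facing the cache.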
11-07-2017 10:42 PM
Thanks, Paul Driver, for providing this valuable input. I will try this.
Could you also suggest whether the attached design works?
PC===>3850CoreSwitch==>Squid Proxy Server==>ASA Firewall.
Please help with the points below as well:
1. Will this work?
2. Hope we can connect the PC NIC interface to the ASA firewall as the INSIDE interface?
3. Will there be an issue with reverse traffic from the Internet through the ASA back to the proxy and PC?
Best Regards
Sreeraj
11-09-2017 05:52 AM
Hi,
Could you please help with the design?
Best Regards
Sreeraj