Redirect web traffic via policy

stevemaunsell
Level 1

I've seen this question around but never a definitive answer. It seems people get confused about what the required outcome is, so I'll try and be detailed. We have a W2K3 domain with Catalyst 4507 routers.

Client (laptop, tablet etc) needs to redirect web traffic (port 80) to a proxy server that listens on port 8080.

Before you ask, this cannot be done using a PAC file distributed via Group Policy or the like because these devices are not controlled by us. These devices are client owned and could be non-Microsoft OS and/or non-IE browser. The theory is to have a WiFi network where clients can bring whatever they like - iPad, Android, Windows, whatever it may be - but we do not control them and therefore cannot send a PAC file to it. In the case of Android, it does not have a proxy setting even if we could force something.

I've looked at Policy Based Routing which appears to do half the job. I can route a web request that is on port 80 to a new location ie our proxy server. But the problem is that it arrives on the same port 80 when the proxy server only listens on port 8080.

I hope that defines the requirements and why certain suggestions that I've seen are not possible.

Anyone have any ideas how to do this?

10 Replies

shehzadtesleem
Level 1

Hi Steve;

I remember I have run the same scenario in my last job at an ISP; to achieve this objective my proxy port was 8080 and the redirection was made on the Linux proxy from 80 to 8080.

Below are the configurations of route-map.

route-map ProxyRedirect permit 10
 match ip address TransparentProxy
 set ip next-hop 202.1.3.1

ip access-list extended TransparentProxy
 deny   ip host 202.1.3.1 any
 permit tcp any any eq www
 permit tcp any any eq 443

HTH.

Shehzad Kharl

Shehzad, my initial post says "the proxy server only listens on port 8080". That is my requirement.

Not all proxy servers listen on port 80. I need a solution to redirect 80 to 8080.

Okay, Boss, I must say you have a very complex scenario. You can use one-to-one PAT, but this option might not work on a Cisco device. Anyway, try this and see if it works or not (I am not sure).

Enable ip nat inside and ip nat outside on respective interfaces.

ip nat inside source static tcp Proxy-IP 8080 router-IP 80

I'll give that a go and see what happens. Thanks.

But as for complex I strongly disagree. This is a simple, extremely common scenario. The only difference between your initial suggestion and my requirement is the proxy server listening on port 8080. I could list dozens of proxy servers that are available today that only listen on port 8080. Translating 80 to 8080 seems like a simple request to me.

Hi Steve,

I apologize for my above post which I have edited as well for readers of this forum.

I made mistake and asked you to change the proxy port from 8080 to 80(which is web server port).

Your scenario is complex because of some limitations.

Hey, can't you even do retranslation or redirection on the proxy server?

Ok, it seems Cisco cannot do this by itself. It's true, Cisco isn't the answer for everything!

I have an Ubuntu box that simply uses iptables to redirect traffic coming to it on port 80 to our proxy server on port 8080. It's 3 simple commands.

Now I need Cisco to direct traffic that's coming from clients on port 80 to the Ubuntu box, staying on port 80. I was looking at Policy Based Routing but it turns out for some reason (why?) I cannot run an 'ip policy' command on a VLAN interface. We have brand new Catalyst 4507s. Googling has found this can be done on other Catalysts, so why not ours? The commands I tried are below...

access-list 101 permit tcp 10.60.0.0 0.0.255.255 any eq www

route-map webtraffic permit 101
 match ip address 101
 set ip next-hop 10.100.0.9

interface vlan 60
 ip policy route-map webtraffic

Any ideas how to achieve this now?

Steve
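To sanity-check which flows a route-map like the ones posted above (the TransparentProxy ACL in the first reply and Steve's ACL 101) will actually divert to the proxy, here is a small evaluator for Cisco ACL + 'set ip next-hop' semantics. It is an added example, not code from the thread or from Cisco; the Packet tuple, the function names and the sample addresses are assumptions made here.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "https": 443}   # Cisco port keywords used in the thread's ACLs
Packet = namedtuple("Packet", "src dst proto dport")   # proto: "tcp", "udp" or "ip"

def _parse_addr(toks):
    """Consume one ACL address spec; return ((addr, wildcard) as ints, remaining tokens)."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (int(ipaddress.ip_address(toks[1])), 0), toks[2:]
    addr, wildcard = (int(ipaddress.ip_address(t)) for t in toks[:2])
    return (addr, wildcard), toks[2:]

def parse_ace(line):
    """Parse one numbered ('access-list 101 permit ...') or named ('permit ...') entry."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    src, toks = _parse_addr(toks[2:])
    dst, toks = _parse_addr(toks)
    dport = None
    if toks[:1] == ["eq"]:
        dport = PORT_NAMES.get(toks[1]) or int(toks[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = spec
    return (int(ipaddress.ip_address(ip)) | wildcard) == (addr | wildcard)

def ace_matches(ace, pkt):
    proto_ok = ace["proto"] in ("ip", pkt.proto)
    port_ok = ace["dport"] in (None, pkt.dport)
    return proto_ok and port_ok and _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)

def next_hop(acl_lines, set_next_hop, pkt):
    """Emulate 'route-map X permit' + 'match ip address ACL' + 'set ip next-hop': the first
    matching ACE wins; a permit diverts the packet, a deny (or the implicit deny at the end
    of every ACL) leaves it to the normal routing table."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return set_next_hop if ace["action"] == "permit" else "normal-routing"
    return "normal-routing"

# Constructed from the first reply's ACL: the leading deny keeps the proxy's own outbound
# web requests from being policy-routed back to itself (a forwarding loop).
TRANSPARENT_PROXY_ACL = ["deny ip host 202.1.3.1 any", "permit tcp any any eq www", "permit tcp any any eq 443"]
```

Note that ACL 101 as posted has no such deny for the Ubuntu box; that is only safe because 10.100.0.9 sits outside the 10.60.0.0/16 source range it matches.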

What IOS and feature set are you using on your 4500s? You should be able to do PBR on these switches. Also, what supervisor are you running?

As for translating the port, for that you need NAT, and unfortunately, apart from the 6500 switch, Catalyst switches don't support NAT, although all routers do, if you had a spare router you could somehow insert into your topology.

Jon

Here's some info from the Catalyst.

SERVER_ROOM_L2#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASE-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 27-Jan-11 12:13 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x12A709B8

ROM: 12.2(44r)SG9
Darkside Revision 4, Nexu Revision 12, Fortooine Revision 1.22

SERVER_ROOM_L2 uptime is 6 days, 18 hours, 7 minutes
Uptime for this control processor is 6 days, 18 hours, 7 minutes
System returned to ROM by power-on
System restarted at 23:58:49 AEST Tue Jul 12 2011
System image file is "bootflash:cat4500e-ipbase-mz.122-54.SG1.bin"

cisco WS-C4507R+E (MPC8548) processor (revision 12) with 524288K bytes of memory.
Processor board ID FOX1520G45F
MPC8548 CPU at 1GHz, Supervisor 6L-E
Last reset from PowerUp
84 Virtual Ethernet interfaces
152 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

SERVER_ROOM_L2#

I've got one of our suppliers having a look at possibilities. They reckon they have a way to do this without iptables and just with the Catalyst. I'll wait to see what they propose and post it here if it works.

Steve

You have IP Base on your switch and you need IP Services for PBR. So you would need to upgrade your IOS feature set.

Presumably if they are relatively new you have a SupV or better in them?

Jon

Sorry, it's a WS-X45-Sup6L-E.