Help with cisco router and diverting http traffic to internal web server

Ben Williams
Level 1

Dear All,

We have an internal proxy server listening on port 8080, all windows domain clients have been configured to use this proxy for IE, but we do have a lot of visitors connecting their laptops to our network, and although wpad is configured for this I would like to display a proxy information page if the client tries to access the internet without the correct proxy settings.

We have a Cisco 1941w router which is blocking ports 80 and 443 for all clients apart from the proxy server, is there some way to implement a rule which the router will divert any http requests to an internal web server hosting the proxy info page?

Thanks

13 Replies

Latchum Naidu
VIP Alumni

Hi,

Try applying a route-map on the interface (VLAN) to which the clients' network belongs.

route-map HTTP_Traffic permit 10
 match ip address 175
 set ip default next-hop 192.168.4.6
 ! 192.168.4.6 is your proxy server IP
!
ip access-list extended 175
 ! wildcard masks added so the entries parse; 0.0.0.255 assumes /24 client subnets
 permit tcp 192.168.2.0 0.0.0.255 any eq 80
 permit tcp 192.168.4.0 0.0.0.255 any eq 80
 permit tcp 192.168.6.0 0.0.0.255 any eq 80


Please rate the helpful posts.
Regards,
Naidu.

Thanks Naidu,

I assume the proxy server will need to be listening on port 80?

Thanks again

Yes....

And you are most welcome Ben....

Please rate the helpful posts.

Regards,

Naidu.

Naidu,

Would this work OK alongside the zone-based firewall?

thanks

ben

Hi,

It can, but you may have to modify the ZBF config.

Regards.

Alain.

Don't forget to rate helpful posts.

boss.silva
Level 1

Hello,

You can also use WCCP for traffic redirection.

Just another solution to the same problem.

Regards,

Bruno Silva.

Hi Bruno,

It is indeed a viable solution, but some proxy servers like Windows ISA Server don't understand WCCP.

Regards.

Alain.

Don't forget to rate helpful posts.

Naidu,

Can't seem to get it working with our proxy server; I think it's because it is unable to perform transparent proxying (GFI Webmonitor).

So I would like any http requests to be forwarded to an internal web server which will respond with a web page explaining the required proxy settings.

I've used the same route-map on the g0/1.300 interface to forward http traffic to web server 192.168.85.2, but still no joy; I must be doing something wrong.

Below is my config (amended) if you wouldn’t mind having a quick look for me please?

Building configuration...

Current configuration : 10850 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DH-514-1941w
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
ip source-route
ip cef
!
ip host wpad.dhvisitor.local 192.168.85.2
ip name-server 212.135.1.36
ip name-server 195.40.1.36
ip inspect tcp reassembly queue length 0
!
multilink bundle-name authenticated
!
parameter-map type ooo global
 tcp reassembly queue length 128
!
redundancy
!
controller SHDSL 0/0/0
 dsl-group 0 pairs 0
!
class-map type inspect match-any vpn-service-class
 match protocol https
 match protocol pptp
class-map type inspect match-all vpn-access-class
 match access-group 101
 match class-map vpn-service-class
class-map type inspect match-any dhcp-service-class
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any proxy-service-class
 match protocol http
 match protocol https
class-map type inspect match-all proxy-deny-class
 match class-map proxy-service-class
 match access-group 1
class-map type inspect match-any dhweb-service-class
 match protocol http
 match protocol https
 match protocol ftp
class-map type inspect match-all dhweb-access-class
 match access-group 102
 match class-map dhweb-service-class
class-map type inspect match-all invalid-class
 match access-group 100
class-map type inspect match-all gre-class
 match access-group name GRE
class-map type inspect match-any messagelabs-class
 match access-group name messagelabs-in
 match access-group name messagelabs-out
class-map type inspect match-any icmp-class
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all smtp-class
 match protocol smtp
 match class-map messagelabs-class
class-map type inspect match-all visitor-proxy-class
 match class-map proxy-service-class
 match access-group 2
class-map type inspect match-any general-traffic-class
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol icmp
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all dhcp-access-class
 match access-group 102
 match class-map dhcp-service-class
class-map type inspect match-all proxy-allow-class
 match class-map proxy-service-class
 match access-group 103
class-map type inspect match-all icmp-access-class
 match class-map icmp-class
!
policy-map type inspect outside-dmz-policy
 class type inspect dhweb-access-class
  inspect
 class class-default
  drop
policy-map type inspect dmz-outside-policy
 class type inspect invalid-class
  drop
 class class-default
  drop
policy-map type inspect visitor-outside-policy
 class type inspect invalid-class
  drop
 class type inspect gre-class
  pass
 class type inspect visitor-proxy-class
  drop
 class type inspect general-traffic-class
  inspect
 class class-default
  drop
policy-map type inspect visitor-dmz-policy
 class type inspect dhcp-access-class
  inspect
 class class-default
  drop
policy-map type inspect router-ext-access-policy
 class class-default
  drop
policy-map type inspect inside-outside-policy
 class type inspect invalid-class
  drop
 class type inspect smtp-class
  inspect
 class type inspect gre-class
  pass
 class type inspect proxy-allow-class
  inspect
 class type inspect proxy-deny-class
  drop
 class type inspect general-traffic-class
  inspect
 class class-default
  drop
policy-map type inspect outside-inside-policy
 class type inspect smtp-class
  inspect
 class type inspect vpn-access-class
  inspect
 class type inspect gre-class
  pass
 class class-default
  drop
policy-map type inspect inside-dmz-policy
 class type inspect dhweb-access-class
  inspect
 class class-default
  drop
policy-map type inspect permit-icmpreply-policy
 class type inspect icmp-access-class
  inspect
 class class-default
  pass
!
zone security inside
zone security outside
zone security dmz
zone security visitor
!
zone-pair security inside-outside source inside destination outside
 service-policy type inspect inside-outside-policy
zone-pair security outside-inside source outside destination inside
 service-policy type inspect outside-inside-policy
zone-pair security inside-dmz source inside destination dmz
 service-policy type inspect inside-dmz-policy
zone-pair security outside-dmz source outside destination dmz
 service-policy type inspect outside-dmz-policy
zone-pair security visitor-outside source visitor destination outside
 service-policy type inspect visitor-outside-policy
zone-pair security visitor-dmz source visitor destination dmz
 service-policy type inspect visitor-dmz-policy
zone-pair security self-outside source self destination outside
 service-policy type inspect permit-icmpreply-policy
zone-pair security outside-self source outside destination self
 service-policy type inspect router-ext-access-policy
!
interface GigabitEthernet0/0
 ip address 172.16.85.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet0/1.300
 encapsulation dot1Q 300
 ip address 192.168.85.1 255.255.255.224
 ip helper-address 10.0.0.2
 ip policy route-map http-divert
 ip nat inside
 ip virtual-reassembly
 zone-member security visitor
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 172.16.85.0 0.0.0.255
access-list 2 permit 192.168.85.0 0.0.0.31
access-list 3 permit 10.0.0.0 0.0.0.3
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 87.85.81.56 0.0.0.7 any
access-list 101 permit ip any host 172.16.85.5
access-list 102 permit ip any host 10.0.0.2
access-list 103 permit ip host 172.16.85.17 any
access-list 104 permit tcp 192.168.85.0 0.0.0.31 any eq 80
access-list 199 permit ip any any
!
route-map http-divert permit 10
 match ip address 104
 set ip default next-hop 192.168.85.2
!
control-plane
!
line con 0
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

Ben

set ip default next-hop 192.168.85.2

means check the routing table first and if there is no route then use PBR. It's not clear from your config whether there is a useable route as you don't seem to have posted the full config.

set ip next-hop 192.168.85.2

means use PBR before checking the routing table. I suspect, although can't say for sure without seeing the routing table, that this is the one you want to use.

Jon

Hi,

As Jon said, please change the route-map config as below, which should get things working.

route-map http-divert permit 10
 match ip address 104
 set ip next-hop 192.168.85.2


Please rate the helpful posts.
Regards,
Naidu.

Hmm, tried that and, looking at the web server log, I can see no sign of activity.

The results of show ip route; note that the intended web server and the route-map interface are on the same subnet, 192.168.85.0/27:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/30 is directly connected, GigabitEthernet0/1.400
L 10.0.0.1/32 is directly connected, GigabitEthernet0/1.400
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.85.0/24 is directly connected, GigabitEthernet0/0
L 172.16.85.254/32 is directly connected, GigabitEthernet0/0
192.168.85.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.85.0/27 is directly connected, GigabitEthernet0/1.300
L 192.168.85.1/32 is directly connected, GigabitEthernet0/1.300
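To make Jon's distinction concrete, here is an added Python model of the two route-map actions (this is example code written for this page, not anything posted in the thread). It reproduces the IOS decision order: `set ip next-hop` applies PBR before the routing table is consulted, while `set ip default next-hop` applies PBR only when the table has no explicit route for the destination, where the S* 0.0.0.0/0 default route does not count as explicit. The routing table is the `show ip route` output above, ACL 104 and the next hop come from Ben's config, and the sample packets are constructed to match the addresses in his later debug output. The 172.16.85.5 destination is the constructed case that shows where the two actions differ.

```python
"""Constructed model of Cisco IOS PBR: 'set ip next-hop' vs 'set ip default next-hop'.

Added example for this thread; not code from the thread or from Cisco.
ROUTES is Ben's 'show ip route', acl_104 is his access-list 104, NEXT_HOP is
the web server from his route-map. Packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

NEXT_HOP = "192.168.85.2"  # set ip [default] next-hop 192.168.85.2

# (prefix, egress interface, explicit?) -- the S* 0.0.0.0/0 entry is the only
# non-explicit route; 'default next-hop' treats it as "no route".
ROUTES = [
    ("0.0.0.0/0", "Dialer0", False),
    ("10.0.0.0/30", "GigabitEthernet0/1.400", True),
    ("172.16.85.0/24", "GigabitEthernet0/0", True),
    ("192.168.85.0/27", "GigabitEthernet0/1.300", True),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_104(pkt: Packet) -> bool:
    """access-list 104 permit tcp 192.168.85.0 0.0.0.31 any eq 80"""
    return pkt.proto == "tcp" and pkt.dport == 80 and wildcard_match(pkt.src, "192.168.85.0", "0.0.0.31")


def lookup(dst: str) -> Optional[Tuple[str, bool]]:
    """Longest-prefix match over ROUTES; returns (interface, explicit) or None."""
    addr = ipaddress.IPv4Address(dst)
    best_len, best = -1, None
    for prefix, iface, explicit in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, (iface, explicit)
    return best


def forward(pkt: Packet, action: Optional[str]) -> Tuple[str, str]:
    """Decide where a packet arriving on Gi0/1.300 goes.

    action: "next-hop", "default-next-hop" or None (no 'ip policy' on the interface).
    Returns ("pbr", next_hop) when the route-map wins, ("route", interface) when the
    routing table is used, or ("drop", "") when there is no route at all.
    """
    route = lookup(pkt.dst)
    if action is not None and acl_104(pkt):  # route-map http-divert permit 10 / match ip address 104
        if action == "next-hop":
            return ("pbr", NEXT_HOP)
        if action == "default-next-hop" and (route is None or not route[1]):
            return ("pbr", NEXT_HOP)
    if route is None:
        return ("drop", "")
    return ("route", route[0])


if __name__ == "__main__":
    google = Packet("192.168.85.4", "209.85.146.106", "tcp", 80)  # addresses from Ben's debug output
    internal = Packet("192.168.85.4", "172.16.85.5", "tcp", 80)   # constructed: an explicit /24 route exists
    bcast = Packet("192.168.85.4", "192.168.85.31", "udp", 138)   # constructed: not tcp/80, ACL 104 misses
    for pkt in (google, internal, bcast):
        for action in ("next-hop", "default-next-hop", None):
            print(pkt.dst, action, forward(pkt, action))
```

With Ben's table, both actions divert the Google packet, because the only route covering 209.85.146.106 is the default route; that agrees with the `FIB policy routed ... g=192.168.85.2` entries in the debug output he posts later. The two actions diverge only for a destination with an explicit route, such as the constructed 172.16.85.5 case. One caveat worth keeping in mind when reading the web server log: PBR changes the next hop, not the destination address, so the diverted packets still arrive at 192.168.85.2 addressed to 209.85.146.106, and a web server that only binds and answers for its own address will discard them unless it is set up to accept connections for arbitrary destinations.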

Hi guys, I ran a debug ip policy and tried to open www.google.com from a client on the 192.168.85.0 subnet; here are the results:

*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:19.312: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, policy match
*Aug 15 14:31:19.312: IP: route map http-divert, item 10, permit
*Aug 15 14:31:19.312: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106 (GigabitEthernet0/1.300), len 52, policy routed
*Aug 15 14:31:19.312: IP: GigabitEthernet0/1.300 to GigabitEthernet0/1.300 192.168.85.2
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, policy match
*Aug 15 14:31:22.324: IP: route map http-divert, item 10, permit

I assume this indicates it's working?

Although I just had this entry:

*Aug 15 14:36:21.164: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=192.168.85.31, len 229, policy rejected -- normal forwarding
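Reading `debug ip policy` output by eye gets hard once more than one client is involved, so here is an added Python summarizer (example code written for this page, not part of the thread). It parses the packet-level lines, groups them per (source, destination) flow, counts how often each flow was policy routed versus passed to normal forwarding, and flags any divert whose gateway is not the one the route-map should have set. The sample is Ben's debug output above, including the trailing `policy rejected` entry; the expected gateway 192.168.85.2 is the web server from his route-map.

```python
"""Summarize Cisco IOS 'debug ip policy' output per flow.

Added example for this thread, not Cisco's or the poster's code. SAMPLE_DEBUG is
copied from the debug output posted above; EXPECTED_GW is the next hop set by
route-map http-divert.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, Tuple

EXPECTED_GW = "192.168.85.2"

SAMPLE_DEBUG = """\
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:19.312: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, policy match
*Aug 15 14:31:19.312: IP: route map http-divert, item 10, permit
*Aug 15 14:31:19.312: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106 (GigabitEthernet0/1.300), len 52, policy routed
*Aug 15 14:31:19.312: IP: GigabitEthernet0/1.300 to GigabitEthernet0/1.300 192.168.85.2
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:36:21.164: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=192.168.85.31, len 229, policy rejected -- normal forwarding
"""

# Packet-level lines only; 'route map ... permit' and adjacency lines have no s=/d= and are skipped.
PACKET_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d+): IP: "
    r"s=(?P<src>\d+\.\d+\.\d+\.\d+) \((?P<iif>[^)]+)\), "
    r"d=(?P<dst>\d+\.\d+\.\d+\.\d+)(?: \((?P<oif>[^)]+)\))?"
    r"(?:, g=(?P<gw>\d+\.\d+\.\d+\.\d+))?, len (?P<length>\d+), (?P<verdict>.+)$"
)


def parse_packets(text: str) -> Iterator[dict]:
    """Yield one dict (ts, src, iif, dst, oif, gw, length, verdict) per packet line."""
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["length"] = int(d["length"])
            yield d


def summarize_flows(text: str, expected_gw: str) -> Dict[Tuple[str, str], dict]:
    """Per (src, dst): diverted/normal counts, gateways seen, and an unexpected-gateway flag.

    'FIB policy routed' (CEF path) and 'policy routed' (process path) both count as a
    divert; 'policy rejected -- normal forwarding' means the route-map did not match.
    The other verdicts ('FIB policy match', 'PBR Counted', 'policy match') are
    intermediate steps for the same packet and are not counted twice.
    """
    flows: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"diverted": 0, "normal": 0, "gateways": set(), "unexpected_gw": False}
    )
    for p in parse_packets(text):
        f = flows[(p["src"], p["dst"])]
        if p["verdict"] in ("FIB policy routed", "policy routed"):
            f["diverted"] += 1
            if p["gw"]:
                f["gateways"].add(p["gw"])
                if p["gw"] != expected_gw:
                    f["unexpected_gw"] = True
        elif p["verdict"].startswith("policy rejected"):
            f["normal"] += 1
    return dict(flows)


if __name__ == "__main__":
    for (src, dst), f in summarize_flows(SAMPLE_DEBUG, EXPECTED_GW).items():
        print(f"{src} -> {dst}: diverted={f['diverted']} normal={f['normal']} "
              f"gateways={sorted(f['gateways'])} unexpected_gw={f['unexpected_gw']}")
```

On this sample the 209.85.146.106 flow is diverted three times, always to 192.168.85.2, which is the router doing what the route-map asks. The single `policy rejected` entry is to 192.168.85.31, the broadcast address of 192.168.85.0/27, with a 229-byte payload: that is not a TCP port 80 packet, so ACL 104 correctly does not match it and it is forwarded normally. That entry is expected behaviour, not a sign the divert is failing.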

Hi,

See the thread below, which discussed the same kind of issue.
Following its suggestions may help you.

https://supportforums.cisco.com/message/117805


Please rate the helpful posts.
Regards,
Naidu.
