08-11-2011 04:03 AM - edited 03-07-2019 01:39 AM
Dear All,
We have an internal proxy server listening on port 8080, and all Windows domain clients have been configured to use this proxy for IE. However, we have a lot of visitors connecting their laptops to our network, and although WPAD is configured for this, I would like to display a proxy information page if a client tries to access the internet without the correct proxy settings.
We have a Cisco 1941w router which is blocking ports 80 and 443 for all clients apart from the proxy server. Is there some way to implement a rule by which the router will divert any HTTP requests to an internal web server hosting the proxy info page?
Thanks
08-11-2011 06:14 AM
Hi,
Try to apply route-map on the interface (VLAN) to which the clients network belongs.
route-map HTTP_Traffic permit 10
match ip address 175
set ip default next-hop 192.168.4.6 --->your proxy server IP
ip access-list extended 175
! wildcard masks assumed to be /24; the original post omitted them, and IOS requires a wildcard (or "host") after a source network
permit tcp 192.168.2.0 0.0.0.255 any eq 80
permit tcp 192.168.4.0 0.0.0.255 any eq 80
permit tcp 192.168.6.0 0.0.0.255 any eq 80
Please rate the helpful posts.
Regards,
Naidu.
08-11-2011 06:50 AM
Thanks Naidu,
I assume the proxy server will need to be listening on port 80?
Thanks again
08-11-2011 07:25 AM
Yes....
And you are most welcome Ben....
Please rate the helpful posts.
Regards,
Naidu.
08-13-2011 08:54 AM
Naidu,
Would this work OK alongside zone-based firewall?
thanks
ben
08-13-2011 09:39 AM
Hi,
It can, but you may have to modify the ZBF config.
Regards.
Alain.
08-11-2011 02:57 PM
Hello,
You can also use WCCP for traffic redirection.
Just another solution to the same problem.
Regards,
Bruno Silva.
08-13-2011 09:36 AM
Hi Bruno,
It is indeed a viable solution, but some proxy servers like Windows ISA Server don't understand WCCP.
Regards.
Alain.
08-15-2011 02:14 AM
Naidu,
I can’t seem to get it working with our proxy server; I think it’s because it’s unable to perform transparent proxying (GFI Webmonitor).
So I would like any HTTP requests to be forwarded to an internal web server which will respond with a web page explaining the required proxy settings.
I’ve used the same route-map on the g0/1.300 interface to forward HTTP traffic to web server 192.168.85.2, but still no joy; I must be doing something wrong.
Below is my config (amended), if you wouldn’t mind having a quick look for me please?
Building configuration...
Current configuration : 10850 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DH-514-1941w
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
!
!
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip host wpad.dhvisitor.local 192.168.85.2
ip name-server 212.135.1.36
ip name-server 195.40.1.36
ip inspect tcp reassembly queue length 0
!
multilink bundle-name authenticated
!
parameter-map type ooo global
tcp reassembly queue length 128
!
!
!
!
!
redundancy
!
!
controller SHDSL 0/0/0
dsl-group 0 pairs 0
!
!
!
class-map type inspect match-any vpn-service-class
match protocol https
match protocol pptp
class-map type inspect match-all vpn-access-class
match access-group 101
match class-map vpn-service-class
class-map type inspect match-any dhcp-service-class
match protocol bootpc
match protocol bootps
class-map type inspect match-any proxy-service-class
match protocol http
match protocol https
class-map type inspect match-all proxy-deny-class
match class-map proxy-service-class
match access-group 1
class-map type inspect match-any dhweb-service-class
match protocol http
match protocol https
match protocol ftp
class-map type inspect match-all dhweb-access-class
match access-group 102
match class-map dhweb-service-class
class-map type inspect match-all invalid-class
match access-group 100
class-map type inspect match-all gre-class
match access-group name GRE
class-map type inspect match-any messagelabs-class
match access-group name messagelabs-in
match access-group name messagelabs-out
class-map type inspect match-any icmp-class
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all smtp-class
match protocol smtp
match class-map messagelabs-class
class-map type inspect match-all visitor-proxy-class
match class-map proxy-service-class
match access-group 2
class-map type inspect match-any general-traffic-class
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol icmp
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all dhcp-access-class
match access-group 102
match class-map dhcp-service-class
class-map type inspect match-all proxy-allow-class
match class-map proxy-service-class
match access-group 103
class-map type inspect match-all icmp-access-class
match class-map icmp-class
!
!
policy-map type inspect outside-dmz-policy
class type inspect dhweb-access-class
inspect
class class-default
drop
policy-map type inspect dmz-outside-policy
class type inspect invalid-class
drop
class class-default
drop
policy-map type inspect visitor-outside-policy
class type inspect invalid-class
drop
class type inspect gre-class
pass
class type inspect visitor-proxy-class
drop
class type inspect general-traffic-class
inspect
class class-default
drop
policy-map type inspect visitor-dmz-policy
class type inspect dhcp-access-class
inspect
class class-default
drop
policy-map type inspect router-ext-access-policy
class class-default
drop
policy-map type inspect inside-outside-policy
class type inspect invalid-class
drop
class type inspect smtp-class
inspect
class type inspect gre-class
pass
class type inspect proxy-allow-class
inspect
class type inspect proxy-deny-class
drop
class type inspect general-traffic-class
inspect
class class-default
drop
policy-map type inspect outside-inside-policy
class type inspect smtp-class
inspect
class type inspect vpn-access-class
inspect
class type inspect gre-class
pass
class class-default
drop
policy-map type inspect inside-dmz-policy
class type inspect dhweb-access-class
inspect
class class-default
drop
policy-map type inspect permit-icmpreply-policy
class type inspect icmp-access-class
inspect
class class-default
pass
!
zone security inside
zone security outside
zone security dmz
zone security visitor
!
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-policy
zone-pair security outside-inside source outside destination inside
service-policy type inspect outside-inside-policy
zone-pair security inside-dmz source inside destination dmz
service-policy type inspect inside-dmz-policy
zone-pair security outside-dmz source outside destination dmz
service-policy type inspect outside-dmz-policy
zone-pair security visitor-outside source visitor destination outside
service-policy type inspect visitor-outside-policy
zone-pair security visitor-dmz source visitor destination dmz
service-policy type inspect visitor-dmz-policy
zone-pair security self-outside source self destination outside
service-policy type inspect permit-icmpreply-policy
zone-pair security outside-self source outside destination self
service-policy type inspect router-ext-access-policy
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 172.16.85.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
no mop enabled
no mop sysid
!
!
interface GigabitEthernet0/1.300
encapsulation dot1Q 300
ip address 192.168.85.1 255.255.255.224
ip helper-address 10.0.0.2
ip policy route-map http-divert
ip nat inside
ip virtual-reassembly
zone-member security visitor
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 172.16.85.0 0.0.0.255
access-list 2 permit 192.168.85.0 0.0.0.31
access-list 3 permit 10.0.0.0 0.0.0.3
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 87.85.81.56 0.0.0.7 any
access-list 101 permit ip any host 172.16.85.5
access-list 102 permit ip any host 10.0.0.2
access-list 103 permit ip host 172.16.85.17 any
access-list 104 permit tcp 192.168.85.0 0.0.0.31 any eq 80
access-list 199 permit ip any any
!
!
!
!
route-map http-divert permit 10
match ip address 104
set ip default next-hop 192.168.85.2
!
!
control-plane
!
!
!
line con 0
line aux 0
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
login
!
scheduler allocate 20000 1000
end
08-15-2011 02:19 AM
Ben
set ip default next-hop 192.168.85.2
means check the routing table first and if there is no route then use PBR. It's not clear from your config whether there is a useable route as you don't seem to have posted the full config.
set ip next-hop 192.168.85.2
means use PBR before checking the routing table. I suspect, although can't say for sure without seeing the routing table, that this is the one you want to use.
Jon
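To make Jon's distinction concrete, here is an added Python model (not from the thread or from Cisco) of how the http-divert route-map decides a packet's fate under each set clause, using the routing table and access-list 104 that Ben posted. The packet dictionary layout is an assumption, as is the rule that the 0.0.0.0/0 route does not count as an explicit route for "set ip default next-hop".

```python
import ipaddress

# Constructed from the "show ip route" output posted in the thread.
ROUTING_TABLE = [
    ("0.0.0.0/0", "Dialer0"),                        # S* default route
    ("10.0.0.0/30", "GigabitEthernet0/1.400"),       # C
    ("172.16.85.0/24", "GigabitEthernet0/0"),        # C
    ("192.168.85.0/27", "GigabitEthernet0/1.300"),   # C
]
# access-list 104 permit tcp 192.168.85.0 0.0.0.31 any eq 80
ACL_104 = {"proto": "tcp", "src": "192.168.85.0/27", "dport": 80}
PBR_NEXT_HOP = "192.168.85.2"   # set ip [default] next-hop 192.168.85.2


def packet(src, dst, proto="tcp", dport=80):
    """Constructed packet record (assumed layout, not an IOS structure)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def explicit_route(dst):
    """Longest-prefix match that ignores the default route: this is the
    'is there an explicit route?' test behind `set ip default next-hop`."""
    best = None
    for prefix, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:          # assumption: 0/0 is not 'explicit'
            continue
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_match(pkt):
    """Does the packet hit access-list 104 (the route-map's match clause)?"""
    return (pkt["proto"] == ACL_104["proto"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(ACL_104["src"])
            and pkt["dport"] == ACL_104["dport"])


def forward(pkt, set_clause):
    """Return the chosen next hop; set_clause is 'next-hop' or 'default next-hop'."""
    if not acl_match(pkt):
        return "normal forwarding"      # debug shows this as 'policy rejected'
    if set_clause == "next-hop":
        return PBR_NEXT_HOP             # PBR is consulted before the routing table
    if set_clause == "default next-hop":
        via = explicit_route(pkt["dst"])
        return "normal forwarding via " + via if via else PBR_NEXT_HOP
    raise ValueError("unknown set clause: " + set_clause)
```

With Ben's table, an HTTP request to an Internet address only matches the default route, so both clauses divert it to 192.168.85.2; an HTTP request to a directly connected network is diverted only under "set ip next-hop".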
08-15-2011 02:29 AM
Hi,
As Jon said, please change the route-map config as below, which should help to get things working.
route-map http-divert permit 10
match ip address 104
set ip next-hop 192.168.85.2
Please rate the helpful posts.
Regards,
Naidu.
08-15-2011 02:50 AM
Hmm, tried that, and looking at the web server log I can see no sign of activity.
The results of show ip route are below; note that the intended web server and the route-map interface are on the same subnet, 192.168.85.0/27.
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/30 is directly connected, GigabitEthernet0/1.400
L 10.0.0.1/32 is directly connected, GigabitEthernet0/1.400
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.85.0/24 is directly connected, GigabitEthernet0/0
L 172.16.85.254/32 is directly connected, GigabitEthernet0/0
192.168.85.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.85.0/27 is directly connected, GigabitEthernet0/1.300
L 192.168.85.1/32 is directly connected, GigabitEthernet0/1.300
08-15-2011 06:42 AM
Hi guys, I ran a debug ip policy and tried to open www.google.com on a client on the 192.168.85.0 subnet, and here are the results:
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:19.308: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:19.312: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, policy match
*Aug 15 14:31:19.312: IP: route map http-divert, item 10, permit
*Aug 15 14:31:19.312: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106 (GigabitEthernet0/1.300), len 52, policy routed
*Aug 15 14:31:19.312: IP: GigabitEthernet0/1.300 to GigabitEthernet0/1.300 192.168.85.2
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:19.424: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, FIB policy match
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, PBR Counted
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, g=192.168.85.2, len 52, FIB policy routed
*Aug 15 14:31:22.324: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=209.85.146.106, len 52, policy match
*Aug 15 14:31:22.324: IP: route map http-divert, item 10, permit
I assume this indicates it's working?
Although I just had this entry:
*Aug 15 14:36:21.164: IP: s=192.168.85.4 (GigabitEthernet0/1.300), d=192.168.85.31, len 229, policy rejected -- normal forwarding
08-16-2011 12:29 AM
Hi,
See the thread below, which discussed the same kind of issue.
Following the suggestions there may help you.
https://supportforums.cisco.com/message/117805
Please rate the helpful posts.
Regards,
Naidu.