03-30-2011 02:39 PM - edited 03-06-2019 04:21 PM
Hi,
I was wondering how can I redirect traffic for HTTP from 1841 Cisco router to my external Squid proxy server outside our LAN please?
Thanks,
jack
03-30-2011 03:25 PM
konddorjet wrote:
Hi,
I was wondering how can I redirect traffic for HTTP from 1841 Cisco router to my external Squid proxy server outside our LAN please?
Thanks,
jack
Jack
Do you mean redirect traffic from your LAN going to the internet to your proxy server?
If so, why not just set the proxy server in the browser settings on the client PC?
If you can't do this you can use PBR and I'm happy to provide a config example, but just wanted to clarify exactly what you want.
Jon
03-30-2011 07:28 PM
Jon.
Thanks for the reply,
So I mean to redirect HTTP traffic from my LAN going to the internet to our proxy server.
Currently we would like to have it transparent to our client PCs.
Can you give me a PBR config example and how can we use it?
Thanks,
jack
03-31-2011 02:34 AM
Jack
Assuming your LAN is 192.168.5.0/24 and 192.168.6.0/24:
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq http
access-list 101 permit tcp 192.168.6.0 0.0.0.255 any eq http
route-map PBR permit 10
 match ip address 101
 set ip next-hop
Then on the interface that the traffic arrives on from the LAN:
int gi0/1
 ip policy route-map PBR
So int gi0/1 will be on your 1841 and will be the LAN-facing interface.
Jon
03-31-2011 07:45 PM
Jon,
Thank you for your help.
Can't get it working. Setting the proxy server IP+port in my client browser, all is working;
client is using the proxy server IP address etc.
Using the PBR example above, client is using the firewall WAN IP address instead and no connection to the proxy server.
Do I need the proxy port in the PBR, so the client PC will use the proxy server IP, without setting it in the browser?
Please help.
My config above:
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 speed 100
 full-duplex
 arp timeout 1800
!
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq www
route-map natmap permit 10
 match ip address 110
!
route-map PBR permit 5
 match ip address 101
 set ip next-hop
Thanks,
jack
04-01-2011 12:43 AM
Jack
What is the address of the proxy server and where is it in relation to the 1841, i.e. which interface does the 1841 use to get to it?
Jon
04-01-2011 08:20 AM
According to the example, the relation in the 1841 config is here:
route-map PBR permit 5
 match ip address 101
 set ip next-hop 74.63.23.120
Interface FastEthernet0/1 with IP NAT outside is used to route all our LAN connections outside to the internet and to our proxy server.
Thanks
04-01-2011 11:19 AM
So the proxy server is reached from the outside interface just as the firewall is?
When you do a traceroute from the client, do you see it hitting the firewall IP instead of the proxy?
Can you post a brief topology to show where the firewall and proxy are in relation to each other?
Jon
04-01-2011 12:22 PM
Jon,
Running Cisco Model 1841 IOS Version 12.4(3d)
interface FastEthernet0/0 (internal inside network)
ip address 192.168.10.1 netmask 255.255.255.0
interface FastEthernet0/1 (WAN connected to ISP network)
ip address 48.29.222.134 netmask 255.255.255.252
A proxy server hosting outside in the internet company
running Linux Squid v 2.7, IP address 74.63.23.120
The proxy server is reachable by setting its IP+port on the LAN client browser PC.
Tracing route from the LAN client PC, it's hitting the firewall interface FastEthernet0/0 192.168.10.1 gateway.
I will be more than happy to provide you more information to help fix our issue.
Appreciate your help.
Thanks
jack
04-01-2011 02:07 PM
Jack
Tracing route from the LAN client pc it's hitting the firewall interface FastEthernet0/0 192.168.10.1 gateway
But that is to be expected, isn't it? To get to the internet you need to go via the 1841? Do you have a separate firewall, because the above statement makes it sound like the 1841 is the firewall?
PBR would work like this -
Any traffic from your LAN would arrive at fa0/0 where you have applied PBR. The access-list in the route-map is then consulted and if it is HTTP traffic it is sent to a different next-hop than if it is any other traffic. However this supposes that there are 2 different next-hops. PBR simply overrides the routing table, it doesn't mark the packet in any way.
Now your proxy server is hosted on the internet. If the 1841 reaches the proxy server via the same route it reaches the rest of the internet then PBR wouldn't work because PBR only deals with the next-hop, i.e. the next L3 device in the path. So in this case PBR assumes 2 different paths to the internet but it sounds like you don't have that. I was assuming you hosted your proxy server between your 1841 and your firewall, so instead of using the default route from your 1841 to the firewall the PBR would instead send the packet to the proxy server first.
What you could try is, instead of
set ip next-hop
try
set ip next-hop recursive
The recursive keyword means the next-hop doesn't have to be directly connected to the 1841. I am dubious as to whether it will work though.
Jon
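Added example, not part of the original thread: a simplified Python model of the forwarding decision Jon describes, showing that PBR only changes the adjacent next hop and never the packet's destination, so a proxy reached over the same default route never receives the traffic. The ISP gateway 48.29.222.133, the client 192.168.10.50 and the web server 203.0.113.10 are constructed values, and the handling of a non-adjacent next hop is a modelling assumption.

```python
import ipaddress

# Constructed model of the 1841 in the thread. The ISP gateway 48.29.222.133 is
# an assumption (the other host in the WAN /30); it is not given in the thread.
CONNECTED = {
    "Fa0/0": ipaddress.ip_network("192.168.10.0/24"),
    "Fa0/1": ipaddress.ip_network("48.29.222.132/30"),
}
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "48.29.222.133")]  # default route
ACL_101_SRC = ipaddress.ip_network("192.168.10.0/24")  # permit tcp ... any eq www
PROXY = "74.63.23.120"


def connected_iface(ip):
    """Return the interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((i for i, n in CONNECTED.items() if addr in n), None)


def rib_next_hop(dst):
    """Longest-prefix match: the adjacent router used to reach dst."""
    if connected_iface(dst):
        return dst
    addr = ipaddress.ip_address(dst)
    matches = [(n.prefixlen, gw) for n, gw in ROUTES if addr in n]
    return max(matches)[1] if matches else None


def forward(pkt, set_next_hop=None, recursive=False):
    """Return (adjacent next hop, destination IP left in the packet)."""
    hop = rib_next_hop(pkt["dst"])  # normal routing result
    matches_acl = (ipaddress.ip_address(pkt["src"]) in ACL_101_SRC
                   and pkt["proto"] == "tcp" and pkt["dport"] == 80)
    if set_next_hop and matches_acl:
        if connected_iface(set_next_hop):
            hop = set_next_hop                 # adjacent: PBR overrides routing
        elif recursive:
            hop = rib_next_hop(set_next_hop)   # resolved through the routing table
        # assumption: non-adjacent without 'recursive' falls back to normal routing
    return hop, pkt["dst"]  # PBR never rewrites the destination address


# Constructed packet: LAN client browsing to a documentation-range web server.
PKT = {"src": "192.168.10.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
for label, kw in [("no PBR", {}), ("next-hop proxy", {"set_next_hop": PROXY}),
                  ("recursive", {"set_next_hop": PROXY, "recursive": True})]:
    print(label, forward(PKT, **kw))
```

All three cases leave the router with the same adjacent hop and the original destination address; only a proxy on a directly connected subnet changes the path.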
08-01-2011 09:14 AM
Kondy,
You can redirect HTTP traffic to Squid. But to redirect HTTPS traffic to Squid you need to configure SSL on Squid, and you cannot use the Squid transparent proxy feature with Squid SSL.
Please check this post for more help:
http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html