How to redirect HTTP LAN traffic to a proxy server from 1841

konddorjet
Level 1


Hi,

I was wondering how I can redirect HTTP traffic from a 1841 Cisco router to my external Squid proxy server outside our LAN, please?

Thanks,

jack

10 Replies

Jon Marshall
Hall of Fame

konddorjet wrote:


Hi,

I was wondering how I can redirect HTTP traffic from a 1841 Cisco router to my external Squid proxy server outside our LAN, please?

Thanks,

jack

Jack

Do you mean redirect traffic from your LAN going to the internet to your proxy server?

If so, why not just set the proxy server in the browser settings on the client PC?

If you can't do this you can use PBR, and I'm happy to provide a config example, but I just wanted to clarify exactly what you want.

Jon

Jon.

Thanks for the reply,

So I mean redirect HTTP traffic from my LAN going to the internet to our proxy server.

Currently we would like to have it transparent to our client PCs.

Can you give me a PBR config example and how we can use it?

Thanks,

jack

Jack

assuming your LAN is 192.168.5.0/24 and 192.168.6.0/24

access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq http
access-list 101 permit tcp 192.168.6.0 0.0.0.255 any eq http
route-map PBR permit 10
 match ip address 101
 set ip next-hop

then on the interface that the traffic arrives on from the LAN -

int gi0/1
 ip policy route-map PBR

so int gi0/1 will be on your 1841 and will be the LAN facing interface.

Jon

Jon,

Thank you for your help

I can't get it working. Setting the proxy server IP+port in my client browser, all is working:

the client is using the proxy server IP address etc.

Using the PBR example above the client is using the firewall WAN IP address instead and there is no connection to the proxy server.

Do I need the proxy port in the PBR, so the client PC will use the proxy server IP without setting it in the browser??

please help..

My config:

interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 speed 100
 full-duplex
 arp timeout 1800
!
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq www
route-map natmap permit 10
 match ip address 110
!
route-map PBR permit 5
 match ip address 101
 set ip next-hop

Thanks,

jack

Jack

What is the address of the proxy server and where is it in relation to the 1841, ie. which interface does the 1841 use to get to it?

Jon

According to the example, the relation in the 1841 config is here:

route-map PBR permit 5
 match ip address 101
 set ip next-hop 74.63.23.120

Interface FastEthernet0/1, with ip nat outside, is used to route all our LAN connections outside to the internet and to our proxy server.

Thanks

So the proxy server is reached from the outside interface just as the firewall is?

When you do a traceroute from the client, do you see it hitting the firewall IP instead of the proxy?

Can you post a brief topology to show where the firewall and proxy are in relation to each other?

Jon

Jon,

running Cisco model 1841, IOS version 12.4(3d)

interface FastEthernet0/0 (internal inside network)
 ip address 192.168.10.1 netmask 255.255.255.0

interface FastEthernet0/1 (WAN connected to ISP network)
 ip address 48.29.222.134 netmask 255.255.255.252

a proxy server hosted outside at an internet company

running Linux Squid v2.7, IP address 74.63.23.120

The proxy server is reachable by setting its IP+port in the LAN client PC's browser.

Tracing the route from the LAN client PC, it's hitting the firewall interface FastEthernet0/0 192.168.10.1 gateway.

I will be more than happy to provide you more information to help fix our issue.

appreciate your help

Thanks

jack

Jack

Tracing route from the LAN client pc it's hitting the firewall interface FastEthernet0/0 192.168.10.1 gateway

But that is to be expected, isn't it? To get to the internet you need to go via the 1841? Do you have a separate firewall, because the above statement makes it sound like the 1841 is the firewall?

PBR would work like this -

any traffic from your LAN would arrive at fa0/0 where you have applied PBR. The access-list in the route-map is then consulted and if it is http traffic it is sent to a different next-hop than if it is any other traffic. However this supposes that there are 2 different next-hops. PBR simply overrides the routing table, it doesn't mark the packet in any way.

Now your proxy server is hosted on the internet. If the 1841 reaches the proxy server via the same route it reaches the rest of the internet then PBR wouldn't work because PBR only deals with the next-hop ie. the next L3 device in the path. So in this case PBR assumes 2 different paths to the internet but it sounds like you don't have that. I was assuming you hosted your proxy server between your 1841 and your firewall so instead of using the default-route from your 1841 to the firewall the PBR would instead send the packet to the proxy server first.

What you could try is, instead of

set ip next-hop

try

set ip next-hop recursive

the recursive keyword means the next-hop doesn't have to be directly connected to the 1841. I am dubious as to whether it will work though.

Jon
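The forwarding behaviour Jon describes above, as an added example that is not part of the thread and not Cisco IOS: a small Python model of the PBR decision on the 1841. It uses the addresses posted in the thread (LAN 192.168.10.0/24 on fa0/0, WAN 48.29.222.134/30 on fa0/1, Squid at 74.63.23.120); the ISP gateway 48.29.222.133, the hypothetical on-LAN proxy 192.168.10.50 and the client/web-site addresses are assumptions constructed for the example. It shows the three cases the thread turns on: a plain `set ip next-hop` to a host that is not on a connected subnet is not applied and the packet follows the default route; `recursive` resolves the proxy address through the routing table and still hands the packet to the ISP gateway, with the original destination IP untouched, so the proxy never sees it; only a next hop on a directly connected subnet actually diverts the packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of Cisco PBR: the route-map ACL selects packets, "set ip
# next-hop" only changes where the packet is handed off, and the destination
# IP is never rewritten.  Addresses marked "assumed" are not from the thread.
ISP_GATEWAY = "48.29.222.133"       # assumed: other host of the 48.29.222.132/30 WAN link
INTERNET_PROXY = "74.63.23.120"     # from the thread: Squid hosted on the internet
LAN_PROXY = "192.168.10.50"         # hypothetical proxy on the connected LAN


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class AclEntry:
    """One 'permit' line of an extended ACL, e.g.
    access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq www"""
    proto: str
    src_net: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    # First matching permit wins; an extended ACL ends with an implicit deny.
    return any(
        e.proto == pkt.proto
        and ipaddress.ip_address(pkt.src) in e.src_net
        and (e.dport is None or e.dport == pkt.dport)
        for e in acl
    )


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None   # None means directly connected


class Router:
    def __init__(self, routes: List[Route], route_map=None):
        # Longest prefix first, as a routing-table lookup would choose it.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.route_map = route_map   # (acl, next_hop, recursive) or None

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        return next((r for r in self.routes if ip in r.prefix), None)

    def forward(self, pkt: Packet) -> dict:
        """Return how the packet leaves the router; 'dst' is always unchanged."""
        if self.route_map and acl_permits(self.route_map[0], pkt):
            _, nh, recursive = self.route_map
            r = self.lookup(nh)
            if r and r.next_hop is None:          # next hop sits on a connected subnet
                return {"via": "pbr", "next_hop": nh, "egress": r.interface, "dst": pkt.dst}
            if recursive and r:                   # 'recursive': resolve nh through the table
                return {"via": "pbr-recursive", "next_hop": r.next_hop,
                        "egress": r.interface, "dst": pkt.dst}
            # Plain 'set ip next-hop' with a non-adjacent next hop is not applied.
        r = self.lookup(pkt.dst)
        return {"via": "routing-table", "next_hop": r.next_hop, "egress": r.interface, "dst": pkt.dst}


# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq www
ACL_101 = [AclEntry("tcp", ipaddress.ip_network("192.168.10.0/24"), dport=80)]

ROUTES = [
    Route(ipaddress.ip_network("192.168.10.0/24"), "fa0/0"),                  # connected LAN
    Route(ipaddress.ip_network("48.29.222.132/30"), "fa0/1"),                 # connected WAN
    Route(ipaddress.ip_network("0.0.0.0/0"), "fa0/1", next_hop=ISP_GATEWAY),  # default route
]

HTTP_PKT = Packet("192.168.10.25", "203.0.113.10")              # constructed client -> web site
HTTPS_PKT = Packet("192.168.10.25", "203.0.113.10", dport=443)  # constructed, not matched by ACL


def pbr_to_internet_proxy(recursive: bool = False, pkt: Packet = HTTP_PKT) -> dict:
    """Jack's setup: the next hop is the Squid host out on the internet."""
    return Router(ROUTES, (ACL_101, INTERNET_PROXY, recursive)).forward(pkt)


def pbr_to_lan_proxy(pkt: Packet = HTTP_PKT) -> dict:
    """Jon's assumed design: the proxy is on a subnet directly connected to the 1841."""
    return Router(ROUTES, (ACL_101, LAN_PROXY, False)).forward(pkt)


if __name__ == "__main__":
    print("plain next-hop   :", pbr_to_internet_proxy())
    print("recursive        :", pbr_to_internet_proxy(recursive=True))
    print("connected proxy  :", pbr_to_lan_proxy())
    print("HTTPS (no match) :", pbr_to_lan_proxy(HTTPS_PKT))
```

Running it shows why Jack's client keeps appearing from the WAN address: in both internet-proxy cases the packet leaves fa0/1 towards the ISP gateway with its original destination, exactly as it would without the route-map. Only the connected-proxy case hands the packet to the proxy, and even then the proxy receives it addressed to the web site, not to itself, which is what Jon means by PBR not marking the packet. The HTTPS packet never matches the ACL, matching the last reply's point that only port 80 traffic is redirected this way.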

Kondy,

you can redirect HTTP traffic to Squid. But to redirect HTTPS traffic to Squid you need to configure SSL on Squid, and you cannot use the Squid transparent proxy feature with Squid SSL.

Please check this post for more help:

http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html