«

Hello,

Can someone answer the following question:

Is it possible to use the PIX to redirect packets to a transparent
proxy? This is possible on an IOS router with WCCP, but I haven't
found the possibility to configure this on a PIX.

I know it is not possible to send traffic out the same interface, but
since the proxy is in the same network, I was hoping there might be a
possibility to do this.

Thanks in advance.


With kind regards,

Ikke Mij

"Patrick" <> wrote in message
news: m...
> Hello,
>
> Can someone answer the following question:
>
> Is it possible to use the PIX to redirect packets to a transparent
> proxy? This is possible on an IOS router with WCCP, but I haven't
> found the possibility to configure this on a PIX.
>
> I know it is not possible to send traffic out the same interface, but
> since the proxy is in the same network, I was hoping there might be a
> possibility to do this.
>

No, Definately no WCCP support in the pix, It would be a nice thing to see
in the future and I do not see any WCCP support appearing 2004 either. It
would be nice to see WCCP appear in the PIX for sites who do not need a
router

In article <bspvlc$80va$>,
Hugo Drax <> wrote:

:"Patrick" <> wrote in message
:news: om...
:> Is it possible to use the PIX to redirect packets to a transparent
:> proxy? This is possible on an IOS router with WCCP, but I haven't
:> found the possibility to configure this on a PIX.

:> I know it is not possible to send traffic out the same interface, but
:> since the proxy is in the same network, I was hoping there might be a
:> possibility to do this.

:No, Definately no WCCP support in the pix,

Adding to Hugo's answer:

You say "since the proxy is on the same network, I was hoping there
might be a possibility", but that's just it: the inability to send on
the same network is fundamental, so the fact that the proxy is on the
same network would render it impossible for the current PIX design.

In 6.3(3), if your proxy were on a -different- interface, you
could get closer, by using policy nat in conjunction with
outside nat: you could do something like:

access-list outgoing-http permit tcp INSIDE-NET INSIDE-NETMASK any eq http
static (outside, inside) PROXY-IP access-list outgoing-http

(You might have to reverse the order in the access-list.)

However, you can't use policy nat to force traffic into a different
interface because routing is done before NAT, so you could at best
use this method if your proxy were on the same interface as the
traffic would have gone to without the static.

I am also concerned about the clause in
http://www.cisco.com/univercd/cc/td/.../s.htm#1026694
that says, in the description of the access-list parameter:

The subnet mask used in the access-list is also used for the
global_ip.

Urrr, *which* subnet mask in the access-list? Since I'm matching
a global destination, 'any', does that mean that it would attempt
to use a 0.0.0.0 netmask for PROXY-IP ?? (Grrr, I need that testbed
PIX!)
--
"Infinity is like a stuffed walrus I can hold in the palm of my hand.
Don't do anything with infinity you wouldn't do with a stuffed walrus."
-- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.

On Mon, 29 Dec 2003 14:56:50 -0600, Walter Roberson wrote:

> In article <bspvlc$80va$>, Hugo Drax
> <> wrote:
>
> :"Patrick" <> wrote in message
> :news: om... :> Is it
> possible to use the PIX to redirect packets to a transparent :> proxy?
> This is possible on an IOS router with WCCP, but I haven't :> found the
> possibility to configure this on a PIX.
>
> :> I know it is not possible to send traffic out the same interface, but
> :> since the proxy is in the same network, I was hoping there might be a
> :> possibility to do this.
>
> :No, Definately no WCCP support in the pix,
>
> Adding to Hugo's answer:
>
> You say "since the proxy is on the same network, I was hoping there
> might be a possibility", but that's just it: the inability to send on
> the same network is fundamental, so the fact that the proxy is on the
> same network would render it impossible for the current PIX design.
>

To add further. When using WCCP the CE is fine on the same subnet as the
client, as the WCCP router will make the request on the clients behalf and
the CE will respond directly to the client. If the CE was on the DMZ for
example, the pix would deny the response as the CE spoofs the reply and
the pix will have no existing connection for it. So in a WCCP
environment, the CE is good on the client subnet, or whatever subnet the
WCCP router is on.

Rik