Redirecting all Outgoing http traffic to an internal Web server

 
 
r_elder@yahoo.com
03-27-2007
I want to be able to redirect all outbound web traffic (except the
proxy address) to an internal web server from the Pix 525 firewall.
So the end result will be if an internal user tries to bypass the
proxy, the firewall will forward them to a web server saying the proxy
is not configured and to contact IS.

Thanks in advance.

 
Walter Roberson
03-27-2007
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>I want to be able to redirect all outbound web traffic (except the
>proxy address) to an internal web server from the Pix 525 firewall.
>So the end result will be if an internal user tries to bypass the
>proxy, the firewall will forward them to a web server saying the proxy
>is not configured and to contact IS.


You can't do that with PIX 6.x, at least not without purchasing
WebSense or N2H2. I don't know if it could be done with PIX 7.x.


Hmmm, one trick that just might work with PIX 6 is to configure
authentication requirements for traffic on outbound port 80 except
from your proxy server, with the RADIUS server just refusing
to authenticate and using a reply message that told the user
to contact your IS.

Here's a site that has a FreeRadius and
PIX configuration sample you could adapt; it isn't designed exactly
for what you are looking for, but it should give a good starting point.

http://www.gbnetwork.co.uk/networkin...vpnradius.html
 
headsetadapter.com
03-28-2007
Usually if people want to enforce a proxy server, they just disable users'
access to the HTTP port. If you allow only the proxy server to go to web pages, then
users will have no choice but to use the proxy.

Good luck,

Mike
CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, Sun SCSA,
Checkpoint CCSA, etc.
------
Headset Adapters for Cisco IP Phones
www.ciscoheadsetadapter.com


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
>I want to be able to redirect all outbound web traffic (except the
> proxy address) to an internal web server from the Pix 525 firewall.
> So the end result will be if an internal user tries to bypass the
> proxy, the firewall will forward them to a web server saying the proxy
> is not configured and to contact IS.
>
> Thanks in advance.
>



 
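Mike's suggestion (permit port 80 only from the proxy, deny it from everyone else) is easy to get wrong when the rules are in the wrong order, because a PIX access list is evaluated first match wins with an implicit deny at the end. The following is an added example, not code from this thread or from Cisco: it parses a constructed PIX 6.x-style access list (the proxy address 10.1.1.5, the list name acl_in and the sample flows are all made up here) and evaluates sample flows against it the way the firewall would, so the ordering can be checked before the list is applied with access-group.

```python
import ipaddress

# Constructed PIX-6.x-style access list (example values, not from the thread).
# Rule order matters: the proxy's permit must precede the blanket deny.
ACL_TEXT = """
access-list acl_in permit tcp host 10.1.1.5 any eq www
access-list acl_in deny tcp any any eq www
access-list acl_in permit ip any any
"""

# Service names the PIX accepts after "eq"; only the ones used here.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _take_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D MASK' (PIX uses normal subnet masks, not wildcards).
    Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines into
    rule dicts, preserving order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # ignore blank or unrelated configuration lines
        name, action, proto = t[1], t[2], t[3]
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append({"name": name, "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for one flow: first matching rule wins,
    and a flow matching no rule hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed flows: the proxy, a user going direct, and a user to the proxy port.
    for flow in [("tcp", "10.1.1.5", "198.51.100.7", 80),
                 ("tcp", "10.1.1.77", "198.51.100.7", 80),
                 ("tcp", "10.1.1.77", "10.1.1.5", 8080)]:
        print(flow, "->", evaluate(rules, *flow))
```

Note that this list only closes port 80; if the proxy also handles HTTPS, a matching pair of rules for port 443 is needed, otherwise a client that skips the proxy still reaches HTTPS sites directly.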
 
r_elder@yahoo.com
03-29-2007
On Mar 27, 9:47 pm, "headsetadapter.com" <(E-Mail Removed)> wrote:
> Usually if people want to enforce a proxy server, they just disable users'
> access to the HTTP port. If you allow only the proxy server to go to web pages, then
> users will have no choice but to use the proxy.

I know I can turn off port 80 at any time for everything but the
proxy, but what I was trying to do is let the users know that the
"Internet is not broken", you just need to get set up with the proxy,
or as a reminder to people who have been going around the proxy that
they need to use it.

Thanks,

 
 
MC
03-30-2007
(E-Mail Removed) wrote:
>
> I know I can turn off port 80 at any time for everything but the
> proxy, but what I was trying to do is let the users know that the
> "Internet is not broken", you just need to get set up with the proxy,
> or as a reminder to people who have been going around the proxy that
> they need to use it.
>
> Thanks,
>

There may be a way to use PAT (port address translation).
You would have port 80 PAT to another port, like 8080 on the web server.
PAT would reference an ACL that would except all but the proxy IP.
Not sure if this would work like you want.

 
 
Walter Roberson
03-30-2007
In article <(E-Mail Removed)>, MC <(E-Mail Removed)> wrote:
>(E-Mail Removed) wrote:
>>> <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed) oups.com...


>>>> I want to be able to redirect all outbound web traffic (except the
>>>> proxy address) to an internal web server from the Pix 525 firewall.
>>>> So the end result will be if an internal user tries to bypass the
>>>> proxy, the firewall will forward them to a web server saying the proxy
>>>> is not configured and to contact IS.


>There may be a way to use PAT (port address translation).
>You would have port 80 PAT to another port, like 8080 on the web server.
>PAT would reference an ACL that would except all but the proxy IP.
>Not sure if this would work like you want.


No, that won't work on a PIX or ASA.

When you configure a translation, you have to configure
a mask for the destination to be matched. When the translation
is activated, the actual destination is masked with that mask to
find the host offset within the network, and that same host offset
is used relative to the address to be translated to. For example,
if you translated 192.168.56.0 255.255.255.0 to 33.44.55.0
and the actual address was 192.168.56.42 then the 192.168.56.0
part would be masked off, giving an offset of 0.0.0.42, which would
be added to the target destination 33.44.55.0 to give a final
destination of 33.44.55.42 .

Now, because you want to match port 80 "everywhere", you would be
using a destination IP of "any", which corresponds to the mask 0.0.0.0 .
And any IP address masked with 0.0.0.0 is going to have a host
offset equal to the address itself unchanged. So whatever target
address you'd specified for the translation would have the original
IP address added to produce the translated IP. That's not going
to do you much good.


If the PIX 525 is running 6.x, there isn't any way to do what
the original poster wants without using Websense or N2H2, or
possibly the trick I mentioned in a posting the other day
of using url filter combined with a non-existent RADIUS host.

If the PIX 525 is running 7.x, then starting in 7.2(1), WCCP Redirect
is supported, and the traffic could be redirected to a server
configured for WCCP.

http://www.cisco.com/univercd/cc/td/....htm#wp1416115

 
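The mask-and-offset rule Walter describes, worked through in Python as an added example (this is not code from the thread or from Cisco, only a model of the rule as he states it). It masks the actual destination, takes the bits outside the mask as the host offset, and adds that offset to the mapped base; his own 192.168.56.0 to 33.44.55.0 case comes out as 33.44.55.42, while the "any" (mask 0.0.0.0) case lands nowhere near the intended server. The internal web server 10.0.0.80 and the outside address 208.67.222.222 are constructed values, and the wrap-around at 2^32 is a modelling assumption.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def pix_static_destination(real_net, mask, mapped_base, actual_dst):
    """Model of how a PIX/ASA static translation picks the translated
    destination, following the rule described in the thread:
      1. mask the actual destination; if the result is not the configured
         network, the translation does not apply (None is returned);
      2. the bits NOT covered by the mask are the host offset;
      3. add that offset to the mapped base address.
    Wrapping at 2^32 is a modelling assumption, not documented PIX behaviour."""
    real, m = _to_int(real_net), _to_int(mask)
    base, dst = _to_int(mapped_base), _to_int(actual_dst)
    if (dst & m) != (real & m):
        return None
    host_offset = dst & (~m & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address((base + host_offset) & 0xFFFFFFFF))


def redirect_hits_server(mapped_base, actual_dst):
    """True only if a 'match anything' (mask 0.0.0.0) translation would
    actually deliver the packet to mapped_base. With mask 0.0.0.0 the host
    offset is the whole original address, so this is only true when the
    original destination is 0.0.0.0, which is the point made in the thread."""
    translated = pix_static_destination("0.0.0.0", "0.0.0.0", mapped_base, actual_dst)
    return translated == mapped_base


if __name__ == "__main__":
    # Walter's own example: a /24 mapped onto 33.44.55.0
    print(pix_static_destination("192.168.56.0", "255.255.255.0",
                                 "33.44.55.0", "192.168.56.42"))
    # The 'any' destination case, with a constructed internal web server 10.0.0.80
    print(pix_static_destination("0.0.0.0", "0.0.0.0", "10.0.0.80", "208.67.222.222"))
    print(redirect_hits_server("10.0.0.80", "208.67.222.222"))
```

The second call shows the failure mode directly: 10.0.0.80 plus the full original address gives 218.67.223.46, a translated destination that has nothing to do with the internal web server.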
 
ciscosec
03-30-2007
Dears,

If you have a layer 3 device that is going to forward the traffic to your
PIX, you can better configure a policy based route on your L3 saying
that any traffic, or traffic from specific VLANs, on port 80 or port
8080 (depending on what your proxy port is) be forwarded to the proxy IP,
which could be in another VLAN. This is the easiest.

So that even if users don't configure the proxy, they would be forced to
use the proxy to surf, which means they cannot bypass the proxy.

For this to be effective, there should be a single team managing both
the L3 device and the PIX.

I hope this is what you are looking for.

 
 
Mysticmoose06
03-30-2007
On Mar 30, 7:44 am, "ciscosec" <(E-Mail Removed)> wrote:
> Dears,
>
> If you have a layer 3 device that is going to forward the traffic to your
> PIX, you can better configure a policy based route on your L3 saying
> that any traffic, or traffic from specific VLANs, on port 80 or port
> 8080 (depending on what your proxy port is) be forwarded to the proxy IP,
> which could be in another VLAN. This is the easiest.
>
> So that even if users don't configure the proxy, they would be forced to
> use the proxy to surf, which means they cannot bypass the proxy.
>
> For this to be effective, there should be a single team managing both
> the L3 device and the PIX.
>
> I hope this is what you are looking for.

We do the same thing where I work. All we do is block www traffic
from all hosts except the proxy server. Then for configuring, we put it
in login scripts (I assume you have Windows clients) that set the
proxy IP address and port. If you have random 'outside' clients, then
you'll have to look for something more dynamic. I know you can do
redirects with a Linux firewall, but I assume you're looking for the
Cisco solution.

Good luck,

Aaron
