Redirecting all Outgoing http traffic to an internal Web server

Discussion in 'Cisco' started by r_elder@yahoo.com, Mar 27, 2007.

  1. Guest

    I want to be able to redirect all outbound web traffic (except the
    proxy address) to an internal web server from the Pix 525 firewall.
    So the end result will be: if an internal user tries to bypass the
    proxy, the firewall will forward them to a web server saying the proxy
    is not configured and to contact IS.

    Thanks in advance.
    , Mar 27, 2007
    #1

  2. In article <>,
    <> wrote:
    >I want to be able to redirect all outbound web traffic (except the
    >proxy address) to an internal web server from the Pix 525 firewall.
    >So the end result will be if a internal user tries to bypass the
    >proxy, the firewall will forward them to a web server saying the proxy
    >is not configured and to contact IS.


    You can't do that with PIX 6.x, at least not without purchasing
    WebSense or N2H2. I don't know if it could be done with PIX 7.x.


    Hmmm, one trick that just might work with PIX 6 is to configure
    authentication requirements for traffic on outbound port 80 except
    from your proxy server, with the RADIUS server just refusing
    to authenticate and using a reply message that told the user
    to contact your IS.

    Here's a site that has a FreeRadius and
    PIX configuration sample you could adapt; it isn't designed exactly
    for what you are looking for, but it should give a good starting point.

    http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
    Walter Roberson, Mar 27, 2007
    #2

    Usually, if people want to enforce a proxy server, they just disable users'
    access to the HTTP port. If you allow only the proxy server to go to web pages, then
    users will have no choice but to use the proxy.

    Good luck,

    Mike
    CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, Sun SCSA,
    Checkpoint CCSA, etc.
    ------
    Headset Adapters for Cisco IP Phones
    www.ciscoheadsetadapter.com


    <> wrote in message
    news:...
    >I want to be able to redirect all outbound web traffic (except the
    > proxy address) to an internal web server from the Pix 525 firewall.
    > So the end result will be if a internal user tries to bypass the
    > proxy, the firewall will forward them to a web server saying the proxy
    > is not configured and to contact IS.
    >
    > Thanks in advanced.
    >
    headsetadapter.com, Mar 28, 2007
    #3
  4. Guest

    On Mar 27, 9:47 pm, "headsetadapter.com" <> wrote:
    > Usually if people want to enforce Proxy server, they just disable users
    > access to HTTP Port. If you allow only Proxy server to go to web pages, then
    > users will have no choice to use Proxy.
    >
    > Good luck,
    >
    > Mike
    > CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, Sun SCSA,
    > Checkpoint CCSA, etc.
    > ------
    > Headset Adapters for Cisco IP Phones www.ciscoheadsetadapter.com
    >
    > <> wrote in message
    >
    > news:...
    >
    > >I want to be able to redirect all outbound web traffic (except the
    > > proxy address) to an internal web server from the Pix 525 firewall.
    > > So the end result will be if a internal user tries to bypass the
    > > proxy, the firewall will forward them to a web server saying the proxy
    > > is not configured and to contact IS.

    >
    > > Thanks in advanced.


    I know I can turn off port 80 at any time for everything but the
    proxy, but what I was trying to do is let the users know that the
    "Internet is not broken", you just need to get set up with the proxy,
    or as a reminder to people who have been going around the proxy that
    they need to use it.

    Thanks,
    , Mar 29, 2007
    #4
  5. MC Guest

    wrote:
    > On Mar 27, 9:47 pm, "headsetadapter.com" <> wrote:
    >> Usually if people want to enforce Proxy server, they just disable users
    >> access to HTTP Port. If you allow only Proxy server to go to web pages, then
    >> users will have no choice to use Proxy.
    >>
    >> Good luck,
    >>
    >> Mike
    >> CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, Sun SCSA,
    >> Checkpoint CCSA, etc.
    >> ------
    >> Headset Adapters for Cisco IP Phones www.ciscoheadsetadapter.com
    >>
    >> <> wrote in message
    >>
    >> news:...
    >>
    >>> I want to be able to redirect all outbound web traffic (except the
    >>> proxy address) to an internal web server from the Pix 525 firewall.
    >>> So the end result will be if a internal user tries to bypass the
    >>> proxy, the firewall will forward them to a web server saying the proxy
    >>> is not configured and to contact IS.
    >>> Thanks in advanced.

    >
    > I know I can turn off port 80 at any time for everything but the
    > proxy, but what I was trying to do is let the users know that the
    > "Internet is not broken", you just need to get setup with the proxy,
    > or as a reminder to people who have been going around the proxy that
    > they need to use it.
    >
    > Thanks,
    >

    There may be a way to use PAT (port address translation).
    It would PAT port 80 to another port, like 8080, on the web server.
    The PAT would reference an ACL that excepts all but the proxy IP.
    Not sure if this would work like you want.
    MC, Mar 30, 2007
    #5
  6. In article <>, MC <> wrote:
    > wrote:
    >>> <> wrote in message
    >>> news:...


    >>>> I want to be able to redirect all outbound web traffic (except the
    >>>> proxy address) to an internal web server from the Pix 525 firewall.
    >>>> So the end result will be if a internal user tries to bypass the
    >>>> proxy, the firewall will forward them to a web server saying the proxy
    >>>> is not configured and to contact IS.


    >There may be a way to use PAT (port address translation)
    >Would have port 80 PAT to other port, like 8080 on the WEB server.
    >PAT would reference an ACL that would except all but the proxy IP
    >Not sure if this will would work like you want.


    No, that won't work on a PIX or ASA.

    When you configure a translation, you have to configure
    a mask for the destination to be matched. When the translation
    is activated, the actual destination is masked with that mask to
    find the host offset within the network, and that same host offset
    is used relative to the address to be translated to. For example,
    if you translated 192.168.56.0 255.255.255.0 to 33.44.55.0
    and the actual address was 192.168.56.42 then the 192.168.56.0
    part would be masked off, giving an offset of 0.0.0.42, which would
    be added to the target destination 33.44.55.0 to give a final
    destination of 33.44.55.42.

    Now, because you want to match port 80 "everywhere", you would be
    using a destination IP of "any", which corresponds to the mask 0.0.0.0.
    And any IP address masked with 0.0.0.0 is going to have a host
    offset equal to the address itself unchanged. So whatever target
    address you'd specified for the translation would have the original
    IP address added to produce the translated IP. That's not going
    to do you much good.


    If the PIX 525 is running 6.x, there isn't any way to do what
    the original poster wants without using Websense or N2H2, or
    possibly the trick I mentioned in a posting the other day
    of using url filter combined with a non-existent radius host.

    If the PIX 525 is running 7.x, then starting in 7.2(1), WCCP Redirect
    is supported, and the traffic could be redirected to a server
    configured for WCCP.

    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/uz_711.htm#wp1416115
    Walter Roberson, Mar 30, 2007
    #6
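    The host-offset arithmetic Walter describes above, worked through as an added example (it is not code from this thread or from Cisco; it models the rule exactly as he states it, and the internal web server 10.0.0.80 and the outside destinations 203.0.113.7 and 198.51.100.20 are constructed values from documentation address ranges). It reproduces his /24 case and then shows what a destination of "any" (mask 0.0.0.0) actually produces, which is why that translation cannot land every port-80 flow on one server.

```python
import ipaddress

# Model of the translation rule as described in the post (not the PIX source):
# mask the real destination with the configured mask; the bits the mask does
# not cover are the host offset, and that offset is added to the target.
def translate_destination(actual_dst, match_net, match_mask, target_base):
    """Return the translated destination, or None if the rule does not match."""
    actual = int(ipaddress.IPv4Address(actual_dst))
    net = int(ipaddress.IPv4Address(match_net))
    mask = int(ipaddress.IPv4Address(match_mask))
    target = int(ipaddress.IPv4Address(target_base))
    # The rule only applies when the masked destination equals the masked network.
    if (actual & mask) != (net & mask):
        return None
    # Host offset = the part of the address the mask leaves uncovered.
    host_offset = actual & (~mask & 0xFFFFFFFF)
    # The same offset is applied relative to the translation target.
    return str(ipaddress.IPv4Address((target + host_offset) & 0xFFFFFFFF))


def rule_lands_on_server(actual_dst, match_net, match_mask, target_base, server):
    """True only if this destination really ends up at the intended server."""
    return translate_destination(actual_dst, match_net, match_mask, target_base) == server


if __name__ == "__main__":
    # Walter's /24 example: the host offset 0.0.0.42 carries over to 33.44.55.42.
    print(translate_destination("192.168.56.42", "192.168.56.0",
                                "255.255.255.0", "33.44.55.0"))
    # Destination "any" (mask 0.0.0.0) with a constructed internal web server
    # 10.0.0.80: the whole original address becomes the offset, so the result
    # is the original address added to 10.0.0.80, never 10.0.0.80 itself.
    for dst in ("203.0.113.7", "198.51.100.20"):
        print(dst, "->", translate_destination(dst, "0.0.0.0", "0.0.0.0", "10.0.0.80"),
              "hits server:", rule_lands_on_server(dst, "0.0.0.0", "0.0.0.0",
                                                   "10.0.0.80", "10.0.0.80"))
```

    Run it as a script and the two "any" cases print translated addresses that are the original destination shifted by the server address; a translation that is meant to pin a single server can only do so when the mask covers the whole address, which is incompatible with matching "any".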
  7. ciscosec Guest

    Dears,

    If you have a layer 3 device that is going to forward the traffic to your
    pix, you can better configure a policy based route on your L3 saying
    that any traffic, or traffic from specific vlans, on port 80 or port
    8080 (depending on what's your proxy port) be forwarded to the proxy ip,
    which could be in another vlan. This is the easiest.

    So that even if users don't configure the proxy, they would be forced to
    use the proxy to surf, which means they cannot bypass the proxy.

    For this to be effective, there should be a single team managing both
    L3 and pix.

    I hope this is what you are looking for.

    On Mar 30, 8:04 am, (Walter Roberson) wrote:
    > In article <>, MC <> wrote:
    > > wrote:
    > >>> <> wrote in message
    > >>>news:...
    > >>>> I want to be able to redirect all outbound web traffic (except the
    > >>>> proxy address) to an internal web server from the Pix 525 firewall.
    > >>>> So the end result will be if a internal user tries to bypass the
    > >>>> proxy, the firewall will forward them to a web server saying the proxy
    > >>>> is not configured and to contact IS.

    > >There may be a way to use PAT (port address translation)
    > >Would have port 80 PAT to other port, like 8080 on the WEB server.
    > >PAT would reference an ACL that would except all but the proxy IP
    > >Not sure if this will would work like you want.

    >
    > No, that won't work on a PIX or ASA.
    >
    > When you configure a translation, you have to configure
    > a mask for the destination to be matched. When the translation
    > is activated, the actual destination is masked with that mask to
    > find the host offset within the network, and that same host offset
    > is used relative to the address to be translated to. For example,
    > if you translated 192.168.56.0 255.255.255.0 to 33.44.55.0
    > and the actual address was 192.168.56.42 then the 192.168.56.0
    > part would be masked off, giving an offset of 0.0.0.42, which would
    > be added to the target destination 33.44.55.0 to give a final
    > destination of 33.44.55.42 .
    >
    > Now, because you want to match port 80 "everywhere", you would be
    > using a destination IP of "any", which corresponds to the mask 0.0.0.0 .
    > And any IP address masked with 0.0.0.0 is going to have a host
    > offset equal to the address itself unchanged. So whatever target
    > address you'd specified for the translation would have the original
    > IP address added to produce the translated IP. That's not going
    > to do you much good.
    >
    > If the PIX 525 is running 6.x, there isn't any way to do with
    > the original poster wants without using Websense or N2H2, or
    > possibly the trick I mentioned in a posting the other day
    > of using url filter combined with a non-existant radius host.
    >
    > If the PIX 525 is running 7.x, then starting in 7.2(1), WCCP Redirect
    > is supported, and the traffic could be redirected to a server
    > configured for WCCP.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2...
    ciscosec, Mar 30, 2007
    #7
  8. On Mar 30, 7:44 am, "ciscosec" <> wrote:
    > Dears,
    >
    > If you have a layer 3 that is going to forward the traffic to your
    > pix, you can better configure a policy based route on your L3 saying
    > that any traffic or traffic from specific vlans on port 80 or port
    > 8080 (depending on whats your proxy port) be forwarded to the proxy ip
    > which could be in another vlan. This is the easiest.
    >
    > So that even if users dont configure proxy, they would be forced to
    > use proxy to surf which means they cannot bypass proxy.
    >
    > For this to be effective, there should be a single team managing both
    > L3 and pix.
    >
    > I hope this is what you are looking for.
    >
    > On Mar 30, 8:04 am, (Walter Roberson) wrote:
    >
    >
    >
    > > In article <>, MC <> wrote:
    > > > wrote:
    > > >>> <> wrote in message
    > > >>>news:...
    > > >>>> I want to be able to redirect all outbound web traffic (except the
    > > >>>> proxy address) to an internal web server from the Pix 525 firewall.
    > > >>>> So the end result will be if a internal user tries to bypass the
    > > >>>> proxy, the firewall will forward them to a web server saying the proxy
    > > >>>> is not configured and to contact IS.
    > > >There may be a way to use PAT (port address translation)
    > > >Would have port 80 PAT to other port, like 8080 on the WEB server.
    > > >PAT would reference an ACL that would except all but the proxy IP
    > > >Not sure if this will would work like you want.

    >
    > > No, that won't work on a PIX or ASA.

    >
    > > When you configure a translation, you have to configure
    > > a mask for the destination to be matched. When the translation
    > > is activated, the actual destination is masked with that mask to
    > > find the host offset within the network, and that same host offset
    > > is used relative to the address to be translated to. For example,
    > > if you translated 192.168.56.0 255.255.255.0 to 33.44.55.0
    > > and the actual address was 192.168.56.42 then the 192.168.56.0
    > > part would be masked off, giving an offset of 0.0.0.42, which would
    > > be added to the target destination 33.44.55.0 to give a final
    > > destination of 33.44.55.42 .

    >
    > > Now, because you want to match port 80 "everywhere", you would be
    > > using a destination IP of "any", which corresponds to the mask 0.0.0.0 .
    > > And any IP address masked with 0.0.0.0 is going to have a host
    > > offset equal to the address itself unchanged. So whatever target
    > > address you'd specified for the translation would have the original
    > > IP address added to produce the translated IP. That's not going
    > > to do you much good.

    >
    > > If the PIX 525 is running 6.x, there isn't any way to do with
    > > the original poster wants without using Websense or N2H2, or
    > > possibly the trick I mentioned in a posting the other day
    > > of using url filter combined with a non-existant radius host.

    >
    > > If the PIX 525 is running 7.x, then starting in 7.2(1), WCCP Redirect
    > > is supported, and the traffic could be redirected to a server
    > > configured for WCCP.

    >
    > >http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2...


    We do the same thing where I work. All we do is block www traffic
    by all hosts except the proxy server. Then for configuring, we put it
    in login scripts (I assume you have Windows clients) that set the
    proxy ip address and port. If you have random 'outside' clients, then
    you'll have to look for something more dynamic. I know you can do
    redirects with a linux firewall, but I assume you're looking for the
    cisco solution.

    Good luck,

    Aaron
    Mysticmoose06, Mar 30, 2007
    #8
