transparent www proxy - port forwarding with 3660

Discussion in 'Cisco' started by Enrico Gloeckner, Nov 28, 2003.

  1. I have a 3660 Router. This Router is connected to the inside Interface
    of a pix.
    Pix:
    - internal (inside) connected to Router
    - a proxy server 217.6.x.114 netmask 255.255.255.248 in
    dmz (interface dmz)
    - outside interface, connected to internet

    The Router is default Gateway for internal network (192.160.0.0).

    I would like to forward HTTP from the internal network to the internet over the
    proxy server (in dmz). How can I forward these connections from the
    internal network (port 80) to the proxy server? The proxy doesn't
    support wcp.

    Thanks,
    Enrico
     
    Enrico Gloeckner, Nov 28, 2003
    #1

  2. :I have a 3660 Router. This Router is connected to the inside Interface
    :of a pix.

    :I would like to forward HTTP from the internal network to the internet over the
    :proxy server (in dmz). How can I forward these connections from the
    :internal network (port 80) to the proxy server? The proxy doesn't
    :support wcp.

    You can use Policy Based Routing, provided you have 12.0(5)T or later.

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/prod_release_note09186a0080132a8d.html#290674


    The trick then would be getting the proxy to answer for everything.

    One hack that might work for this is to use a policy along with
    NAT, setting up "outside NAT" so that the NAT maps the -destination-
    as it traverses the router; the proxy would then only have to listen
    on a single IP address. Should work for HTTP/1.1 but would mess
    up HTTP/1.0 .

    If you can't do the above hack on the 3660 (or it is too
    inefficient) then you could do it on the PIX, provided you have
    6.3(3). The "outside NAT" part of it requires 6.2; something
    similar could be done with 'alias' before that. Doing the
    NAT selectively [only port 80], though, would require 6.3(3).

    PIX can NAT selectively starting in 6.3(3), but it cannot
    route that selectively yet (unless you get involved with OSPF.)
    The implication is that you wouldn't be able to just let the 3660
    pass everything through and do the redirection on the PIX,
    because the PIX can't direct -just- port 80 traffic to a different
    interface.
     
    Walter Roberson, Nov 29, 2003
    #2
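
The HTTP/1.1 versus HTTP/1.0 remark in the reply above, as an added example that is not part of the thread: once NAT has rewritten the destination to the proxy's address, the only place the intended origin survives is the request's Host header, which HTTP/1.1 requires and HTTP/1.0 does not. The function name `recover_origin` and the sample requests are constructed for illustration.

```python
# Added example: how an intercepting proxy recovers the origin server after
# destination NAT has replaced the original destination IP with its own.
# All request bytes below are constructed samples.

class OriginUnknown(Exception):
    """The request carries no usable indication of the intended origin."""

def recover_origin(raw: bytes, default_port: int = 80):
    """Return (host, port) of the origin the client meant to reach."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise OriginUnknown("malformed request line")
    # A browser unaware of the proxy sends an origin-form target
    # ("/index.html"), so the host name is only present in the Host header.
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if len(hosts) > 1:
        raise OriginUnknown("multiple Host headers")  # ambiguous, refuse
    if not hosts or not hosts[0]:
        raise OriginUnknown(f"{version} request without Host header")
    host, sep, port = hosts[0].rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return hosts[0].lower(), default_port

# Constructed requests as they would arrive at the proxy after the NAT.
HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP11_PORT = b"GET / HTTP/1.1\r\nHost: Example.com:8080\r\n\r\n"
HTTP10 = b"GET /index.html HTTP/1.0\r\nUser-Agent: sample\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("HTTP/1.1", HTTP11), ("HTTP/1.1 + port", HTTP11_PORT),
                      ("HTTP/1.0", HTTP10)):
        try:
            print(name, "->", recover_origin(req))
        except OriginUnknown as exc:
            print(name, "-> cannot forward:", exc)
```
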

  3. Use a route-map on the 3660 to forward port 80 to the PIX/proxy.

    http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5

    alan
     
    Alan Strassberg, Nov 29, 2003
    #3
