Robbie0923 (TechnicalUser)
31 Jul 12 20:00
I have recently been given the task of installing a web filter on our network to monitor and eventually filter some of the web browsing done in my network. I have a Cisco 2911 router and a Sophos Web Filter appliance. I have the web appliance installed and it looks like I have some traffic being monitored, but not all. The configuration of my router is as follows:

interface GigabitEthernet0/0
description Beorne
ip address 10.2.16.5 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description BHN_OUTSIDE
ip address 97.78.226.35 255.255.255.224
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 172.16.22.1 255.255.255.224
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description AdmNet_Trunk
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
description IT_AdmNet
switchport access vlan 4
switchport mode trunk
no ip address
!
interface Vlan1
description Vlan1_AdmNet
ip address 10.2.9.1 255.255.252.0
ip helper-address 10.2.9.14
ip helper-address 172.16.22.2
ip helper-address 10.2.9.12
ip helper-address 10.2.9.13
ip helper-address 10.2.9.15
ip helper-address 10.2.13.2
ip helper-address 97.78.226.33
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description Vlan4_IT_AdmNet
ip address 10.2.13.1 255.255.252.0
ip helper-address 10.2.9.14
ip helper-address 97.78.226.33
ip helper-address 172.16.22.2
ip helper-address 10.2.9.12
ip helper-address 10.2.9.13
ip helper-address 10.2.9.15
ip helper-address 10.2.13.2
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 1
network 172.16.22.0 0.0.0.255
redistribute connected
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat pool NATADDR 97.78.226.35 97.78.226.35 netmask 255.255.255.224
ip nat inside source list 122 pool NATADDR overload
ip nat inside source route-map NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.2.9.12 25 97.78.226.34 25 extendable
ip nat inside source static tcp 10.2.9.12 80 97.78.226.34 80 extendable
ip nat inside source static tcp 10.2.9.12 443 97.78.226.34 443 extendable
ip route 0.0.0.0 0.0.0.0 97.78.226.33
!
ip access-list extended SJR_Inside
permit ip 10.2.8.0 0.0.3.255 10.2.0.0 0.0.3.255
permit ip 10.2.8.0 0.0.3.255 10.2.12.0 0.0.3.255
permit ip 10.2.8.0 0.0.3.255 10.2.4.0 0.0.3.255
!
access-list 122 permit ip host 10.2.9.12 any
access-list 122 deny tcp any any eq smtp
access-list 122 deny tcp any any eq 137
access-list 122 deny tcp any any eq 135
access-list 122 permit ip 10.2.0.0 0.0.3.255 any
access-list 122 permit ip 10.2.4.0 0.0.3.255 any
access-list 122 permit ip 10.2.8.0 0.0.3.255 any
access-list 122 permit ip 10.2.12.0 0.0.3.255 any
access-list 122 permit ip 10.2.1.0 0.0.0.255 any
access-list 122 permit ip 10.4.1.0 0.0.0.255 any
access-list 150 permit ip any any
!
route-map NAT permit 10
match policy-list 150
!

This was configured prior to my coming into the job. We have a wireless backhaul and two other networks that are going through the BHN_Outside port for the internet. I am trying to get all port 80 and 443 traffic routed through the web filter that is set up on the network.

Any help is welcomed.
Robbie0923 (TechnicalUser)
31 Jul 12 20:05
The web filter is set up on the network as IP 10.2.9.10, SNM 255.255.240.0, gateway 10.2.9.1, DNS 10.2.9.14. The appliance is connected to the switch that holds all traffic in the building.
disturbedone (Vendor)
1 Aug 12 1:10
This is what I needed to do to get this to work. We have a Catalyst 4507 at our core and it has the following config:

CODE -->

access-list 161 permit tcp 10.61.0.0 0.0.255.255 any eq www
access-list 161 permit tcp 10.61.0.0 0.0.255.255 any eq 443

route-map webvlan61 permit 161
 match ip address 161
 set ip next-hop 10.11.0.19

interface Vlan61
 ip address 10.61.32.88 255.255.0.0
 ip helper-address 10.11.0.7
 ip helper-address 10.11.0.8
 ip policy route-map webvlan61

10.11.0.19 is the address of our Netbox Blue proxy/filter.

When anyone on VLAN61 (WiFi) attempts to access the web on 80/443, the traffic is redirected to 10.11.0.19 (set up as a transparent proxy). In our case, Netbox then presents a logon page for AD authentication, which is required before proceeding (this allows Netbox to filter and track what the user does).
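The policy-based routing decision in the config above, reproduced as an added Python example (it is not code from the post, from Tek-Tips, or from Cisco). It implements Cisco wildcard-mask matching and first-match ACL evaluation with the implicit trailing deny, then applies the route-map rule built from access-list 161 and the 10.11.0.19 next hop to a handful of constructed flows, so you can check which hosts the policy actually redirects to the filter and which fall through to normal routing (non-TCP traffic, other ports, sources outside 10.61.0.0/16). The ACL entries and next-hop address are the ones from the post; the sample flows and all function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care'.

    So 10.61.0.0 0.0.255.255 matches any 10.61.x.y address, and
    'host 10.2.9.12' is the same as 10.2.9.12 0.0.0.0.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL actually compares
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src_net: str
    src_wild: str
    dst_port: Optional[int]  # None means any destination port


# access-list 161 from the post. IOS shows port 80 as "www"; stored numerically here.
ACL_161: List[AclEntry] = [
    AclEntry("permit", "tcp", "10.61.0.0", "0.0.255.255", 80),
    AclEntry("permit", "tcp", "10.61.0.0", "0.0.255.255", 443),
]

WEBFILTER_NEXT_HOP = "10.11.0.19"   # 'set ip next-hop' target from the post


def acl_lookup(acl: List[AclEntry], proto: str, src: str, dst_port: int) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src_net, e.src_wild):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


def pbr_next_hop(acl: List[AclEntry], next_hop: str,
                 proto: str, src: str, dst_port: int) -> Optional[str]:
    """Model 'route-map ... permit' + 'match ip address <acl>' + 'set ip next-hop'.

    A permit match overrides the routing table and sends the packet to next_hop.
    Anything else (deny or no match) returns None: normal destination-based routing.
    """
    if acl_lookup(acl, proto, src, dst_port) == "permit":
        return next_hop
    return None


def coverage_report(acl: List[AclEntry], next_hop: str, flows):
    """Map each (label, proto, src, dst_port) flow to where the policy sends it."""
    return {label: pbr_next_hop(acl, next_hop, proto, src, port)
            for label, proto, src, port in flows}


# Constructed sample flows, as seen on the interface carrying 'ip policy route-map'.
SAMPLE_FLOWS = [
    ("wifi-client http",      "tcp", "10.61.32.100", 80),
    ("wifi-client https",     "tcp", "10.61.5.7",    443),
    ("wifi-client ssh",       "tcp", "10.61.5.7",    22),    # not 80/443: bypasses filter
    ("wifi-client udp/80",    "udp", "10.61.5.7",    80),    # ACL is tcp-only
    ("other-vlan http",       "tcp", "10.62.0.1",    80),    # outside 10.61.0.0/16
]

if __name__ == "__main__":
    for label, hop in coverage_report(ACL_161, WEBFILTER_NEXT_HOP, SAMPLE_FLOWS).items():
        print(f"{label:22s} -> {hop or 'normal routing (not filtered)'}")
```

The report only says what the route-map would do for packets that actually arrive on the interface carrying `ip policy route-map`; traffic from hosts on other VLANs or interfaces, and traffic generated by the router itself, never passes through that policy, which is why each subnet that must be filtered needs its own source range in the ACL and the policy applied on its ingress interface.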
Robbie0923 (TechnicalUser)
2 Aug 12 11:16
disturbedone: Thank you very much. That did it. I don't have much Cisco programming experience; I'm currently studying up on that now. There's a lot to learn. Thanks again.
