justin12345
Technical User
I have a Cisco 2811 that is NAT/PAT'ing traffic for 200 internal users on a single subnet - 192.168.1.0/24.
This subnet connects to F0/0. My main WAN link goes into F0/1. I also have a backup WAN link that utilizes PPPoA dialer (Dialer1).
There is also currently a single server at 192.168.1.245 that I connect into remotely for reporting and such.
I'm adding a new server that will be a transparent web proxy for all port 80 traffic. It will sit inside the LAN, but the router should still do the NAT/PAT. I'm planning to make its IP 192.168.1.240.
How can I add an ACL to match port 80 traffic and "route" it to this server instead? What would I need to change with the existing route-maps to make this work?
Here are the relevant parts of the config, some of which are not used and could be cleaned up.
ip local policy route-map backondialer1
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.245 9996
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map Integra interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.245 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.245 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.245 80 interface Dialer1 80
ip nat inside source route-map NATdailer0 interface Dialer0 overload
ip nat inside source route-map NATdailer1 interface Dialer1 overload
ip nat inside source route-map NATdailer2 interface Dialer2 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 160 permit ip host 192.168.1.245 any
access-list 170 permit tcp host 5.5.5.1 any
access-list 171 permit tcp host 5.5.5.2 any
access-list 172 permit tcp host 5.5.5.3 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map backondialer1 permit 10
match ip address 170
set ip next-hop 5.6.7.8
!
route-map backondialer0 permit 10
match ip address 171
set ip next-hop 5.6.7.9
!
route-map backondialer2 permit 10
match ip address 172
set ip next-hop 5.6.7.10
!
route-map Integra permit 10
match ip address 1
match interface FastEthernet0/1
!
route-map webserver permit 10
match ip address 160
set ip next-hop 5.6.7.8
!
route-map NATdailer0 permit 10
match ip address 1
match interface Dialer0
!
route-map NATdailer1 permit 10
match ip address 1
match interface Dialer1
!
route-map NATdailer2 permit 10
match ip address 1
match interface Dialer2
Any ideas or help is much appreciated.
Cheers,
Justin
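The following is an added example of the usual way to do this on IOS, not configuration from the post above or from any reply to it. It assumes the proxy address 192.168.1.240 given in the post; the ACL number 180 and the route-map name to-proxy are my own choices.

```cisco
! Added example (not from the original post): policy-route LAN-originated
! port-80 traffic to the transparent proxy at 192.168.1.240.
! ACL 180 and the route-map name "to-proxy" are assumed names.
!
! Deny the proxy's own outbound web traffic first, otherwise its upstream
! fetches would be handed straight back to it (a forwarding loop), and
! leave port-80 traffic between local hosts alone. Everything else the
! ACL does not permit falls through to normal routing.
access-list 180 deny   tcp host 192.168.1.240 any eq 80
access-list 180 deny   tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 80
access-list 180 permit tcp 192.168.1.0 0.0.0.255 any eq 80
!
route-map to-proxy permit 10
 match ip address 180
 set ip next-hop 192.168.1.240
!
! Apply the policy to the LAN-facing interface. "ip local policy" (already
! used in the config for backondialer1) only affects packets the router
! itself originates, so it cannot redirect transit traffic from the users.
interface FastEthernet0/0
 ip policy route-map to-proxy
 ! The next hop sits on the same interface the packets arrive on, so the
 ! router would otherwise send ICMP redirects to every client.
 no ip redirects
!
! Verification commands to run on the router afterwards:
! show route-map to-proxy     (match counters increment for port-80 flows)
! show ip policy              (confirms the route-map is bound to Fa0/0)
```

The existing NAT route-maps need no change for this: access-list 1 already covers 192.168.1.240, so the proxy's own upstream connections are translated on F0/1 or the dialers exactly like any other host. The static port-80 translation to 192.168.1.245 is also unaffected, because the policy is only evaluated on packets entering F0/0 from the LAN, not on inbound traffic from the WAN.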