Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Redirect Internal users to transparent proxy

Status
Not open for further replies.

justin12345

Technical User
Jul 21, 2008
10
US
I have a Cisco 2811 that is NAT/PAT'ing traffic for 200 internal users on a single subnet - 192.168.1.0/24.

This subnet connects to F0/0. My main WAN link goes into F0/1. I also have a backup WAN link that utilizes PPPoA dialer (Dialer1).

There is also currently a single server at 192.168.1.245 that I connect into remotely for reporting and such.

I'm adding a new server that will be a transparent web proxy for all port 80 traffic. It will sit inside the LAN, but the router should still do the NAT/PAT. I'm planning to make it's IP 192.168.1.240.

How can I add an ACL to match port 80 traffic and "route" it to this server instead? What would I need to change with the existing route-maps to make this work?

Here are the relevant parts of the config, some of which is not used and could be cleaned up.

ip local policy route-map backondialer1
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.245 9996
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map Integra interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.245 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.245 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.245 80 interface Dialer1 80
ip nat inside source route-map NATdailer0 interface Dialer0 overload
ip nat inside source route-map NATdailer1 interface Dialer1 overload
ip nat inside source route-map NATdailer2 interface Dialer2 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 160 permit ip host 192.168.1.245 any
access-list 170 permit tcp host 5.5.5.1 any
access-list 171 permit tcp host 5.5.5.2 any
access-list 172 permit tcp host 5.5.5.3 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit

route-map backondialer1 permit 10
match ip address 170
set ip next-hop 5.6.7.8
!
route-map backondialer0 permit 10
match ip address 171
set ip next-hop 5.6.7.9
!
route-map backondialer2 permit 10
match ip address 172
set ip next-hop 5.6.7.10
!
route-map Integra permit 10
match ip address 1
match interface FastEthernet0/1
!
route-map webserver permit 10
match ip address 160
set ip next-hop 5.6.7.8
!
route-map NATdailer0 permit 10
match ip address 1
match interface Dialer0
!
route-map NATdailer1 permit 10
match ip address 1
match interface Dialer1
!
route-map NATdailer2 permit 10
match ip address 1
match interface Dialer2

Any ideas or help is much appreciated.

Cheers,

Justin
 
In case someone runs across this thread, I thought I'd post the solution I ended up finding. The following config worked for me:

! Enable policy routing
interface Ethernet0
ip policy route-map proxy-redirect
! Route to proxy server
route-map proxy-redirect permit 10
match ip address 110
set ip next-hop 192.168.1.240
! Only policy route client access-list 110 deny tcp any any neq 80
access-list 110 deny tcp host 192.168.1.240 any
access-list 110 permit tcp any any

I'm not totally sure why it works, but there you have it.

Cheers,

Justin
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top