
Routing port 80 & 443 to web filter


Robbie0923 (Technical User), Jun 21, 2012
I have recently been given the task of installing a web filter on our network to monitor and eventually filter some of the web browsing done in my network. I have a Cisco 2911 router and a Sophos Web Filter appliance. I have the web appliance installed and it looks like I have some traffic being monitored, but not all. The configuration of my router is as follows:

interface GigabitEthernet0/0
description Beorne
ip address 10.2.16.5 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description BHN_OUTSIDE
ip address 97.78.226.35 255.255.255.224
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 172.16.22.1 255.255.255.224
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description AdmNet_Trunk
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
description IT_AdmNet
switchport access vlan 4
switchport mode trunk
no ip address
!
interface Vlan1
description Vlan1_AdmNet
ip address 10.2.9.1 255.255.252.0
ip helper-address 10.2.9.14
ip helper-address 172.16.22.2
ip helper-address 10.2.9.12
ip helper-address 10.2.9.13
ip helper-address 10.2.9.15
ip helper-address 10.2.13.2
ip helper-address 97.78.226.33
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description Vlan4_IT_AdmNet
ip address 10.2.13.1 255.255.252.0
ip helper-address 10.2.9.14
ip helper-address 97.78.226.33
ip helper-address 172.16.22.2
ip helper-address 10.2.9.12
ip helper-address 10.2.9.13
ip helper-address 10.2.9.15
ip helper-address 10.2.13.2
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 1
network 172.16.22.0 0.0.0.255
redistribute connected
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat pool NATADDR 97.78.226.35 97.78.226.35 netmask 255.255.255.224
ip nat inside source list 122 pool NATADDR overload
ip nat inside source route-map NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.2.9.12 25 97.78.226.34 25 extendable
ip nat inside source static tcp 10.2.9.12 80 97.78.226.34 80 extendable
ip nat inside source static tcp 10.2.9.12 443 97.78.226.34 443 extendable
ip route 0.0.0.0 0.0.0.0 97.78.226.33
!
ip access-list extended SJR_Inside
permit ip 10.2.8.0 0.0.3.255 10.2.0.0 0.0.3.255
permit ip 10.2.8.0 0.0.3.255 10.2.12.0 0.0.3.255
permit ip 10.2.8.0 0.0.3.255 10.2.4.0 0.0.3.255
!
access-list 122 permit ip host 10.2.9.12 any
access-list 122 deny tcp any any eq smtp
access-list 122 deny tcp any any eq 137
access-list 122 deny tcp any any eq 135
access-list 122 permit ip 10.2.0.0 0.0.3.255 any
access-list 122 permit ip 10.2.4.0 0.0.3.255 any
access-list 122 permit ip 10.2.8.0 0.0.3.255 any
access-list 122 permit ip 10.2.12.0 0.0.3.255 any
access-list 122 permit ip 10.2.1.0 0.0.0.255 any
access-list 122 permit ip 10.4.1.0 0.0.0.255 any
access-list 150 permit ip any any
!
route-map NAT permit 10
match policy-list 150
!

This was configured prior to my coming into the job. We have a wireless backhaul and two other networks that are going through the BHN_OUTSIDE port for the internet. I am trying to get all port 80 and 443 traffic routed through the web filter that is set up on the network.

Any help is welcomed.
 
The web filter is set up on the network as IP 10.2.9.10, SNM 255.255.240.0, gateway 10.2.9.1, DNS 10.2.9.14. The appliance is connected to the switch that holds all traffic in the building.
 
This is what I needed to do to get this to work. We have a Catalyst 4507 at our core and it has the following config:

Code:
access-list 161 permit tcp 10.61.0.0 0.0.255.255 any eq www
access-list 161 permit tcp 10.61.0.0 0.0.255.255 any eq 443

route-map webvlan61 permit 161
 match ip address 161
 set ip next-hop 10.11.0.19

interface Vlan61
 ip address 10.61.32.88 255.255.0.0
 ip helper-address 10.11.0.7
 ip helper-address 10.11.0.8
 ip policy route-map webvlan61

10.11.0.19 is the address of our Netbox Blue proxy/filter.

When anyone on VLAN61 (WiFi) attempts to access the web on 80/443 the traffic is redirected to 10.11.0.19 (set up as transparent proxy). In our case, Netbox then presents a logon page for AD authentication which is required before proceeding (this allows Netbox to filter and track what the user does).
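The redirect above works because IOS evaluates a numbered ACL top to bottom, first match wins, with an implicit deny at the end; the route-map only sets a next-hop for packets the ACL permits, and everything else falls through to the normal routing table. The same first-match rule decides what the 2911's NAT ACL 122 in the first post translates. The following is an added example, not code from either post: a small Python evaluator for the subset of IOS syntax used in the thread (numbered ACLs with `any`, `host`, wildcard masks and `eq`, plus `route-map` / `match ip address` / `set ip next-hop`). The configuration lines are quoted from the two posts; the flows it is run against are constructed, and `PORT_NAMES`, `Flow`, `Ace`, `parse_config`, `acl_permits`, `pbr_next_hop` and `demo` are names chosen here.

```python
"""Replay two pieces of Cisco IOS policy from the thread in plain Python:
the PBR redirect on the Catalyst 4507 (ACL 161 + route-map webvlan61) and
the NAT source ACL 122 on the 2911.  Added example, not from the thread;
the config lines are quoted from the posts, the sample flows are constructed.
Only the numbered-ACL and route-map syntax the thread uses is understood
(no 'gt', 'range', 'established', named ACLs or object groups)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53}

# Config quoted from the two posts: ACL 161 and the route-map from the 4507,
# ACL 122 from the 2911.
CONFIG = """
access-list 161 permit tcp 10.61.0.0 0.0.255.255 any eq www
access-list 161 permit tcp 10.61.0.0 0.0.255.255 any eq 443
route-map webvlan61 permit 161
 match ip address 161
 set ip next-hop 10.11.0.19
access-list 122 permit ip host 10.2.9.12 any
access-list 122 deny tcp any any eq smtp
access-list 122 deny tcp any any eq 137
access-list 122 deny tcp any any eq 135
access-list 122 permit ip 10.2.0.0 0.0.3.255 any
access-list 122 permit ip 10.2.4.0 0.0.3.255 any
access-list 122 permit ip 10.2.8.0 0.0.3.255 any
access-list 122 permit ip 10.2.12.0 0.0.3.255 any
access-list 122 permit ip 10.2.1.0 0.0.0.255 any
access-list 122 permit ip 10.4.1.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]    # None = any destination port


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks; invert explicitly so a
    # wildcard is never mistaken for a netmask.
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wild)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_config(text):
    """Return ({acl_number: [Ace, ...]}, {route_map_name: [clause, ...]})."""
    acls, route_maps, current = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            number, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
            src, dst = _take_addr(rest), _take_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
            current = None
        elif tokens[0] == "route-map":
            current = route_maps.setdefault(tokens[1], [])
            current.append({"acl": None, "next_hop": None})
        elif current is not None and tokens[:3] == ["match", "ip", "address"]:
            current[-1]["acl"] = tokens[3]
        elif current is not None and tokens[:3] == ["set", "ip", "next-hop"]:
            current[-1]["next_hop"] = tokens[3]
    return acls, route_maps


def acl_permits(aces, flow):
    """IOS first-match evaluation with the implicit 'deny any' at the end."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in aces:
        if (ace.proto in ("ip", flow.proto) and src in ace.src and dst in ace.dst
                and (ace.dport is None or ace.dport == flow.dport)):
            return ace.action == "permit"
    return False


def pbr_next_hop(acls, route_maps, name, flow):
    """Next-hop a PBR route-map sets for the flow, or None when the packet
    falls through to the normal routing table."""
    for clause in route_maps.get(name, []):
        if acl_permits(acls.get(clause["acl"], []), flow):
            return clause["next_hop"]
    return None


ACLS, ROUTE_MAPS = parse_config(CONFIG)


def demo():
    """Run constructed VLAN61 flows through route-map webvlan61."""
    cases = {
        "wifi http": Flow("tcp", "10.61.5.20", "93.184.216.34", 80),   # redirected
        "wifi ssh": Flow("tcp", "10.61.5.20", "93.184.216.34", 22),    # normal routing
        "proxy http": Flow("tcp", "10.11.0.19", "93.184.216.34", 80),  # not in 10.61/16
    }
    return {k: pbr_next_hop(ACLS, ROUTE_MAPS, "webvlan61", f) for k, f in cases.items()}


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:<11} -> {hop or 'routing table'}")
```

Two things the evaluator makes visible that the config alone does not: the proxy at 10.11.0.19 is outside 10.61.0.0/16, so its own outbound 80/443 is not policy-routed back to itself (if a transparent proxy ever sits inside a subnet covered by the PBR ACL, a `deny` for its address belongs at the top of that ACL to avoid a loop); and in ACL 122 the host entry for 10.2.9.12 is matched before the `deny tcp any any eq smtp`, which is why that one host is translated for SMTP while the rest of the inside networks are not, whereas the `deny ... eq 137` covers TCP only, so UDP/137 from the inside networks still falls through to the later permits.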
 
Distubedone - Thank you very much. That did it. I don't have much Cisco programming experience; I'm currently studying up on that now. There's a lot to learn. Thanks again.
 