Traffic Route Redirection To Web Filter 1

[trmg]

Hey All,

Currently, our last router before our Internet connection redirects all

http://WWW traffic

to our web filter. The way we do this is a simple route-map and ACL:

The ACL:
access-list 110 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.20.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.30.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.40.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.15.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.42.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.32.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.22.0.0 0.0.255.255 any eq www
access-list 110 permit tcp 10.12.0.0 0.0.255.255 any eq www

The route-map (applied to the data VLAN):
route-map squid permit 10
match ip address 110
set ip next-hop 10.1.1.3

The way our network is set up, any web traffic that happens to flow through this router will be redirected through the web filter. Our web and e-mail servers resides on the 10.1.x.x network which is also routed by this router.

Is there a way to configure the ACL the route-map uses so that it doesn't re-route local web traffic to our web filter? Would it be as simple as adding deny statements like below?

For a given network: access-list 110 deny tcp any 10.10.0.0 0.0.255.255 eq www
For a specific host: access-list 110 den tcp any 10.1.1.99 0.0.255.255 eq www

Or is it more complicated than that?

 

[trmg]

If there is a better way to approach this I am definitely open to ideas!

Ideally, all I want is that

http://WWW traffic

to the outside be passed through our web filter.

 

[burtsbees]

Add the keyword "established"---the outbound traffic will have the SYN bit set, matching the "established" in the acl---traffic coming back in will have the syn-ack , ack and finally fin bits set, not matching the acls. Is this what you want?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[unclerico]

So you want to deny all inter-vlan web based traffic to be exempted from this route-map?? if that is the case then add the following ACE as the first line of ACL 110:

access-list 110 deny tcp any 10.0.0.0 0.255.255.255 eq www

this will deny anything in the 10.x.x.x address space from being manipulated by the route-map and will instead proceed through the normal routing process

i see your route-map is called squid so I'm assuming that you are using the Squid Proxy?? If so, have you considered deploying an autoconfiguration script instead of using a route-map??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[trmg]

Well, in that case, I can simplify the ACL by doing this:

access-list 110 deny tcp any 10.0.0.0 0.255.255.255 eq www
access-list 110 permit tcp 10.0.0.0 0.255.255.255 any eq www

route-map squid permit 10
match ip address 110
set ip next-hop 10.1.1.3

Which would basically say "for

http://WWW traffic

destined to 10.x.x.x, don't apply route-map, for

http://WWW traffic

destined to all other IPs, apply route map".

Am I correct?

Yes, we're using Squid as the proxy server and SquidGuard to do our web filtering. Using the ACL and route-map was the way it was configured before I was hired (3+ years ago). I'm slowly getting around to cleaning up our switch and router configurations.

Would a proxy autoconfiguration script work with all web browsers under all OSes (IE, Firefox, Safari with Windows, OS X, and mobile (iPhone mainly) clients)?

I believe the above will do exactly what I want. Do you think going the autoconfiguration script route would be better/more efficient?

 

[trmg]

The above worked! Now, local web traffic is no longer sent through our web filter.

burtsbees - You mentioned something about adding "established" to the ACL, and you got me thinking...

It would be nice to configure the ACL so that only the initial connection is sent to the web filter so that there is less of a load on the server. Once the connection is established, the traffic is then routed normally.

Would this be possible? Is using "established" how this would be handled?

Please forgive me, I'm relatively new at access control lists!

 

[trmg]

My brain is flying a mile a minute!

Would it be as simple as something like...

access-list 110 deny tcp any 10.0.0.0 0.255.255.255 eq www
access-list 110 deny tcp 10.0.0.0 0.255.255.255 any eq

http://www established

access-list 110 permit tcp 10.0.0.0 0.255.255.255 any eq www

Translated into human thought...

1. If any host's

http://WWW traffic

is destined to 10.x.x.x, don't apply route-map.
2. If a 10.x.x.xx host's

http://WWW traffic

is destined to any host and has already established a connection, don't apply route-map.
3. If a 10.x.x.x host is establishing a new connection, apply route-map.

Or, even simpler...something like...

access-list 110 deny tcp any 10.0.0.0 0.255.255.255 eq www
access-list 110 deny tcp any any eq

http://www established

access-list 110 permit tcp any any eq www

Am I on the right track?

 

[burtsbees]

Yes, exactly. I have never had to try this, but that is the thought process.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[trmg]

After some thought, I don't think "access-list 110 deny tcp any any eq

http://www established"

will work since we're currently doing 1 to 1 NAT. The connection would be established over one IP (the outside IP assigned to the web filter), then it would immediately switch to a different IP (one assigned to the host itself). I don't think many web servers would like that.

Hmm...