Solved

Transparent web proxy with Cisco PIX firewall

Posted on 2001-06-11
Last Modified: 2010-05-18
Does anyone know how to transparently force http traffic from some hosts (subnet 10.3.0.0/16) on one interface of a Cisco PIX firewall through a proxy server?

The PIX is PIX-515 hardware with 6 interfaces and failover running software 4.4.
Question by:CF_Spike
7 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6179322
As far as I know the PIX does not support per protocol forwarding rules.
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 6179344
First question: is your Proxy server on one of your DMZs, or on the internal LAN? If it is on the internal LAN, then no, you cannot re-direct traffic back out the interface that it came in on.
If the Proxy is on one of the DMZs, then you are trying to redirect an inside source IP address out through a DMZ port, but only for web traffic.
I would upgrade to 5.3 or higher and set up access lists that would deny all traffic with source of 10.3.0.0, destination any, port 80 and apply it to the Internet interface, out. Then build a similar access list to allow traffic with source of 10.3.0.0, destination any, port 80 and allow it out the DMZ port where the proxy lives.
The problem with this scenario is that the firewall would also have to make routing decisions based on source/destination/port and forward out the appropriate interface. A PIX cannot do this. A router routes and a firewall enforces rules - period.

What you could do is have your Proxy on one of the DMZs, and force all users through it for web traffic. For this to be enforced on the PIX, you simply deny all traffic destined for port 80 out the outside interface, unless the source is the Proxy server's IP address. You could also allow your other users not on the 10.3.0.0 subnet to go directly through the PIX with the same access-list.

Another option would be to use something like WebSense in combination with your PIX to give you more granular control of user surfing.
http://www.websense.com/index2.cfm

Hope I didn't ramble too much...

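The enforcement lrmoore describes, as an added PIX configuration fragment that is not from the thread; it blocks direct web access from the zone but redirects nothing, so clients still need proxy settings. Assumptions: PIX 5.3 access-list syntax with the access-group applied inbound on an interface named dialup that holds 10.3.0.0/16, and a proxy at the placeholder address 192.0.2.10 on a DMZ listening on TCP 3128.

```text
access-list dialup_in permit tcp 10.3.0.0 255.255.0.0 host 192.0.2.10 eq 3128
access-list dialup_in deny tcp 10.3.0.0 255.255.0.0 any eq www
access-list dialup_in permit ip 10.3.0.0 255.255.0.0 any
access-group dialup_in in interface dialup
```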
 
LVL 4

Author Comment

by:CF_Spike
ID: 6179404
Thanks for some good pointers ...

In answer to the first question, the Proxy server can be anywhere I want. I will put in a dedicated proxy for this one application.

The 10.3.0.0 network is not actually inside, it's a low-security zone for dialup customers. The only lower security zone is outside (internet). I suppose it's possible to put the proxy server outside the firewall? (I can live with the small risk of one Linux machine outside the firewall for the fairly short time that this solution is needed)

Is it necessary to upgrade to 5.3 to use access lists as mentioned or just recommended?

Unless the PIX is specifically aware that http packets should have the next-hop set to the proxy server, how is the proxy server going to know which packets it should receive?

Just one other point which I didn't quite understand: you mentioned one possible solution but then said "A PIX cannot do this" ... so I guess that option is definitely out then? You also seem to have restated the same solution in the next paragraph too, so is there no hope of getting PIX to do this on its own?

I've got an evaluation version of websense ready to try too if none of this works. Either that or replace this zone on the PIX with a Linux NAT box.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6179420
I may have rambled a bit there, trying to set up something that would work, then realizing it is a router solution, not a PIX solution.
Upgrade to 5.3 is highly recommended. You don't have to use the conduits, just access-lists. 6.0 will give you a web interface that is supposed to be really nice.

The Client sets the proxy-server IP address, so as long as that IP is available to the proxy clients via conduits or access-lists, whether on the outside or in a DMZ, then the client forwards all web traffic to that proxy IP address. The PIX then would not have to make the routing decisions.

 
LVL 4

Author Comment

by:CF_Spike
ID: 6179480
The problem is that there are around 4000 users dialing in and being assigned addresses on that subnet so changing their browser configuration is not really an option. I do need to force a proxy somehow.

So I guess that the final answer is that PIX cannot do this alone.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6179486
I would say that is a true statement. You could put a router on the DMZ between your dial-in access point and the PIX to make those routing decisions. What do the users actually dial into that supports that many? Are you comfortable that the 515 has enough horsepower to handle that many simultaneous connections?

 
LVL 4

Author Comment

by:CF_Spike
ID: 6179529
4000 is the total number of users; there are rarely more than 50 at one time.

I think that the easiest, quickest and cheapest solution is to put a Linux box to do NAT for that subnet and run squid web proxy on the internal interface. As I mentioned before, this is only needed temporarily.

Thanks for the help though.
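The Linux NAT-plus-Squid setup the author settles on, written out as an added example that is not from the thread or from the Squid project: it intercepts TCP/80 from 10.3.0.0/16 on the box's internal interface and hands it to Squid, so the dial-up browsers need no proxy settings. The interface names, the Squid port and the DRYRUN switch are assumptions; the only page-supplied value is the subnet.

```shell
#!/bin/sh
# Transparent HTTP interception on a Linux NAT box placed in front of the
# 10.3.0.0/16 dialup zone, with Squid listening on the box's inside interface.
# Added example; interface names and the Squid port below are assumptions.
set -eu

INSIDE_IF="${INSIDE_IF:-eth1}"       # interface facing 10.3.0.0/16 (assumed)
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"     # interface towards the PIX/Internet (assumed)
DIALUP_NET="10.3.0.0/16"             # dialup subnet from the question
SQUID_PORT="${SQUID_PORT:-3128}"     # port Squid listens on (assumed)
DRYRUN="${DRYRUN:-0}"                # DRYRUN=1 prints the commands instead of running them

# Run a command, or print it when DRYRUN=1 so the ruleset can be reviewed first.
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # The box must forward packets between its two interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Web traffic from the dialup zone is diverted to Squid on this box before
    # any routing decision is made, which is what the PIX cannot do on its own.
    run iptables -t nat -A PREROUTING -i "$INSIDE_IF" -s "$DIALUP_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # Everything else from the zone is NAT'd out the upstream interface.
    run iptables -t nat -A POSTROUTING -o "$OUTSIDE_IF" -s "$DIALUP_NET" -j MASQUERADE
    # Refuse to forward any direct port-80 traffic that was not redirected,
    # so the proxy cannot be bypassed if the PREROUTING rule is ever removed.
    run iptables -A FORWARD -i "$INSIDE_IF" -s "$DIALUP_NET" -p tcp --dport 80 -j DROP
}

# Number of rules that divert traffic to Squid; a quick sanity check on the ruleset.
redirect_rule_count() {
    ( DRYRUN=1; apply_rules ) | grep -c -- '-j REDIRECT'
}

case "${1:-}" in
    apply) apply_rules ;;          # install the rules (needs root)
    show)  DRYRUN=1 apply_rules ;; # print the rules without touching the kernel
esac
```

Squid itself has to be told it is receiving intercepted connections (`http_port 3128 transparent` in Squid 2.6 and later, `intercept` in 3.1 and later), or it will reject the requests as they carry no proxy-style absolute URLs.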