Solved

Transparent web proxy with Cisco PIX firewall

Posted on 2001-06-11
Last Modified: 2010-05-18
Does anyone know how to transparently force http traffic from some hosts (subnet 10.3.0.0/16) on one interface of a Cisco PIX firewall through a proxy server?

The PIX is PIX-515 hardware with 6 interfaces and failover running software 4.4.
Question by:CF_Spike
7 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6179322
As far as I know the PIX does not support per protocol forwarding rules.
LVL 79

Accepted Solution

by:lrmoore (earned 600 total points)
ID: 6179344
First question: is your Proxy server on one of your DMZs, or on the internal LAN? If it is on the internal LAN, then no, you cannot redirect traffic back out the interface that it came in on.
If the Proxy is on one of the DMZs, then you are trying to redirect an inside source IP address out through a DMZ port, but only for web traffic.
I would upgrade to 5.3 or higher and set up access lists that would deny all traffic with source of 10.3.0.0, destination any, port 80 and apply it to the Internet interface, out. Then build a similar access list to allow traffic with source of 10.3.0.0, destination any, port 80 and allow it out the DMZ port where the proxy lives.
The problem with this scenario is that the firewall would also have to make routing decisions based on source/destination/port and forward out the appropriate interface. A PIX cannot do this. A router routes and a firewall enforces rules - period.

What you could do is have your Proxy on one of the DMZs, and force all users through it for web traffic. For this to be enforced on the PIX, you simply deny all traffic destined for port 80 out the outside interface, unless the source is the Proxy server's IP address. You could also allow your other users not on the 10.3.0.0 subnet to go directly through the PIX with the same access-list.

Another option would be to use something like WebSense in combination with your PIX to give you more granular control of user surfing.
http://www.websense.com/index2.cfm

Hope I didn't ramble too much...

LVL 4

Author Comment

by:CF_Spike
ID: 6179404
Thanks for some good pointers ...

In answer to the first question, the Proxy server can be anywhere I want. I will put in a dedicated proxy for this one application.

The 10.3.0.0 network is not actually inside, it's a low-security zone for dialup customers. The only lower security zone is outside (internet). I suppose it's possible to put the proxy server outside the firewall? (I can live with the small risk of one Linux machine outside the firewall for the fairly short time that this solution is needed)

Is it necessary to upgrade to 5.3 to use access lists as mentioned or just recommended?

Unless the PIX is specifically aware that http packets should have the next-hop set to the proxy server, how is the proxy server going to know which packets it should receive?

Just one other point which I didn't quite understand: you mentioned one possible solution but then said "A PIX cannot do this" ... so I guess that option is definitely out then? You also seem to have restated the same solution in the next paragraph too, so is there no hope of getting PIX to do this on its own?

I've got an evaluation version of websense ready to try too if none of this works. Either that or replace this zone on the PIX with a Linux NAT box.
LVL 79

Expert Comment

by:lrmoore
ID: 6179420
I may have rambled a bit there, trying to set up something that would work, then realizing it is a router solution, not a PIX solution.
Upgrade to 5.3 is highly recommended. You don't have to use the conduits, just access-lists. 6.0 will give you a web interface that is supposed to be really nice.

The Client sets the proxy-server IP address, so as long as that IP is available to the proxy clients via conduits or access-lists, whether on the outside or in a DMZ, then the client forwards all web traffic to that proxy IP address. The PIX then would not have to make the routing decisions.

LVL 4

Author Comment

by:CF_Spike
ID: 6179480
The problem is that there are around 4000 users dialing in and being assigned addresses on that subnet so changing their browser configuration is not really an option. I do need to force a proxy somehow.

So I guess that the final answer is that PIX cannot do this alone.
LVL 79

Expert Comment

by:lrmoore
ID: 6179486
I would say that is a true statement. You could put a router on the DMZ between your dial-in access point and the PIX to make those routing decisions. What do the users actually dial into that supports that many? Are you comfortable that the 515 has enough horsepower to handle that many simultaneous connections?

LVL 4

Author Comment

by:CF_Spike
ID: 6179529
4000 is the total number of users; there are rarely more than 50 at one time.

I think that the easiest, quickest and cheapest solution is to put a Linux box to do NAT for that subnet and run squid web proxy on the internal interface. As I mentioned before, this is only needed temporarily.

Thanks for the help though.
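CF_Spike's closing plan (a Linux box doing NAT for the dial-in subnet with Squid intercepting the web traffic) as an added example script; it is not part of the thread and not anyone's posted configuration. Only the 10.3.0.0/16 subnet comes from the question. The interface names, the Squid intercept port and the `intercept` directive (Squid 3.1 or later; the Squid of 2001 used the `httpd_accel_*` options instead) are assumptions. Without `APPLY=1` it only prints the rules and Squid configuration for review.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux NAT gateway for the dial-in
# subnet that silently steers port-80 traffic into a local Squid.
# Assumed values (not given in the thread): interface names and the Squid
# intercept port. Only 10.3.0.0/16 comes from the question.
# Without APPLY=1 the script just prints the rules and Squid config for
# review; with APPLY=1 (as root) it loads them.

DIALIN_NET="10.3.0.0/16"   # subnet from the question
INSIDE_IF="eth1"           # assumed: faces the dial-in zone
OUTSIDE_IF="eth0"          # assumed: faces the PIX / Internet
SQUID_PORT="3129"          # assumed: Squid's intercept port

# Print the iptables commands. Keeping them as text lets them be reviewed
# (and checked below) before anything touches the kernel.
gen_rules() {
    cat <<EOF
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# Only web traffic that arrives on the dial-in interface from the dial-in
# subnet is steered into Squid; port-80 traffic from anywhere else is left alone.
iptables -t nat -A PREROUTING -i $INSIDE_IF -s $DIALIN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# The rest of the subnet's traffic is NATed out the way a plain NAT box would.
iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s $DIALIN_NET -j MASQUERADE
# The intercept port must not be reachable from the Internet side, or the
# box becomes an open proxy.
iptables -A INPUT -i $OUTSIDE_IF -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# Minimal Squid configuration: intercept mode on the redirect port, and
# service only for the dial-in subnet. The final deny matters: without it
# anything that can reach the port can relay through the box.
gen_squid_conf() {
    cat <<EOF
http_port $SQUID_PORT intercept
acl dialin src $DIALIN_NET
http_access allow dialin
http_access deny all
EOF
}

# Refuse to apply a rule set in which any REDIRECT is not pinned to both
# the dial-in interface and the dial-in subnet.
check_rules() {
    gen_rules | grep REDIRECT | while read -r rule; do
        case "$rule" in
            *"-i $INSIDE_IF "*"-s $DIALIN_NET "*) ;;
            *) echo "unscoped redirect: $rule" >&2; exit 1 ;;
        esac
    done
}

apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | sh
}

if [ "${APPLY:-0}" = "1" ]; then
    check_rules && apply_rules
else
    gen_rules
    echo
    gen_squid_conf
fi
```

The `http_access deny all` line and the `DROP` on the outside interface apply the same principle lrmoore described for the PIX, only the proxy may talk to port 80 on behalf of the subnet, to the proxy box itself: the intercept port is reachable only from the dial-in side, so the box cannot be used as an open relay. Dial-in clients need no browser changes, which was the constraint that ruled out the client-side proxy setting.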