Transparent web proxy with Cisco PIX firewall

Posted on 2001-06-11
Last Modified: 2010-05-18
Does anyone know how to transparently force http traffic from some hosts (subnet on one interface of a Cisco PIX firewall) through a proxy server?

The PIX is PIX-515 hardware with 6 interfaces and failover running software 4.4.
Question by: CF_Spike
LVL 11

Expert Comment

ID: 6179322
As far as I know the PIX does not support per protocol forwarding rules.
LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 6179344
First question: is your Proxy server on one of your DMZ's, or on the internal LAN? If it is on the internal LAN, then no, you cannot re-direct traffic back out the interface that it came in on.
If the Proxy is on one of the DMZ's, then you are trying to redirect an inside source IP address out through a DMZ port, but only for web traffic.
I would upgrade to 5.3 or higher and setup access lists that would deny all traffic with source of, destination any, port 80 and apply it to the Internet interface, out. Then build a similar access list to allow traffic with source of, destination any, port 80 and allow it out the DMZ port where the proxy lives.
The problem with this scenario is that the firewall would also have to make routing decisions based on source/destination/port and forward out the appropriate interface. A PIX cannot do this. A router routes and a firewall enforces rules - period.

What you could do is have your Proxy on one of the DMZ's, and force all users through it for web traffic. For this to be enforced on the PIX, you simply deny all traffic destined for port 80 out the outside interface, unless the source is the Proxy server's IP address. You could also allow your other users not on the subnet to go directly through the PIX with the same access-list.

Another option would be to use something like WebSense in combination with your PIX to give you more granular control of user surfing.

Hope I didn't ramble too much...
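The enforcement lrmoore describes, written out as an added PIX 5.3-style configuration fragment that is not part of the original thread. The interface names, the dialup subnet 192.0.2.0/24, the proxy address 198.51.100.10 on the DMZ and its port 3128 are constructed placeholders; because PIX 5.x/6.x only applies an access-group inbound on an interface, the deny is placed inbound on the dialup interface instead of outbound on the outside interface, which has the same effect:

```cisco
! Constructed example; interface names and addresses are placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dialup security40
! (ip address lines for each interface omitted)

! Make the proxy reachable from the lower-security dialup interface
! (lrmoore's "available to the proxy clients via conduits or access-lists").
static (dmz,dialup) 198.51.100.10 198.51.100.10 netmask 255.255.255.255

! Policy for packets arriving from the dialup subnet; first match wins.
! 1. dialup clients may reach the proxy's listening port on the DMZ
access-list dialup_in permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 3128
! 2. any other direct attempt to reach a web server on port 80 is dropped
access-list dialup_in deny tcp 192.0.2.0 255.255.255.0 any eq www
! 3. everything else from the subnet keeps flowing as before
access-list dialup_in permit ip 192.0.2.0 255.255.255.0 any
access-group dialup_in in interface dialup
```

As the thread concludes, this only enforces the policy: clients must still be configured to use 198.51.100.10:3128, because the PIX does not redirect port 80 traffic to the proxy.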


Author Comment

ID: 6179404
Thanks for some good pointers ...

In answer to the first question, the Proxy server can be anywhere I want. I will put in a dedicated proxy for this one application.

The network is not actually inside, it's a low-security zone for dialup customers. The only lower security zone is outside (internet). I suppose it's possible to put the proxy server outside the firewall? (I can live with the small risk of one Linux machine outside the firewall for the fairly short time that this solution is needed)

Is it necessary to upgrade to 5.3 to use access lists as mentioned or just recommended?

Unless the PIX is specifically aware that http packets should have the next-hop set to the proxy server, how is the proxy server going to know which packets it should receive?

Just one other point which I didn't quite understand: you mentioned one possible solution but then said "A PIX cannot do this" ... so I guess that option is definitely out then? You also seem to have restated the same solution in the next paragraph too, so is there no hope of getting PIX to do this on its own?

I've got an evaluation version of websense ready to try too if none of this works. Either that or replace this zone on the PIX with a Linux NAT box.

LVL 79

Expert Comment

ID: 6179420
I may have rambled a bit there, trying to setup something that would work, then realizing it is a router solution, not a PIX solution.
Upgrade to 5.3 is highly recommended. You don't have to use the conduits, just access-lists. 6.0 will give you a web interface that is supposed to be really nice.

The Client sets the proxy-server IP address, so as long as that IP is available to the proxy clients via conduits or access-lists, whether on the outside or in a DMZ, then the client forwards all web traffic to that proxy IP address. The PIX then would not have to make the routing decisions.


Author Comment

ID: 6179480
The problem is that there are around 4000 users dialing in and being assigned addresses on that subnet so changing their browser configuration is not really an option. I do need to force a proxy somehow.

So I guess that the final answer is that PIX cannot do this alone.
LVL 79

Expert Comment

ID: 6179486
I would say that is a true statement. You could put a router on the DMZ between your dial-in access point and the PIX to make those routing decisions. What do the users actually dial into that supports that many? Are you comfortable that the 515 has enough horsepower to handle that many simultaneous connections?


Author Comment

ID: 6179529
4000 is the amount of total users, there's rarely more than 50 at one time.

I think that the easiest, quickest and cheapest solution is to put a Linux box to do NAT for that subnet and run squid web proxy on the internal interface. As I mentioned before, this is only needed temporarily.

Thanks for the help though.
