Transparent web proxy with Cisco PIX firewall

Does anyone know how to transparently force http traffic from some hosts (a subnet on one interface of a Cisco PIX firewall) through a proxy server?

The PIX is PIX-515 hardware with 6 interfaces and failover running software 4.4.
First question: is your Proxy server on one of your DMZ's, or on the internal LAN? If it is on the internal LAN, then no, you cannot re-direct traffic back out the interface that it came in on.
If the Proxy is on one of the DMZ's, then you are trying to redirect an inside source IP address out through a DMZ port, but only for web traffic.
I would upgrade to 5.3 or higher and set up access lists that would deny all traffic with source of, destination any, port 80 and apply it to the Internet interface, out. Then build a similar access list to allow traffic with source of, destination any, port 80 and allow it out the DMZ port where the proxy lives.
The problem with this scenario is that the firewall would also have to make routing decisions based on source/destination/port and forward out the appropriate interface. A PIX cannot do this. A router routes and a firewall enforces rules - period.

What you could do is have your Proxy on one of the DMZ's, and force all users through it for web traffic. For this to be enforced on the PIX, you simply deny all traffic destined for port 80 out the outside interface, unless the source is the Proxy server's IP address. You could also allow your other users not on the subnet to go directly through the PIX with the same access-list.

Another option would be to use something like WebSense in combination with your PIX to give you more granular control of user surfing.

Hope I didn't ramble too much...

As far as I know the PIX does not support per protocol forwarding rules.
CF_Spike (Author) commented:
Thanks for some good pointers ...

In answer to the first question, the Proxy server can be anywhere I want. I will put in a dedicated proxy for this one application.

The network is not actually inside, it's a low-security zone for dialup customers. The only lower security zone is outside (internet). I suppose it's possible to put the proxy server outside the firewall? (I can live with the small risk of one Linux machine outside the firewall for the fairly short time that this solution is needed)

Is it necessary to upgrade to 5.3 to use access lists as mentioned or just recommended?

Unless the PIX is specifically aware that http packets should have the next-hop set to the proxy server, how is the proxy server going to know which packets it should receive?

Just one other point which I didn't quite understand: you mentioned one possible solution but then said "A PIX cannot do this" ... so I guess that option is definitely out then? You also seem to have restated the same solution in the next paragraph too, so is there no hope of getting PIX to do this on its own?

I've got an evaluation version of websense ready to try too if none of this works. Either that or replace this zone on the PIX with a Linux NAT box.

I may have rambled a bit there, trying to set up something that would work, then realizing it is a router solution, not a PIX solution.
Upgrade to 5.3 is highly recommended. You don't have to use the conduits, just access-lists. 6.0 will give you a web interface that is supposed to be really nice.

The Client sets the proxy-server IP address, so as long as that IP is available to the proxy clients via conduits or access-lists, whether on the outside or in a DMZ, then the client forwards all web traffic to that proxy IP address. The PIX then would not have to make the routing decisions.

CF_Spike (Author) commented:
The problem is that there are around 4000 users dialing in and being assigned addresses on that subnet so changing their browser configuration is not really an option. I do need to force a proxy somehow.

So I guess that the final answer is that PIX cannot do this alone.
I would say that is a true statement. You could put a router on the DMZ between your dial-in access point and the PIX to make those routing decisions. What do the users actually dial into that supports that many? Are you comfortable that the 515 has enough horsepower to handle that many simultaneous connections?

CF_Spike (Author) commented:
4000 is the amount of total users, there's rarely more than 50 at one time.

I think that the easiest, quickest and cheapest solution is to put a Linux box to do NAT for that subnet and run squid web proxy on the internal interface. As I mentioned before, this is only needed temporarily.

Thanks for the help though.
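The Linux NAT box plus squid approach the author settles on, written out as an added example that is not from the thread; the interface names, the dial-up subnet and the squid port are assumptions.

```shell
#!/bin/sh
# Transparent HTTP interception on the Linux NAT box the thread settles on.
# Assumptions (not from the thread): interface names, the dial-up subnet and the
# squid port. The script prints the ruleset by default; "apply" loads it (as root).
DIALUP_IF="eth1"            # interface facing the dial-up subnet (assumed)
DIALUP_NET="10.10.0.0/16"   # constructed example address pool for the dial-up users
OUTSIDE_IF="eth0"           # interface towards the PIX / Internet (assumed)
SQUID_PORT="3128"           # squid listens here; needs "http_port 3128 transparent"
                            # in squid.conf (squid 2.6/3.0; 3.1+ spells it "intercept")
                            # plus an acl/http_access allow for the dial-up subnet

# Emit the commands one per line rather than running them, so the ruleset can be
# reviewed (and checked by the test) before it touches the box.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $DIALUP_IF -s $DIALUP_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s $DIALUP_NET -j MASQUERADE
iptables -A INPUT -i $DIALUP_IF -s $DIALUP_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A FORWARD -i $DIALUP_IF -o $OUTSIDE_IF -s $DIALUP_NET -p tcp --dport 80 -j DROP
iptables -A FORWARD -i $DIALUP_IF -o $OUTSIDE_IF -s $DIALUP_NET -j ACCEPT
iptables -A FORWARD -i $OUTSIDE_IF -o $DIALUP_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
# The PREROUTING rule is the transparent part: port-80 TCP from the dial-up pool is
# rewritten to the local squid port before routing, so browsers need no proxy setting.
# The FORWARD DROP mirrors the PIX advice in the thread (deny port 80 out unless it
# came from the proxy): anything that escapes the REDIRECT cannot leave directly.

case "${1:-show}" in
  apply) gen_rules | sh -e ;;
  *)     gen_rules ;;
esac
```

Run it once without arguments to inspect the ruleset, then with `apply` on the NAT box; squid must already be listening on the port in intercept mode.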