Transparent web proxy with Cisco PIX firewall

Posted on 2001-06-11
Last Modified: 2010-05-18
Does anyone know how to transparently force http traffic from some hosts (subnet 10.3.0.0/16) on one interface of a Cisco PIX firewall through a proxy server?

The PIX is PIX-515 hardware with 6 interfaces and failover running software 4.4.
Question by:CF_Spike
LVL 11

Expert Comment

by:geoffryn
ID: 6179322
As far as I know the PIX does not support per protocol forwarding rules.
LVL 79

Accepted Solution

by:lrmoore (earned 200 total points)
ID: 6179344
First question: is your Proxy server on one of your DMZs, or on the internal LAN? If it is on the internal LAN, then no, you cannot re-direct traffic back out the interface that it came in on.
If the Proxy is on one of the DMZs, then you are trying to redirect an inside source IP address out through a DMZ port, but only for web traffic.
I would upgrade to 5.3 or higher and set up access lists that would deny all traffic with source of 10.3.0.0, destination any, port 80 and apply it to the Internet interface, out. Then build a similar access list to allow traffic with source of 10.3.0.0, destination any, port 80 and allow it out the DMZ port where the proxy lives.
The problem with this scenario is that the firewall would also have to make routing decisions based on source/destination/port and forward out the appropriate interface. A PIX cannot do this. A router routes and a firewall enforces rules - period.

What you could do is have your Proxy on one of the DMZs, and force all users through it for web traffic. For this to be enforced on the PIX, you simply deny all traffic destined for port 80 out the outside interface, unless the source is the Proxy server's IP address. You could also allow your other users not on the 10.3.0.0 subnet to go directly through the PIX with the same access-list.

Another option would be to use something like WebSense in combination with your PIX to give you more granular control of user surfing.
http://www.websense.com/index2.cfm

Hope I didn't ramble too much...

LVL 4

Author Comment

by:CF_Spike
ID: 6179404
Thanks for some good pointers ...

In answer to the first question, the Proxy server can be anywhere I want. I will put in a dedicated proxy for this one application.

The 10.3.0.0 network is not actually inside, it's a low-security zone for dialup customers. The only lower security zone is outside (internet). I suppose it's possible to put the proxy server outside the firewall? (I can live with the small risk of one Linux machine outside the firewall for the fairly short time that this solution is needed)

Is it necessary to upgrade to 5.3 to use access lists as mentioned or just recommended?

Unless the PIX is specifically aware that http packets should have the next-hop set to the proxy server, how is the proxy server going to know which packets it should receive?

Just one other point which I didn't quite understand: you mentioned one possible solution but then said "A PIX cannot do this" ... so I guess that option is definitely out then? You also seem to have restated the same solution in the next paragraph too, so is there no hope of getting PIX to do this on its own?

I've got an evaluation version of WebSense ready to try too if none of this works. Either that or replace this zone on the PIX with a Linux NAT box.
LVL 79

Expert Comment

by:lrmoore
ID: 6179420
I may have rambled a bit there, trying to set up something that would work, then realizing it is a router solution, not a PIX solution.
Upgrading to 5.3 is highly recommended. You don't have to use the conduits, just access-lists. 6.0 will give you a web interface that is supposed to be really nice.

The client sets the proxy-server IP address, so as long as that IP is available to the proxy clients via conduits or access-lists, whether on the outside or in a DMZ, then the client forwards all web traffic to that proxy IP address. The PIX then would not have to make the routing decisions.

LVL 4

Author Comment

by:CF_Spike
ID: 6179480
The problem is that there are around 4000 users dialing in and being assigned addresses on that subnet so changing their browser configuration is not really an option. I do need to force a proxy somehow.

So I guess that the final answer is that PIX cannot do this alone.
LVL 79

Expert Comment

by:lrmoore
ID: 6179486
I would say that is a true statement. You could put a router on the DMZ between your dial-in access point and the PIX to make those routing decisions. What do the users actually dial into that supports that many? Are you comfortable that the 515 has enough horsepower to handle that many simultaneous connections?

LVL 4

Author Comment

by:CF_Spike
ID: 6179529
4000 is the total number of users; there are rarely more than 50 at one time.

I think that the easiest, quickest and cheapest solution is to put in a Linux box to do NAT for that subnet and run the Squid web proxy on the internal interface. As I mentioned before, this is only needed temporarily.

Thanks for the help though.
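The Linux NAT box with a transparent Squid that the asker settles on, as an added example that is not part of the thread: 10.3.0.0/16 is the subnet from the question, while the interface names, the Squid 3.1+ `intercept` option and port 3128 are assumptions. It also carries over the accepted answer's enforcement point, dropping any port-80 traffic from that subnet that did not go through the proxy.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux NAT box between the dialup
# subnet and the PIX that forces web traffic through a local Squid.
# Interface names, the Squid 3.1+ "intercept" mode and port 3128 are assumed.
DIALUP_NET="10.3.0.0/16"   # subnet from the question
INSIDE_IF="eth1"           # assumed: faces the dialup users
OUTSIDE_IF="eth0"          # assumed: faces the PIX / Internet
SQUID_PORT="3128"          # assumed Squid listening port

# Emit the iptables commands without running them, so the plan can be
# reviewed before it touches a live box.  Order matters: REDIRECT in the nat
# table happens first, so the FORWARD DROP only catches port-80 traffic that
# somehow bypassed the proxy (e.g. after the nat table was flushed).
nat_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -i $INSIDE_IF -s $DIALUP_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s $DIALUP_NET -j MASQUERADE
iptables -A FORWARD -i $INSIDE_IF -s $DIALUP_NET -p tcp --dport 80 -j DROP
iptables -A FORWARD -i $INSIDE_IF -s $DIALUP_NET -j ACCEPT
iptables -A FORWARD -o $INSIDE_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# squid.conf fragment that accepts the redirected connections from that
# subnet only; Squid then makes its own outbound connections as the NAT box.
squid_conf() {
cat <<EOF
http_port $SQUID_PORT intercept
acl dialup src $DIALUP_NET
http_access allow dialup
http_access deny all
EOF
}

# Number of emitted rules that jump to the given target, for a quick sanity
# check that exactly one REDIRECT and one DROP exist.
rule_count() {
    nat_rules | grep -c -- "-j $1"
}

# Apply only when explicitly asked ("sh proxy-nat.sh apply" as root);
# merge the printed Squid lines into squid.conf and reload Squid afterwards.
if [ "$1" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | while IFS= read -r cmd; do $cmd; done
    echo "# add to squid.conf:"
    squid_conf
fi
```

Run it without arguments to review the generated rules first; only the `apply` argument changes the box.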