Solved

Router to external proxy?

Posted on 2006-10-28
10
669 Views
Last Modified: 2013-11-30
I want to set up a router at a sales office, block all traffic except for ports 80 & 443 and have all port 80/443 run through an external (off-site) proxy.

Are there any routers that can block all ports except 80 & 443 and then send all of that traffic to an off-site proxy?

0
Comment
Question by:JimHubbard
10 Comments
 
LVL 10

Accepted Solution

by:
Joesmail earned 250 total points
ID: 17825067
Any Cisco IOS firewall can do this.

Cisco 800 series is the model to use if the link is under 10MB and you don't have more than 50-75 users.  Alternatively the 1800 is a better option.

You would use a "route-map" to do this.  I have had to do this plenty of times when moving hundreds of connections slowly over to a new firewall or router at a clients organisation.

e.g.
!
access-list 110 permit tcp 192.168.0.0 0.0.1.255 any eq 80
access-list 110 permit tcp 192.168.0.0 0.0.1.255 any eq 443

route-map YOUR-COMPANY-route-map permit 10
 match ip address 110
 set ip next-hop 10.10.200.201

How this works:

All the traffic from the 192.168.0.0/23 subnet that hits this router gets evaluated using the access-list 110.  If its not "80" or "443" then it goes to another router (off-site proxy - 10.10.200.201).


0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 17825514
WCCP does this, but only if the external proxy supports it.
http://www.cisco.com/en/US/tech/tk122/tk717/tsd_technology_support_protocol_home.html

Just to add to Joesmail's post above -
 If the ip next-hop is not directly connected (and I assume that your external proxy won't be), then you also have to have an explict route to that IP address. Most upstream routers won't allow this type specified routing. I've never seen this used to specify a proxy as the next hop gateway. . . If it works, that's thinking outside the box and hats off to Joe..
0
 
LVL 10

Expert Comment

by:Joesmail
ID: 17827337
Totally agree with Irmoore,

A very good point to make.   The upstream proxy would have to allow you to route to it directly.  If this upstream proxy is external (at a third party ISP) this might/probably wont work unless you have a direct route to it.




0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 10

Expert Comment

by:Joesmail
ID: 17827359
Even if the off-site proxy is not adjacent you can try to use "ip next-hop recursive".  Quote "If the recursive next-hop IP address is not available, packets are routed using a default route. "
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch20/h_12spbr.htm

Of course the packet cannot be modified in anyway on route to it destination.
0
 

Author Comment

by:JimHubbard
ID: 17827923
Is there a less expensive router that can be used to accomplish this?

The goal is to give internet access to the remote location but to filter out porn and stuff using our home office proxy/filter.  There is only a Netgear wireless router there at this time (not even a PC) for the agents to use with their laptops.

The laptops (max surfers probably 30 - if sponsoring a meeting) are the property of the agents - so we don't want to require that they place filtering software on them (and we couldn't enforce that anyway on their personal equipment).  And, placing a PC in each location to do filtering could run upwards of $1000 - with a high probability of theft or tinkering.

I really thought that there might be a less expensive solution (like a simple, inexpensive wireless router that could route all traffic directly to our proxy) to allow us to just make sure that nothing was being surfed that may offend potential clients.  Yes - we've had it happen before.  And, although we can fire the agents involved - that doesn't mean we can still close the client.

0
 
LVL 10

Expert Comment

by:Joesmail
ID: 17828159
If you give them access to your filter can't you just change their proxy address in their browsers or their local pc's using proxycfg?

proxycfg -d -p myProxyServer:80 "<local>"
http://support.microsoft.com/kb/289481
0
 
LVL 10

Expert Comment

by:Joesmail
ID: 17828175
At least when you configure a proxy address (FIRST OPTION above) you can block all http and https traffic going out of the current wireless device and only allow the proxy port and server you have configured at your head office.

If you still want an inexpensive wireless router you might consider purchasing a Wireless VPN router.  Set it up so they are just another subnet of your main office and all traffic has to go through your main office.  This will require one at the main office as well.
e.g.
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1118334818934&pagename=Linksys%2FCommon%2FVisitorWrapper

remote office--------->Linksys------------------------------>yourMainOffice-FITLER----------------------------------->internet
                         VPN ONLY TO HEAD OFFICE.

This option is still more work than the first.

0
 
LVL 40

Expert Comment

by:omarfarid
ID: 19155874
Hi,

If your customer can do the following:

1- Separate the intranet (office) from the Internet.

2- Put a server connected to both networks (Windows or linux)

3- Run on the dual-homed server a proxy server S/W (e.g. Windows Proxy or any freeware like apache)

4- Now, on the proxy server you can put access lists, etc. to block sites, or you may buy commercial filtering S/W. Or, if your ISP has a proxy service, you may configure the proxy server to point to it.

5- All the PCs on the intranet (office) can configure their browsers to use the proxy server on the dual-homed server.

0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Home network with two AP's dropping WiFi connectivity 12 69
VPN Connection WIndows 10 5 62
Manage ASA using outside IP 14 62
Network setup between buildings 4 25
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question