Cisco 871 forward to proxy server

I am trying to configure a Cisco 871 router to forward all internal web traffic to a proxy server located in our head office. The routers make a VPN connection to the head office.
I have read about port forwarding external traffic through the firewall to a specific IP internally. If this is the solution, I can't seem to figure out the config lines.

Below is a copy of a config I have been working on. It makes a VPN tunnel and DHCP relaying is working. There is an attempt to forward to the proxy server (ip policy route-map proxy-redirect) but it does not work. When I watch the traffic and log files on the proxy there is no traffic from the remote site.


Current configuration : 6289 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$hvVt$QzYXaZE8z6tTR.o/X2Wbz.
!
username user1 privilege 15 secret 5 password1
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name domain.com
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn Cisco_ASA_VPN
 connect auto
 group DefaultRAGroup key 0k2l0g1n
 mode network-extension
 peer peerip
 username vpnusername password  vnnpassword
 xauth userid mode local
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address WANIP WANMASK
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn Cisco_ASA_VPN
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address InternalIP InternalMask
 ip access-group 100 in
 ip helper-address DHCPServerIP
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 ip policy route-map proxy-redirect
 crypto ipsec client ezvpn Cisco_ASA_VPN inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 DefaultGatewayIP
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit InternalNetwork 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit InternalNetwork 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip ExterNetworkIP 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip InternalNetwork 0.0.0.255 any
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) Cisco_ASA_VPN
access-list 101 permit udp host peerIP any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) Cisco_ASA_VPN
access-list 101 permit udp host peerIP  any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) Cisco_ASA_VPN
access-list 101 permit udp host peerIP any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (esp) Cisco_ASA_VPN
access-list 101 permit esp host peerIP any
access-list 101 remark Auto generated by SDM for EzVPN (ahp) Cisco_ASA_VPN
access-list 101 permit ahp host peerIP any
access-list 101 permit icmp any host WANIP echo-reply
access-list 101 permit icmp any host WANIP time-exceeded
access-list 101 permit icmp any host WANIP unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip InternalNetwork 0.0.0.255 any
access-list 102 deny   ip any any
access-list 110 deny   tcp any any neq www
access-list 110 deny   tcp host proxyIP any
access-list 110 permit tcp any any
no cdp run
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop proxyIP
!
!
control-plane
!
banner login ^CCCCCCCCC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login authentication local_authen
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Asked by BudgetDevon

Nayyar HH (CCIE RS), Network Architect, commented:

Note that a router would normally use the Routing Information Base to forward or route packets based on the destination IP address. Policy routing is used to "override" this normal forwarding behavior based on a set of user-defined conditions.
In your scenario, if web packets from clients are destined for the proxy (i.e. have the proxy server's IP address as destination address) they should normally end up at the proxy server without any additional configuration, assuming browsers have been configured to use your corporate proxy IP address and assuming IPsec VPN tunnels and routing are in place.

Port forwarding isn't a solution for your particular scenario.

First, remove the policy routing configuration applied. A few things to check and put in place if not already:

- Web browsers on client machines need to be configured with the proxy server's IP address. Is this a private or public range?
- At RO and HO, crypto maps on VPN routers should encrypt and decrypt Client-to-Proxy/Proxy-to-Client traffic (NOTE: avoid using "any").
- At HO, Proxy-to-Internet traffic should bypass crypto maps.
- An observation: you have applied crypto maps to inside and outside interfaces. Usually this is on the outside interface.
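The two points above that are easiest to get wrong are what the asker's route-map actually matches (access-list 110 is a "redirect only port 80, but never traffic sourced by the proxy" filter) and what the answer's "avoid using any" note means for the crypto ACL. The script below is an added example, not code from the thread or from Cisco: it reimplements just enough of IOS extended-ACL matching (tcp/udp/ip, host/any/wildcard, eq/neq) to evaluate the posted ACL 110 and two candidate crypto ACLs against constructed sample flows. The proxy address 10.1.1.50, the remote LAN 192.168.10.0/24 and the Internet host 203.0.113.5 are assumed values standing in for the placeholders in the post.

```python
"""Added example (not from the original post): evaluate the IOS ACLs
discussed in the thread against constructed sample flows.

IOS semantics are reimplemented minimally: first match wins, an
unmatched packet hits the implicit deny at the end of the list.
"""
import ipaddress
from typing import Optional

# Port names IOS prints inside ACLs; only the ones used here.
PORT_NAMES = {"www": 80, "domain": 53}

PROXY_IP = "10.1.1.50"                 # assumed stand-in for "proxyIP"
REMOTE_LAN = "192.168.10.0 0.0.0.255"  # assumed remote-office LAN
INTERNET_HOST = "203.0.113.5"          # assumed public web server


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i].
    Returns (address, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse one 'permit|deny PROTO SRC DST [eq|neq PORT]' entry."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    op, port = None, None
    if i < len(t):  # optional destination-port operator
        op = t[i]
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return dict(action=action, proto=proto, src=(src, src_wc),
                dst=(dst, dst_wc), op=op, port=port)


def _addr_match(pkt_ip: int, rule) -> bool:
    addr, wc = rule  # wildcard bits are "don't care" bits
    return (pkt_ip & ~wc & 0xFFFFFFFF) == (addr & ~wc & 0xFFFFFFFF)


def acl_action(acl, proto: str, src: str, dst: str,
               dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet (implicit deny at end)."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(_ip(src), ace["src"])
                and _addr_match(_ip(dst), ace["dst"])):
            continue
        if ace["op"] == "eq" and dport != ace["port"]:
            continue
        if ace["op"] == "neq" and dport == ace["port"]:
            continue
        return ace["action"]
    return "deny"


# The asker's ACL 110 with proxyIP filled in.
ACL_110 = [
    "deny tcp any any neq www",          # anything but port 80: normal routing
    f"deny tcp host {PROXY_IP} any",     # proxy's own traffic: never loop back
    "permit tcp any any",                # remaining port-80 traffic: redirect
]


def pbr_next_hop(proto, src, dst, dport=None) -> Optional[str]:
    """route-map proxy-redirect: 'match ip address 110' then
    'set ip next-hop proxyIP'. Denied packets keep destination routing."""
    hit = acl_action(ACL_110, proto, src, dst, dport) == "permit"
    return PROXY_IP if hit else None


# Crypto ACLs: the specific encryption domain the answer recommends
# (RO side and its HO mirror) versus the "any" form it warns against.
CRYPTO_RO_SPECIFIC = [f"permit ip {REMOTE_LAN} host {PROXY_IP}"]
CRYPTO_HO_SPECIFIC = [f"permit ip host {PROXY_IP} {REMOTE_LAN}"]
CRYPTO_ANY = ["permit ip any any"]


def goes_in_tunnel(crypto_acl, proto, src, dst, dport=None) -> bool:
    """A crypto ACL 'permit' means the flow is pulled into the IPsec SA."""
    return acl_action(crypto_acl, proto, src, dst, dport) == "permit"


if __name__ == "__main__":
    client = "192.168.10.20"
    print("client->web:80   next-hop", pbr_next_hop("tcp", client, INTERNET_HOST, 80))
    print("client->web:443  next-hop", pbr_next_hop("tcp", client, INTERNET_HOST, 443))
    print("proxy->client:80 next-hop", pbr_next_hop("tcp", PROXY_IP, client, 80))
    print("HO specific, proxy->Internet encrypted:",
          goes_in_tunnel(CRYPTO_HO_SPECIFIC, "tcp", PROXY_IP, INTERNET_HOST, 80))
    print("HO any/any,  proxy->Internet encrypted:",
          goes_in_tunnel(CRYPTO_ANY, "tcp", PROXY_IP, INTERNET_HOST, 80))
```

Running it shows the route-map only ever sets the next hop for TCP port 80 and never for packets the proxy itself sends, which is why nothing else changes when it is applied; it also shows that a head-office crypto ACL of `permit ip any any` would drag the proxy's own Internet-bound requests into the tunnel, whereas the mirrored subnet-to-host entries leave them on the normal path.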