transparent proxy

Dear gents,
How can I do a transparent proxy as in the attached diagram?
I tried to do the mapping in the local router but it was not successful.
Please find the attached diagram and local router configuration.

Regards

Router#show running-config
Building configuration...

Current configuration : 1264 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging monitor
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface Tunnel110
 description KBI tunnel
 ip address 192.168.200.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 80.??.??.?
!
interface Ethernet0/0
 description WAN
 ip address 79.170.?.?? 255.255.255.248
 ip nat outside
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description LAN
 ip address 192.168.250.1 255.255.255.0
 ip nat inside
 ip route-cache flow
 ip policy route-map HTTP
 half-duplex
!
router rip
 network 192.168.200.0
 network 192.168.250.0
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 192.168.250.1 192.168.250.2
ip classless
ip route 0.0.0.0 0.0.0.0 79.170.?.??
ip route 62.??.??.?? 255.255.255.255 192.168.200.1
no ip http server
!
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 8080
route-map HTTP permit 10
 match ip address 110
 set ip next-hop 62.68.64.10
!
route-map HTTP permit 20
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Proxy2.jpg
4ntelAsked:
Brain2000Commented:
Let's take a crack at this.  First, change the tunnel addresses so they don't conflict with your internal IP addresses:

(on the datacenter proxy router)
Interface Tunnel10
  ip address 10.0.0.1 255.255.255.252

On the router at the other end of the tunnel, you'll need the other tunnel IP address

(at the remote site where the tunnel is hooked to)
Interface Tunnel10
 ip address 10.0.0.2 255.255.255.252

Now make sure you can ping 10.0.0.1 from the datacenter router, and vice versa.  If you can't, check the tunnel source/destination that they are valid.

Now, you are going to have to add another subnet to your 192.168.250.x/24 subnet.  For example, you can have 192.168.250.x/23 at the computers located at the remote site, and 192.168.251.x/23 at the computers located at the datacenter.  However, the router will need to have the subnets set at /24.  That way the router will know how and when to route them, yet the computers at both sides can communicate as if they were in the same subnet.


Make sure proxy-arp is enabled at the datacenter and add a static route to the remote 192.168.251.x network.

Interface Ethernet1/0
 ip proxy-arp
ip route 192.168.251.0 255.255.255.0 10.0.0.2


At the remote router, set the IP address on its LAN to the following:

Interface Ethernet1/0 (assuming this is the LAN interface on that router)
 ip address 192.168.251.1 255.255.255.0
 ip proxy-arp
ip route 192.168.250.0 255.255.255.0 10.0.0.1


Make sure you can ping both 192.168.251.1 and 192.168.250.1 from either router.  This traffic should be traveling through the tunnel.


Set up computers at the datacenter with 192.168.250.x 255.255.254.0 and the computers at the remote location with 192.168.251.x 255.255.254.0.


If all went well up to this point, the computers from both labs should be able to ping each other as if they were on the same subnet.  


Also, you can probably remove this line, unless you still need it for some reason.

 ip nat inside source static 192.168.250.1 192.168.250.2
Brain2000Commented:
I was thinking about this question.  Are you sure you even want a transparent proxy?  Or are you thinking more of a layer 2 switch being forwarded over the internet to the other lab?  If so, L2TPv3 will give you what you want.  Keep in mind that everything layer 2 with MAC addresses goes through it, including local LAN broadcast traffic.
rustamonlineCommented:
You can route all your traffic over the Datacenter (DC) router by doing a VPN to the DC. In this case you do not need a transparent proxy.
However, if you really need to pass your data traffic over the DC's server, run a VPN service and a proxy service on the DC's server. Then connect to the server with the VPN and route all traffic over that VPN connection. Your proxy service can handle your web traffic transparently. Squid can do it for you.

Regards,
Rustamjon.
4ntelAuthor Commented:
Brain2000:

L2TPv3 will forward all traffic to the DC; this will make high delay. I need to forward only HTTP traffic to the proxy and all other traffic outside the tunnel.
4ntelAuthor Commented:
rustamonline:

A VPN will make high delay.
Brain2000Commented:
If you just want a transparent proxy, my first post shows that.  But based on what you are saying, I still don't think you want a transparent proxy because you said that you need to forward "http traffic" to the transparent proxy.  Let me explain further:

First, a transparent proxy is never forwarded to.  It is "transparent", and therefore plucks traffic off your lan and automatically forwards it.  It basically is "extending" your LAN, transparently.

Second, the proxy can only forward traffic based on layer 3, not layer 4 settings.  Meaning, it cannot transparently proxy for only a specific TCP port.  It only forwards based on IP addresses.

It sounds to me like you want a router that will send http traffic straight to the internet, and all other traffic over a tunnel.  Is that correct?  If so, that's not called a transparent proxy.  That's just a router.
rustamonlineCommented:
The current configuration does not allow you to route based on layer 4.
Brain2000Commented:
At this point, if you would, clarify exactly what you are trying to do so I can provide a config change to match.

I have a gut feeling that we'll set up policy-based routing in order to handle what you are looking for.  Please let me know what you are trying to set up?
4ntelAuthor Commented:

Dear Brain2000:
I want to send only HTTP traffic to the proxy, and all other traffic straight to the internet.
Brain2000Commented:
I think I'm getting it now. That's not a transparent proxy. That's an HTTP proxy server.

You need policy-based routing on the router. It will allow all traffic to flow through except port 80, which will go to the HTTP proxy instead. I need to know a couple of things to make you some config changes. One, how is the HTTP proxy hooked to the internet? Does it also go through the router or do you have a second line? Also, I need the IP address of the HTTP proxy.
4ntelAuthor Commented:
Yes, it's hooked to the internet through the router.
The proxy IP is 62.68.64.10.
Brain2000Commented:
Sorry for the delay.  I've been out for a couple of days.

Assume the ethernet interface is fa0/0.  We'll route both HTTP and HTTPS traffic through the proxy server.  Also, your router must have an IP address on the same subnet as the http proxy.  For example, 62.68.64.1/24.


interface fa0/0
  ip policy route-map PROXY
!
ip access-list extended OUTBOUND_HTTP
  remark *** THE PROXY ITSELF MUST BE ABLE TO PASS 80/443 THROUGH ***
  deny tcp host 62.68.64.10 any
  remark *** BUT ALL OTHER SYSTEMS MUST BE CAUGHT TO REDIRECT TO THE PROXY ***
  permit tcp any any eq 80
  permit tcp any any eq 443
!
route-map PROXY permit 10
  match ip address OUTBOUND_HTTP
  set ip next-hop 62.68.64.10
!
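The accepted configuration works because of two IOS evaluation rules that are easy to get wrong: an extended ACL is scanned top to bottom with first match winning (and an implicit `deny ip any any` at the end), and a route-map sequence with no `match` clause matches everything. The `deny tcp host 62.68.64.10 any` entry is what stops the proxy's own outbound fetches from being policy-routed back to the proxy, i.e. a forwarding loop, once the policy sits on the interface the proxy's traffic enters. The model below is an added example, not the answer's configuration or anything from the thread: it encodes both the asker's `route-map HTTP` / `access-list 110` and the answer's `route-map PROXY` / `OUTBOUND_HTTP` and evaluates constructed sample flows against each to show which next hop IOS would choose. It assumes `eq www` means TCP port 80 (the `PORT_NAMES` table is the example's own) and that all four sample flows arrive on the interface carrying the `ip policy` statement; the destination 203.0.113.5 is a documentation address picked for the example. Two caveats the model also makes visible: the PBR only matches on destination port, so web traffic on other ports bypasses the proxy, and `set ip next-hop` expects a directly reachable next hop, which is why the answer insists the router have an address on the proxy's subnet (newer releases offer `set ip next-hop recursive` for a non-adjacent hop).

```python
"""Offline model of how an IOS policy route-map plus extended ACL chooses a next hop.

Added example for the thread above; it is not the accepted answer's config and
only covers the ACL syntax that appears in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the thread ("eq www"); table is the example's own.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # value of an "eq <port>" clause, else None


def _parse_addr(tok: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24
    netmask = (~int(ipaddress.IPv4Address(tok[i + 1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{tok[i]}/{ipaddress.IPv4Address(netmask)}", strict=False)
    return net, i + 2


def parse_ace(line: str) -> Ace:
    """Parse one entry: permit|deny <proto> <src> <dst> [eq <port>]."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and (ace.dport is None or ace.dport == flow.dport))


def acl_permits(acl: list[Ace], flow: Flow) -> bool:
    """First matching entry wins; an unmatched flow hits the implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False


def next_hop(route_map: list[dict], acls: dict[str, list[Ace]], flow: Flow) -> str:
    """Walk the sequences in order. A sequence with no match clause (like
    'route-map HTTP permit 20') matches everything; a matching sequence with no
    'set ip next-hop' means the packet gets ordinary destination routing."""
    for seq in route_map:
        acl_name = seq.get("match")
        if acl_name is None or acl_permits(acls[acl_name], flow):
            return seq.get("next_hop", "normal-routing")
    return "normal-routing"


# The asker's route-map HTTP / access-list 110 ("eq www" is port 80).
ASKER_ACLS = {"110": [parse_ace("permit tcp any any eq www"),
                      parse_ace("permit tcp any any eq 8080")]}
ASKER_MAP = [{"match": "110", "next_hop": "62.68.64.10"}, {}]

# The accepted answer's route-map PROXY / OUTBOUND_HTTP.
ANSWER_ACLS = {"OUTBOUND_HTTP": [parse_ace("deny tcp host 62.68.64.10 any"),
                                 parse_ace("permit tcp any any eq 80"),
                                 parse_ace("permit tcp any any eq 443")]}
ANSWER_MAP = [{"match": "OUTBOUND_HTTP", "next_hop": "62.68.64.10"}]

# Constructed sample flows: only 62.68.64.10 and the 192.168.250.0/24 LAN come
# from the thread; 203.0.113.5 is a documentation address chosen for the example.
SAMPLE_FLOWS = {
    "lan_http":   Flow("192.168.250.20", "203.0.113.5", "tcp", 80),
    "lan_https":  Flow("192.168.250.20", "203.0.113.5", "tcp", 443),
    "lan_ssh":    Flow("192.168.250.20", "203.0.113.5", "tcp", 22),
    "proxy_http": Flow("62.68.64.10", "203.0.113.5", "tcp", 80),  # proxy fetching for a client
}


def decisions(route_map: list[dict], acls: dict[str, list[Ace]]) -> dict[str, str]:
    """Next hop chosen for each sample flow under the given policy."""
    return {name: next_hop(route_map, acls, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rm, acls in (("asker", ASKER_MAP, ASKER_ACLS), ("answer", ANSWER_MAP, ANSWER_ACLS)):
        print(label, decisions(rm, acls))
```

Under the asker's policy the `proxy_http` flow is sent to 62.68.64.10, the proxy itself, which is the loop the answer's `deny` entry prevents; under the answer's policy it falls through to normal routing while LAN clients' 80 and 443 traffic is diverted. The `lan_ssh` flow is never permitted by either ACL, so it reaches the end of the route-map and is routed normally, which is the "all other traffic straight to the internet" behaviour the asker wanted.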
4ntelAuthor Commented:
thanks for your help