Flow data analysis from SolarWinds NetFlow Traffic Analyzer (NTA), along with Network Performance Monitor (NPM), can give you deeper visibility into your network’s traffic.
transparent proxy
Dears gents
How I can do transparent proxy as the attached diagram?
I tried to do mapping in the local router but it not success
Please find the attaché diagram and local router configuration
Regards
How I can do transparent proxy as the attached diagram?
I tried to do mapping in the local router but it not success
Please find the attaché diagram and local router configuration
Regards
Router#show running-config
Building configuration...
Current configuration : 1264 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging monitor
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface Tunnel110
description KBI tunnel
ip address 192.168.200.2 255.255.255.252
tunnel source Ethernet0/0
tunnel destination 80.??.??.?
!
interface Ethernet0/0
description WAN
ip address 79.170.?.?? 255.255.255.248
ip nat outside
half-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
description LAN
ip address 192.168.250.1 255.255.255.0
ip nat inside
ip route-cache flow
ip policy route-map HTTP
half-duplex
!
router rip
network 192.168.200.0
network 192.168.250.0
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 192.168.250.1 192.168.250.2
ip classless
ip route 0.0.0.0 0.0.0.0 79.170.?.??
ip route 62.??.??.?? 255.255.255.255 192.168.200.1
no ip http server
!
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 8080
route-map HTTP permit 10
match ip address 110
set ip next-hop 62.68.64.10
!
route-map HTTP permit 20
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
I was thinking about this question. Are you sure you even want a transparent proxy? Or are you thinking more of a layer 2 switch being forwarded over the internet to the other lab? If so, L2TPv3 will give you what you want. Keep in mind that everything layer2 with MAC addresses goes though it including local LAN broadcast traffic.
You can route all your traffic over Datacenter(DC) router by doing VPN to DC. In this case you do not need transparent proxy.
However if you really need to pass your data traffic over DC's server, run VPN service and proxy service on the DC's server. And connect to the server with VPN and route all traffic over that VPN connection. Your proxy service can handle your web traffic transparently. Squid can do it for you.
Regards,
Rustamjon.
However if you really need to pass your data traffic over DC's server, run VPN service and proxy service on the DC's server. And connect to the server with VPN and route all traffic over that VPN connection. Your proxy service can handle your web traffic transparently. Squid can do it for you.
Regards,
Rustamjon.
Brain2000:
L2TPv3 will forward all traffic to the DC this will make high delay I need to forward only http traffic to proxy and all another out of the tunnel
L2TPv3 will forward all traffic to the DC this will make high delay I need to forward only http traffic to proxy and all another out of the tunnel
If you just want a transparent proxy, my first post shows that. But based on what you are saying, I still don't think you want a transparent proxy because you said that you need to forward "http traffic" to the transparent proxy. Let me explain further:
First, a transparent proxy is never forwarded to. It is "transparent", and therefore plucks traffic off your lan and automatically forwards it. It basically is "extending" your LAN, transparently.
Second, The proxy can only forward traffic based on layer 3, not layer 4 settings. Meaning, it cannot transparently proxy for only a specific TCP port. It only forwards based on IP addresses.
It sounds to me like you want a router that will send http traffic straight to the internet, and all other traffic over a tunnel. Is that correct? If so, that's not called a transparent proxy. That's just a router.
First, a transparent proxy is never forwarded to. It is "transparent", and therefore plucks traffic off your lan and automatically forwards it. It basically is "extending" your LAN, transparently.
Second, The proxy can only forward traffic based on layer 3, not layer 4 settings. Meaning, it cannot transparently proxy for only a specific TCP port. It only forwards based on IP addresses.
It sounds to me like you want a router that will send http traffic straight to the internet, and all other traffic over a tunnel. Is that correct? If so, that's not called a transparent proxy. That's just a router.
At this point, if you would, clarify exactly what you are trying to do so I can provide a config change to match.
I have a gut feeling that we'll set up policy-based routing in order to handle what you are looking for. Please let me know what you are trying to set up?
I have a gut feeling that we'll set up policy-based routing in order to handle what you are looking for. Please let me know what you are trying to set up?
Dear Brain2000:
I want to send only http traffic to the proxy ,and all other traffic straight to the internet
I think I'm getting it now. That's not s transparent proxy. That's an http proxy server.
You need policy based routing on the router. It will allow all to flow through except port 80, which will go to the http proxy instead. I need to know a couple things to make you some config changes. One, how is the http proxy hooked to the internet? Does it also go through the router or do you have a second line? Also, I need the IP address of the http proxy.
You need policy based routing on the router. It will allow all to flow through except port 80, which will go to the http proxy instead. I need to know a couple things to make you some config changes. One, how is the http proxy hooked to the internet? Does it also go through the router or do you have a second line? Also, I need the IP address of the http proxy.
Sorry for the delay. I've been out for a couple of days.
Assume the ethernet interface is fa0/0. We'll route both HTTP and HTTPS traffic through the proxy server. Also, your router must have an IP address on the same subnet as the http proxy. For example, 62.68.64.1/24.
interface fa0/0
ip policy route-map PROXY
!
ip access-list extended OUTBOUND_HTTP
remark *** THE PROXY ITSELF MUST BE ABLE TO PASS 80/443 THROUGH ***
deny tcp host 62.68.64.10 any
remark *** BUT ALL OTHER SYSTEMS MUST BE CAUGHT TO REDIRECT TO THE PROXY ***
permit tcp any any eq 80
permit tcp any any eq 443
!
route-map PROXY permit 10
match ip address OUTBOUND_HTTP
set ip next-hop 62.68.64.10
!
Assume the ethernet interface is fa0/0. We'll route both HTTP and HTTPS traffic through the proxy server. Also, your router must have an IP address on the same subnet as the http proxy. For example, 62.68.64.1/24.
interface fa0/0
ip policy route-map PROXY
!
ip access-list extended OUTBOUND_HTTP
remark *** THE PROXY ITSELF MUST BE ABLE TO PASS 80/443 THROUGH ***
deny tcp host 62.68.64.10 any
remark *** BUT ALL OTHER SYSTEMS MUST BE CAUGHT TO REDIRECT TO THE PROXY ***
permit tcp any any eq 80
permit tcp any any eq 443
!
route-map PROXY permit 10
match ip address OUTBOUND_HTTP
set ip next-hop 62.68.64.10
!
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
(on the datacenter proxy router)
Interface Tunnel10
ip address 10.0.0.1 255.255.255.252
On the router at the other end of the tunnel, you'll need the other tunnel IP address
(at the remote site where the tunnel is hooked to)
Interface Tunnel10
ip address 10.0.0.2 255.255.255.252
Now make sure you can ping 10.0.0.1 from the datacenter router, and vice versa. If you can't, check the tunnel source/destination that they are valid.
Now, you are going to have to add another subnet to your 192.168.250.x/24 subnet. For example, you can have 192.168.250.x/23 at the computers located at the remote site, and 192.168.251.x/23 at the computers located at the datacenter. However, the router will need to have the subnets set at /24. That way the router will know how and when to route them, yet the computers at both sides can communicate as if they were in the same subnet.
Make sure proxy-arp is enabled at the datacenter and add a static route to the remote 192.168.251.x network.
Interface Ethernet1/0
ip proxy-arp
ip route 192.168.251.0 255.255.255.0 10.0.0.2
At the remote router, set the IP address on it's LAN to the following:
Interface Ethernet1/0 (assuming this is the LAN interface on that router)
ip address 192.168.251.1 255.255.255.0
ip proxy-arp
ip route 192.168.250.0 255.255.255.0 10.0.0.1
Make sure you can ping both 192.168.251.1 and 192.168.250.1 from either router. This traffic should be traveling through the tunnel.
Set up computers at the datacenter with 192.168.250.x 255.255.254.0 and the computers at the remote location with 192.168.251.x 255.255.254.0.
If all went well up to this point, the computers from both labs should be able to ping each other as if they were on the same subnet.
Also, you can probably remove this line, unless you still need it for some reason.
ip nat inside source static 192.168.250.1 192.168.250.2