Re: Redirecting all Outgoing http traffic to an internal Web server
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Fri, 30 Mar 2007 03:04:16 GMT
In article <460C5FF1.7080309@xxxxxxxxx>, MC <mwclarke1@xxxxxxxxx> wrote:
> r_elder@xxxxxxxxx wrote:
> <r_el...@xxxxxxxxx> wrote in message
> news:1175031773.640820.305280@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I want to be able to redirect all outbound web traffic (except the
> proxy address) to an internal web server from the Pix 525 firewall.
> So the end result will be if an internal user tries to bypass the
> proxy, the firewall will forward them to a web server saying the proxy
> is not configured and to contact IS.
> There may be a way to use PAT (port address translation).
> Would have port 80 PAT to other port, like 8080 on the WEB server.
> PAT would reference an ACL that would except all but the proxy IP.
> Not sure if this would work like you want.
No, that won't work on a PIX or ASA.
When you configure a translation, you have to configure
a mask for the destination to be matched. When the translation
is activated, the actual destination is masked with that mask to
find the host offset within the network, and that same host offset
is used relative to the address to be translated to. For example,
if you translated 192.168.56.0 255.255.255.0 to 33.44.55.0
and the actual address was 192.168.56.42 then the 192.168.56.0
part would be masked off, giving an offset of 0.0.0.42, which would
be added to the target destination 33.44.55.0 to give a final
destination of 33.44.55.42.
Now, because you want to match port 80 "everywhere", you would be
using a destination IP of "any", which corresponds to the mask 0.0.0.0.
And any IP address masked with 0.0.0.0 is going to have a host
offset equal to the address itself unchanged. So whatever target
address you'd specified for the translation would have the original
IP address added to produce the translated IP. That's not going
to do you much good.
If the PIX 525 is running 6.x, there isn't any way to do what
the original poster wants without using Websense or N2H2, or
possibly the trick I mentioned in a posting the other day
of using url filter combined with a non-existent radius host.
If the PIX 525 is running 7.x, then starting in 7.2(1), WCCP Redirect
is supported, and the traffic could be redirected to a server
configured for WCCP.
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/uz_711.htm#wp1416115
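As an added illustration (not part of the post above), the host-offset arithmetic Walter describes, worked in Python: the 192.168.56.0 example from the post, and the "any" (mask 0.0.0.0) case that shows why the original address is simply added to the translation target. The 198.51.100.7 and 10.1.1.80 addresses are constructed for the demonstration.

```python
import ipaddress

# Mimic the PIX translation arithmetic from the post: the actual address is
# masked to find the host offset within the matched network, and that same
# offset is then added to the address being translated to.
def pix_translate(actual: str, matched_net: str, mask: str, target_net: str) -> str:
    a = int(ipaddress.IPv4Address(actual))
    n = int(ipaddress.IPv4Address(matched_net))
    m = int(ipaddress.IPv4Address(mask))
    t = int(ipaddress.IPv4Address(target_net))
    # The translation only fires when the actual address lies inside the
    # matched network; with mask 0.0.0.0 ("any") every address matches.
    if (a & m) != (n & m):
        raise ValueError(f"{actual} is outside {matched_net}/{mask}; no translation")
    host_offset = a & (~m & 0xFFFFFFFF)   # bits the mask does not cover
    # Added, not OR'ed, exactly as the post describes; wrap at 32 bits.
    return str(ipaddress.IPv4Address((t + host_offset) & 0xFFFFFFFF))

# The /24 example from the post: 192.168.56.42 -> 33.44.55.42
def post_example() -> str:
    return pix_translate("192.168.56.42", "192.168.56.0", "255.255.255.0", "33.44.55.0")

# The "any" case: mask 0.0.0.0 leaves the whole original address as the
# offset, so the constructed target 10.1.1.80 plus 198.51.100.7 yields
# an address that is neither the web server nor the original destination.
def any_destination_example() -> str:
    return pix_translate("198.51.100.7", "0.0.0.0", "0.0.0.0", "10.1.1.80")

if __name__ == "__main__":
    print("/24 example :", post_example())
    print("'any' example:", any_destination_example())
```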