[c-nsp] Forwarding http traffic to web filtering service
Bill Nash
billn at billn.net
Wed Jun 20 11:02:27 EDT 2007
If your device doesn't support WCCP, you can emulate this with a NAT
directive in your ASA. I don't know the specific syntax offhand (I've no
PIX's in my network), but the iptables equivalent is:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.100.1:3128
I don't think your route-map option will work, incidentally, unless you're
changing the next-hop to the inside interface of a NAT layer that
implements what I describe above.
- billn
On Wed, 20 Jun 2007, Adrian Chadd wrote:
> On Wed, Jun 20, 2007, Brian wrote:
> > We're trying to forward all http traffic to a web filtering service on the
> > Internet. They require the http traffic forwarded to a name and then
> > forwarded to port 3128. I was thinking of creating a route-map and setting
> > the next-hop to be the IP address. How can I also forward this traffic to a
> > specific port from my router (or my ASA) so it acts somewhat like a proxy?
> > Also, is there a way to point to the name rather than an IP address?
>
> Look at WCCPv2 support. Almost all cisco routers these days support it
> in some form or other. (My 827 here at home, for example, doesn't. :)
> I believe later ASA (7.x?) supports WCCPv2.
>
> Many web proxies have WCCP/WCCPv2 support. I can help you with Squid, if
> that's what it is on port 3128, or you can talk to your vendor.
>
> With WCCPv2, the proxy actually asks the router (nicely!) to join the
> service group; so you don't have to hard-code in an IP in the router
> (unless you specifically lock it down with an ACL) and you can use
> MD5 passwords to further limit joining the service group. You can
> (assuming the proxy software supports it) run >1 proxy talking to >1
> router. This gives you failover and load balancing/distribution.
> (Which is what I guess you want to point it at a name for rather
> than an IP address.)
>
> All in all, it's a much better alternative to route-map next-hop
> forwarding. Although there's apparently a method to do a conditional
> next-hop depending on a rtr object (ICMP ping, for example) but the
> one setup I wanted to use it for (on the 3560 switch) turned out to
> be documented, but then documented as a documentation mistake and
> not implemented.
>
> Adrian
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
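Bill's DNAT emulation written out as a reusable shell function, with the two things a practitioner usually has to add to the bare rule: a guard so the proxy's own HTTP traffic is not redirected back to itself, and a source-NAT for the case where clients and proxy share a subnet (otherwise the proxy answers the client directly and the client drops the reply). This is an added example, not code from the thread; eth1 and 192.168.100.1:3128 are taken from Bill's rule, the IPT dry-run variable and the same_subnet switch are my additions.

```shell
#!/bin/sh
# IPT defaults to 'echo' so the generated rules are printed for review.
# On the NAT box, run with IPT=iptables to apply them.
IPT="${IPT:-echo}"

# redirect_http IN_IF PROXY_IP PROXY_PORT [same_subnet=yes|no]
# Sends every TCP/80 flow entering IN_IF to PROXY_IP:PROXY_PORT.
# DNAT needs an address, not a name: if the filtering service is given
# by name (as in Brian's question), resolve it when installing the rule,
# e.g. PROXY_IP=$(getent hosts filter.example.net | awk '{print $1}').
redirect_http() {
  in_if="$1"; proxy_ip="$2"; proxy_port="$3"; same_subnet="${4:-no}"

  # Loop guard: if the proxy is reachable through IN_IF, its own
  # outbound fetches would otherwise match the redirect below.
  $IPT -t nat -A PREROUTING -i "$in_if" -s "$proxy_ip" \
    -p tcp --dport 80 -j RETURN

  # The redirect itself (Bill's rule).
  $IPT -t nat -A PREROUTING -i "$in_if" -p tcp --dport 80 \
    -j DNAT --to-destination "${proxy_ip}:${proxy_port}"

  # Return-path fix for a proxy on the clients' subnet: masquerade the
  # redirected flows so the proxy replies via this box, which undoes the
  # DNAT. Costs the proxy the real client IP in its logs, so only enable
  # it when the topology requires it.
  if [ "$same_subnet" = yes ]; then
    $IPT -t nat -A POSTROUTING -o "$in_if" -p tcp -d "$proxy_ip" \
      --dport "$proxy_port" -j MASQUERADE
  fi
}

# Dry run with the values from Bill's rule; proxy on a different segment.
redirect_http eth1 192.168.100.1 3128 no
```

Verify the installed chain afterwards with `iptables -t nat -S PREROUTING`; the RETURN rule must appear before the DNAT rule.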