[c-nsp] Forwarding http traffic to web filtering service

Aman Chugh aman.chugh at gmail.com
Thu Jun 21 01:48:50 EDT 2007


Something like Websense, which can sit on any network and work: Websense can
see all traffic from any VLAN as it gets requests from the router and replies
back to the router, and the router routes traffic to the respective ISPs
based on PBR. Is that doable with a WCCP-capable web proxy?

On 6/21/07, a. Rahman Isnaini r. sutan <risnaini at speed.net.id> wrote:
>
> > Will I be able to use my local proxy with WCCP for traffic coming from all
> > VLANs and then route it through the respective ISP using PBR.
>
> ip wccp web-cache redirect out, applied on the interface which is connected to
> your upstream.
> It can be applied on both and redirect any port 80 traffic you want to the WCCP
> proxy server.
> As far as I know the server will only present one IP address, which will not
> be balanced through two ISPs as it belongs to one ISP (one path), CMIIW.
>
> - a. rahman isnaini r. sutan
> speed internet digital
> jakarta, indonesia
>
> ----- Original Message -----
> From: "Aman Chugh" <aman.chugh at gmail.com>
> To: <cisco-nsp at puck.nether.net>
> Sent: Thursday, June 21, 2007 11:36 AM
> Subject: Re: [c-nsp] Forwarding http traffic to web filtering service
>
>
> > Yes, it would be slow if the proxy is in the US and clients in India; I can
> > use a local box. What would be my options for a local box apart from Squid?
> > Also, will this topology work if I have PBR and two ISPs on my router? I have
> > different VLANs routed through different ISPs using PBR. Will I be able to
> > use my local proxy with WCCP for traffic coming from all VLANs and then
> > route it through the respective ISP using PBR?
> >
> > ISP 1     ISP 2
> >  |              |
> > Cisco IOS FIREWALL ----- WCCP
> >           |
> >       Switch (VLANS )
> >
> > Thanks for the help.
> >
> > Aman
> >
> > On 6/21/07, Rolf Mendelsohn <rolf-web at cyberops.biz> wrote:
> >>
> >> Hi Guys,
> >>
> >> I strongly suspect that from a topology perspective the following would be
> >> best / simplest.
> >>
> >>
> >> OUTSIDE(S)
> >>        |
> >>   Cisco------WCCP_Box
> >>        |
> >> INSIDE(S)
> >>
> >> I would say put it on a separate Ethernet or VLAN. Then you can ACL it for
> >> security, inside/outside packets work that way, easier to troubleshoot etc.
> >> etc.
> >>
> >> Lastly bear in mind that if you offer 'Dedicated' or CIR bandwidth & shared
> >> bandwidth, then the CIR or Gold should be denied (via ACL) from being
> >> cached. Otherwise it falls into the same 'pool' as the rest.
> >>
> >> Also watch out, there are always 1-10 funny/very strange applications which
> >> *can* break in strange ways, so let your customers know that you are using
> >> a transparent proxy & if you come across an HTTP related problem which is
> >> unexplainable, try and deny those addresses from being proxied.
> >>
> >> Also try and deny prefixes which are local, i.e. only use the proxy on
> >> your 'expensive' international traffic interface(s).
> >>
> >> HTH
> >> /rolf
> >>
> >> On Wednesday 20 June 2007 21:37:13 Bill Nash wrote:
> >> > Take a look at this:
> >> >
> >>
> >> > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-80c70feffdac51169ae17379761ad9e32e5025ed
> >> >
> >> > - billn
> >> >
> >> > On Wed, 20 Jun 2007, Brian wrote:
> >> > > How does the WCCP redirect work on the ASA?  I want to forward all http
> >> > > traffic to a specific IP address on the Internet and also forward that
> >> > > traffic to port 3128.  I don't see a command to point to an IP address
> >> > > under wccp.
> >> > >
> >> > > On 6/20/07, Brian <bms314 at gmail.com> wrote:
> >> > > > Thanks for all the replies.  I will try to enable WCCP on our ASA
> >> > > > later today.  Does anyone have a working config for this in production?
> >> > > >
> >> > > > On 6/20/07, Bill Nash <billn at billn.net> wrote:
> >> > > > > If your device doesn't support WCCP, you can emulate this with a NAT
> >> > > > > directive in your ASA. I don't know the specific syntax offhand (I've
> >> > > > > no PIXes in my network), but the iptables equivalent is:
> >> > > > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.100.1:3128
> >> > > > >
> >> > > > > I don't think your route-map option will work, incidentally, unless
> >> > > > > you're changing the next-hop to the inside interface of a NAT layer
> >> > > > > that implements what I describe above.
> >> > > > >
> >> > > > > - billn
> >> > > > >
> >> > > > > On Wed, 20 Jun 2007, Adrian Chadd wrote:
> >> > > > > > On Wed, Jun 20, 2007, Brian wrote:
> >> > > > > > > We're trying to forward all http traffic to a web filtering
> >> > > > > > > service on the Internet.  They require the http traffic forwarded
> >> > > > > > > to a name and then forwarded to port 3128.  I was thinking of
> >> > > > > > > creating a route-map and setting the next-hop to be the IP
> >> > > > > > > address.  How can I also forward this traffic to a specific port
> >> > > > > > > from my router (or my ASA) so it acts somewhat like a proxy?
> >> > > > > > >
> >> > > > > > > Also, is there a way to point to the name rather than an IP
> >> > > > > > > address?
> >> > > > > >
> >> > > > > > Look at WCCPv2 support. Almost all cisco routers these days
> >> > > > > > support it in some form or other. (My 827 here at home, for
> >> > > > > > example, doesn't. :) I believe later ASA (7.x?) supports WCCPv2.
> >> > > > > >
> >> > > > > > Many web proxies have WCCP/WCCPv2 support. I can help you with
> >> > > > > > Squid, if that's what it is on port 3128, or you can talk to your
> >> > > > > > vendor.
> >> > > > > >
> >> > > > > > With WCCPv2, the proxy actually asks the router (nicely!) to join
> >> > > > > > the service group; so you don't have to hard-code in an IP in the
> >> > > > > > router (unless you specifically lock it down with an ACL) and you
> >> > > > > > can use MD5 passwords to further limit joining the service group.
> >> > > > > > You can (assuming the proxy software supports it) run >1 proxy
> >> > > > > > talking to >1 router. This gives you failover and load
> >> > > > > > balancing/distribution. (Which is what I guess you want to point
> >> > > > > > it at a name for rather than an IP address.)
> >> > > > > >
> >> > > > > > All in all, it's a much better alternative to route-map next-hop
> >> > > > > > forwarding. Although there's apparently a method to do a
> >> > > > > > conditional next-hop depending on a rtr object (ICMP ping, for
> >> > > > > > example), but the one setup I wanted to use it for (on the 3560
> >> > > > > > switch) turned out to be documented, but then documented as a
> >> > > > > > documentation mistake and not implemented.
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > Adrian
> >> > > > > >
> >> > > > > > _______________________________________________
> >> > > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> > > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> > > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
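The pieces of advice in the thread (Adrian's "lock it down with an ACL" plus an MD5 password, Isnaini's `redirect out` on the upstream interfaces, Rolf's separate proxy VLAN and his bypasses for local prefixes, CIR customers and applications that break behind a transparent proxy) written out as one IOS configuration. This is an added example and not a config from anyone in the thread. Every address, interface name, ACL name and the password are assumed placeholders: the proxy is 192.168.100.1 on VLAN 100, the router's address on that VLAN is 192.168.100.254, client VLANs live in 10.0.0.0/8, 10.50.0.0/16 stands in for the "Gold"/CIR customers, 203.0.113.0/24 for a local peering prefix, and 198.51.100.20 for one destination that has to be excluded.

```cisco
! Added example, not from the thread. All addresses, names and the password
! below are assumed placeholders.
!
! group-list: only this host may join the web-cache service group, so a rogue
! box on the network cannot register itself as "the proxy" and receive every
! port-80 session. The password is an MD5 shared secret on every WCCP message.
ip access-list standard WCCP-PROXIES
 permit 192.168.100.1
!
! redirect-list: what actually gets intercepted. Evaluated top-down, so the
! bypasses come first and the catch-all for port 80 last.
ip access-list extended WCCP-REDIRECT
 remark never intercept the proxy's own outbound fetches (redirect loop)
 deny   tcp host 192.168.100.1 any eq www
 remark local / peering prefix: not worth proxying (Rolf)
 deny   tcp any 203.0.113.0 0.0.0.255 eq www
 remark CIR / "Gold" customers are not cached (Rolf)
 deny   tcp 10.50.0.0 0.0.255.255 any eq www
 remark one destination that misbehaves behind the transparent proxy (Rolf)
 deny   tcp any host 198.51.100.20 eq www
 permit tcp any any eq www
!
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-PROXIES password 0 ChangeMe
!
! "redirect out" on each upstream (Isnaini). The packet has already been
! PBR'd onto ISP1 or ISP2 by the time WCCP looks at it, so only traffic that
! is really leaving towards the Internet is redirected.
interface GigabitEthernet0/1
 description upstream ISP1
 ip wccp web-cache redirect out
!
interface GigabitEthernet0/2
 description upstream ISP2
 ip wccp web-cache redirect out
!
! The proxy sits on its own VLAN (Rolf's topology). "redirect exclude in"
! guarantees that packets arriving from the proxy are never redirected again,
! and the input ACL limits what that segment may send to the rest of the net.
interface GigabitEthernet0/0.100
 description WCCP proxy VLAN
 encapsulation dot1Q 100
 ip address 192.168.100.254 255.255.255.0
 ip wccp redirect exclude in
 ip access-group PROXY-VLAN-IN in
!
ip access-list extended PROXY-VLAN-IN
 remark WCCP control (UDP 2048) and GRE-encapsulated returns to this router
 permit udp host 192.168.100.1 host 192.168.100.254 eq 2048
 permit gre host 192.168.100.1 host 192.168.100.254
 remark the proxy's own fetches of content from the Internet
 permit tcp host 192.168.100.1 any
 remark intercepted replies leave the proxy with the origin server as source
 permit tcp any eq www 10.0.0.0 0.255.255.255
 deny   ip any any log
```

Two things to keep in mind with this layout. First, the last `permit` in PROXY-VLAN-IN is there because an intercepting proxy answers clients with the original web server's address as source, not its own, so unicast RPF on that VLAN would drop those replies and must stay off. Second, the proxy's own fetches originate from 192.168.100.1 on a VLAN that has no PBR, so intercepted HTTP follows the default route to one ISP regardless of which client VLAN asked for it, which is exactly the limitation Isnaini describes; per-VLAN ISP selection is preserved only for the traffic the redirect-list does not intercept. On the Squid side the matching directives are `wccp2_router 192.168.100.254`, `wccp2_service standard 0 password=ChangeMe` and an `http_port 3128 transparent` (2.6/3.0 syntax), with a GRE tunnel from the router terminated on the Squid host and the port-80 arrivals on it redirected to 3128 in the kernel's NAT table. On an ASA (7.2 and later) the equivalent keywords are `wccp web-cache redirect-list ... group-list ... password ...` and `wccp interface inside web-cache redirect in`; the ASA only redirects on ingress.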


More information about the cisco-nsp mailing list