need help with redirecting port 80 traffic

I've been working on this for a while now, but have made no progress. I have a small regional Wifi network; the field units (private IP) all talk to a Cisco 7301 where I use ip nat to get them to go out the 7301's public WAN interface.

There is a company that I want to work with who can provide web content filtering, as well as access control. So they have a server at their location that I need to forward or redirect all my outbound port 80 traffic to. This server at their location, for argument's sake, is listening on public IP 5.6.7.9 TCP port 21453.

The company has supported configs for PIX/ASA, but not for Cisco Layer3 switches or routers.

I've looked at nat, ssg, wccp, and can't really find anything that does this. My 7301 is running the latest 12.4 IOS Adv Enterprise Edition.

In addition to my ip nat inside and ip nat outside on the two interfaces, I have:

ip nat inside source list OutboundNat interface FastEthernet1/1 overload

Where Fe1/1 is my WAN link, and OutboundNat matches the private IPs to nat.

Is there a way on the 7301 to easily forward all outbound port 80 traffic to 5.6.7.9 port 21453? The follow-up to this is that all other traffic (not port 80) should go out to the internet as normal.

Now I also have a 3750 switch much higher in the network topology that actually hands off the traffic to my ISP, so I could also do something at that layer as well, especially if the 7301 load is too much. Right now with my current NAT, the 7301s are at 8% CPU load.

Thanks, John

Reply to
essenz

Wow... I stumped the group! I'm at my wits ends with this. The company that provides the filtering has admitted that they have never gotten this to work on a non-ASA or non-PIX device.

They gave me some configs on how to do a DNAT, but it still doesn't work because the DNAT syntax can only redirect a specific IP port 80 to my external IP port 21453, but I need to match ALL IPs on port 80.

I also looked at route-maps, but if I go that route, I can't change the port?!

Reply to
essenz

I am not aware of anything in a router that will do this. I would look further into policy-based routing, but still think this is all traffic and not just port by port. The crux of the issue is that this is not a network problem or solution. What you are really doing here is an internet proxy, and you would set this in Active Directory to be a setting on the browsers. Any non-HTTP traffic would go out as normal, and HTTP would go to this external address. I don't see a way around this, as this is really asking for a router to re-write every port 80 packet to a new destination. I am fairly certain that if another option is available, someone on here will identify it.

Reply to
Trendkill

Perhaps you could use PBR to direct port 80 traffic towards another interface, and upstream from that (new) interface perform your NAT task?

Reply to
John Agosta

To the OP -

Why don't you post details of the provider and the pix configurations that are supposed to work? The knowledge and understanding required to magically interpret your request (if indeed there is sufficient information to unambiguously interpret it at all) is very substantial.

I suppose that there may be some ip nat outside source statement that might do the job but that would depend on the http containing sufficient information for the 'proxy' to send the packets on to the correct destination.

WCCP was designed for this - have you asked the provider if they support WCCP?

Reply to
bod43

Do you absolutely have to do this on your Cisco kit? If not, try doing it with iptables:

formatting link

Reply to
alexd
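The iptables approach alexd mentions, written out as an added example (not from the thread or the provider). It assumes a Linux box routing between the Wifi LAN and the WAN, with interface names eth1/eth0 and a 10.0.0.0/8 private range as placeholders; 5.6.7.9:21453 is the provider's listener from the original post.

```shell
#!/bin/sh
# Added example: redirect every outbound TCP/80 flow from the private LAN to
# the filtering provider's listener, leaving all other traffic untouched.
# Interface names and the LAN range are assumptions; override via environment.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
PROXY_IP="${PROXY_IP:-5.6.7.9}"
PROXY_PORT="${PROXY_PORT:-21453}"

# Emit the rule set one command per line so it can be reviewed before use.
redirect_rules() {
    cat <<EOF
iptables -t nat -N HTTP_REDIRECT
iptables -t nat -A HTTP_REDIRECT -d $PROXY_IP -j RETURN
iptables -t nat -A HTTP_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j HTTP_REDIRECT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check: exactly one rule rewrites the destination (the DNAT).
count_dnat_rules() {
    redirect_rules | grep -c -- '-j DNAT'
}

# Sanity check: the rule that exempts traffic already addressed to the proxy
# must come before the DNAT, otherwise 5.6.7.9:80 would be rewritten too.
return_before_dnat() {
    redirect_rules | grep -n -- '-j RETURN\|-j DNAT' | head -n 1 | grep -q RETURN
}

case "${1:-}" in
    apply) redirect_rules | while IFS= read -r cmd; do $cmd; done ;;
    *)     redirect_rules ;;
esac
```

Because DNAT discards the original destination address, the provider's server only learns where the client wanted to go from the HTTP Host header, which is the dependency bod43 points out; run the script with `apply` as root to install the rules.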
