Redirecting all Outgoing http traffic to an internal Web server

I want to be able to redirect all outbound web traffic (except the proxy address) to an internal web server from the Pix 525 firewall. So the end result will be if an internal user tries to bypass the proxy, the firewall will forward them to a web server saying the proxy is not configured and to contact IS.

Thanks in advance.

Reply to
r_elder
You can't do that with PIX 6.x, at least not without purchasing WebSense or N2H2. I don't know if it could be done with PIX 7.x.

Hmmm, one trick that just might work with PIX 6 is to configure authentication requirements for traffic on outbound port 80 except from your proxy server, with the RADIUS server just refusing to authenticate and using a reply message that told the user to contact your IS.

Here's a site that has a FreeRadius and PIX configuration sample you could adapt; it isn't designed exactly for what you are looking for, but it should give a good starting point.

Reply to
Walter Roberson

Usually if people want to enforce a proxy server, they just disable users' access to HTTP port 80. If you allow only the proxy server to go to web pages, then users will have no choice but to use the proxy.

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, Sun SCSA, Checkpoint CCSA, etc.

Reply to
headsetadapter.com

I know I can turn off port 80 at any time for everything but the proxy, but what I was trying to do is let the users know that the "Internet is not broken", you just need to get set up with the proxy, or as a reminder to people who have been going around the proxy that they need to use it.

Thanks,

Reply to
r_elder

There may be a way to use PAT (port address translation). It would have port 80 PAT to another port, like 8080 on the web server. PAT would reference an ACL that would except all but the proxy IP. Not sure if this would work like you want.

Reply to
MC

No, that won't work on a PIX or ASA.

When you configure a translation, you have to configure a mask for the destination to be matched. When the translation is activated, the actual destination is masked with that mask to find the host offset within the network, and that same host offset is used relative to the address to be translated to. For example, if you translated 192.168.56.0 255.255.255.0 to 33.44.55.0 and the actual address was 192.168.56.42 then the 192.168.56.0 part would be masked off, giving an offset of 0.0.0.42, which would be added to the target destination 33.44.55.0 to give a final destination of 33.44.55.42.

Now, because you want to match port 80 "everywhere", you would be using a destination IP of "any", which corresponds to the mask 0.0.0.0. And any IP address masked with 0.0.0.0 is going to have a host offset equal to the address itself unchanged. So whatever target address you'd specified for the translation would have the original IP address added to produce the translated IP. That's not going to do you much good.

If the PIX 525 is running 6.x, there isn't any way to do what the original poster wants without using Websense or N2H2, or possibly the trick I mentioned in a posting the other day of using url filter combined with a non-existent radius host.

If the PIX 525 is running 7.x, then starting in 7.2(1), WCCP Redirect is supported, and the traffic could be redirected to a server configured for WCCP.

Reply to
Walter Roberson
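To make the mask-and-offset arithmetic in the reply above concrete, here is an added Python model (not code from the thread or from Cisco) that applies the rule exactly as the post describes it: mask off the matched network, keep the host offset, add it to the translation target. The 32-bit addition and the sample addresses are assumptions for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def host_offset(actual_dst: str, mask: str) -> str:
    """Mask off the network part of the actual destination; what remains is
    the host offset the post describes (192.168.56.42 with 255.255.255.0
    gives 0.0.0.42; with 0.0.0.0 the whole address survives)."""
    offset = _to_int(actual_dst) & (~_to_int(mask) & MASK32)
    return str(ipaddress.IPv4Address(offset))


def translated_destination(actual_dst: str, matched_net: str,
                           mask: str, target: str) -> str:
    """Apply the host offset of actual_dst to the translation target.

    matched_net/mask is the destination the translation is configured for,
    target is the address it translates to. Addresses are added as 32-bit
    integers (a modelling assumption; wraparound is made explicit).
    """
    dst, net, m = _to_int(actual_dst), _to_int(matched_net), _to_int(mask)
    if dst & m != net & m:
        raise ValueError(f"{actual_dst} is not covered by {matched_net} {mask}")
    offset = dst & (~m & MASK32)
    return str(ipaddress.IPv4Address((_to_int(target) + offset) & MASK32))


if __name__ == "__main__":
    # The /24 example from the post: the host part carries over cleanly.
    print(translated_destination("192.168.56.42", "192.168.56.0",
                                 "255.255.255.0", "33.44.55.0"))
    # Destination "any" (mask 0.0.0.0), constructed addresses: the offset is
    # the entire original address, so the result is not the internal server.
    print(host_offset("198.51.100.7", "0.0.0.0"))
    print(translated_destination("198.51.100.7", "0.0.0.0",
                                 "0.0.0.0", "10.0.0.80"))
```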

Dears,

If you have a layer 3 that is going to forward the traffic to your pix, you can better configure a policy based route on your L3 saying that any traffic, or traffic from specific vlans, on port 80 or port 8080 (depending on what's your proxy port) be forwarded to the proxy ip which could be in another vlan. This is the easiest.

So that even if users don't configure the proxy, they would be forced to use the proxy to surf, which means they cannot bypass the proxy.

For this to be effective, there should be a single team managing both L3 and pix.

Reply to
ciscosec

We do the same thing where I work. All we do is block www traffic by all hosts except the proxy server. Then for configuring, we put it in login scripts (I assume you have Windows clients) that set the proxy ip address and port. If you have random 'outside' clients, then you'll have to look for something more dynamic. I know you can do redirects with a linux firewall, but I assume you're looking for the cisco solution.

Good luck,

Aaron

Reply to
Mysticmoose06