Transparent Proxy on C3620

Hello

I have this situation:

Edge Router - DMZ side 172.16.0.14

DMZ Network 172.16.0.0/28. I have here some servers, for example:

  172.16.0.1 mail server
  172.16.0.8 backup server, etc.
  172.16.0.7 proxy-server (planned), listening on port 8080

C3620:
  ETH1/0 - to DMZ, 172.16.0.10/28, ip nat out
  ETH1/1 - to LAN (aka Main LAN), 192.168.1.254/24, ip nat in
  ETH1/2 - detachment LAN (aka secondary LAN), 192.168.200.1/28, ip nat in

I would like every user who connects from ETH1/1 or from ETH1/2 to go via the proxy transparently, without configuring anything on the PC. I have googled and I found the transparent proxy "function".

I tried to implement it, and tried to test an "smtp-redirect": to forward every request from the LAN (both primary and secondary) that is directed to a remote SMTP server (TCP 25) to the mail server that sits in the DMZ.

I configured it in this way (this is a summary of the config of the C3620 with an NM-4E and an NM-1FE-TX, running IOS 12.3(24)):

!
interface Ethernet1/0
 description DMZ Link
 ip address 172.16.0.10 255.255.255.240
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect OUT-IN in
 no ip mroute-cache
 full-duplex
 no cdp enable
 hold-queue 100 in
 hold-queue 100 out
!
interface Ethernet1/1
 description LAN Ethernet Link
 ip address 192.168.1.254 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip inspect IN-OUT in
 no ip mroute-cache
 ip policy route-map smtp-redirect
 full-duplex
 no cdp enable
 hold-queue 100 in
 hold-queue 100 out
!
interface Ethernet1/2
 description Wireless Link Point-to-Point to Santerno (RA)
 ip address 192.168.200.1 255.255.255.240
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip inspect IN-OUT in
 no ip mroute-cache
 half-duplex
 no cdp enable
 hold-queue 100 in
 hold-queue 100 out
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface Ethernet1/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.14
!
!
logging history debugging
logging trap debugging
logging facility syslog
logging 192.168.1.2
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.200.0 0.0.0.15 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.15 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny tcp any any neq smtp
access-list 130 deny tcp host 172.16.0.1 any
access-list 130 permit tcp any any
no cdp run
!
route-map smtp-redirect permit 10
 match ip address 130
 set ip next-hop 172.16.0.1

I am not able to make it work. In this "example" I tried to redirect every SMTP request (to remote port 25) to the mail server in the DMZ. I am not able to do that...

My planned idea is that every request going to remote port 80 or 443 is redirected to 172.16.0.7:8080.

Thank you to anyone who would help me :)

Reply to
Elia Spadoni
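As an added example (not code from the thread or from Cisco), here is a small Python model of the forwarding decision that the posted route-map and access-list 130 express. The sample packets, the TEST-NET destination address and the set of interfaces carrying `ip policy` are constructed assumptions taken from the posted config. It makes two things visible that the config does not: the route-map is consulted only for traffic arriving on Ethernet1/1, and `set ip next-hop` changes only the next hop, never the destination address in the IP header.

```python
# Added example: model of "ip policy route-map smtp-redirect" as posted above.
# Sample packets, 203.0.113.5 (TEST-NET-3) and the interface set are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ingress: str      # router interface the packet arrives on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

ANY = ("0.0.0.0", "255.255.255.255")
# access-list 130 as posted: (action, proto, src, src_wc, dst, dst_wc, port_op, port)
ACL_130 = [
    ("deny",   "tcp", *ANY, *ANY, "neq", 25),                      # deny tcp any any neq smtp
    ("deny",   "tcp", "172.16.0.1", "0.0.0.0", *ANY, None, None),   # deny tcp host 172.16.0.1 any
    ("permit", "tcp", *ANY, *ANY, None, None),                     # permit tcp any any
]

def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, swc, dst, dwc, op, port in acl:
        if proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
            continue
        if op == "neq" and pkt.dport == port:   # "neq 25" does not match port 25
            continue
        if op == "eq" and pkt.dport != port:
            continue
        return action == "permit"
    return False

# "ip policy route-map smtp-redirect" is configured on Ethernet1/1 only (assumed from the post).
POLICY_INTERFACES = {"Ethernet1/1"}

def forward(pkt: Packet) -> dict:
    """Where the router sends a packet for a remote destination, and what header it carries."""
    if pkt.ingress in POLICY_INTERFACES and acl_permits(ACL_130, pkt):
        # PBR rewrites only the next hop: the packet still carries pkt.dst, so the
        # mail server receives a segment that is not addressed to it.
        return {"next_hop": "172.16.0.1", "dst": pkt.dst, "policy_routed": True}
    return {"next_hop": "172.16.0.14", "dst": pkt.dst, "policy_routed": False}  # default route
```

Run `forward(Packet("Ethernet1/1", "192.168.1.10", "203.0.113.5", 25))` to see the redirected case keep its original destination; the same packet arriving on Ethernet1/2, or any packet to port 80, follows the default route.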

In article , Elia Spadoni wrote: [..]

An SMTP redirect is more complicated than this...

HTTP is much easier because of WCCP.

alan

Reply to
Alan Strassberg

Hello, I don't want to make it complicated...

I just wanted to forward any request from the LAN clients (from the canonic fast0/0 -> serial0/0, for example) to remote ports 80 and 443 to an IP in my DMZ (on the router's fast0/1), port 8080.

I am not able to find the right syntax.

Reply to
Elia Spadoni
