Is the FAQ right on how to set up transparent proxying with Cisco ???

From: Armistead, Jason <ARMISTEJ@dont-contact.us>
Date: Thu, 15 Jan 1998 18:02:00 -0500

Hi

I have a question about the FAQ, in relation to its accuracy.

        Transparent proxying with Cisco

        by John Saunders

[snip lead in stuff]

        First define a route map with a name of proxy-redirect (name
        doesn't matter) and specify the next hop to be the machine
        Squid runs on.

                !
                route-map proxy-redirect permit 10
                 match ip address 110
                 set ip next-hop 203.24.133.2
                !

OK, I agree with this

        Define an access list to trap HTTP requests. The first line
        allows the Squid host direct access so a routing loop is not formed.

I think this statement is wrong. The first line DENIES the cache host
203.24.132.2 from accessing WWW (port 80) ports on any target host.

                !
                access-list 110 deny tcp host 203.24.133.2 any eq www
                access-list 110 permit tcp any any eq www
                !

This is the other bit I don't agree with. Surely the cache host (in the
example 203.24.133.2) should be PERMITted to access the www port ? And
the rest given a DENY.

Or, am I confused because we don't want the cache host to be looped back
to itself by the MATCH in the ROUTE-MAP ? In any case the access-list
substance itself is right, but the comments about the access-list are
misleading (and wrong)

        Apply the route map to the ethernet interface.

                !
                interface Ethernet0
                 ip policy route-map proxy-redirect
                !

Again, this looks OK to me.

Perhaps an addition to the FAQ which explains HOW it works would help
e.g. packet from client goes to router, router checks source IP address
in access-list, sends it using next-hop to the proxy server. Packet
from proxy server goes to router, router checks source IP address in
access-list, sees that it matches proxy server, so doesn't allow the
route-map to work because proxy server is denied, so packet goes on its
way to BRI/Serial port via normal routing tables.... (I make no claim
that this description is correct, just a first draft example to
stimulate thoughts)

Anyone else care to comment/explain to a poor mortal such as I trying to
work out the inner secrets of Cisco IOS ?

Regards

Jason
Received on Thu Jan 15 1998 - 15:06:37 MST
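The behaviour Jason is asking about comes from how IOS uses an access list inside a route-map: a `deny` in the referenced ACL means "this packet does not match the route-map clause", so the packet is not redirected and falls through to ordinary destination-based routing; it is not dropped. The following Python model of the quoted route-map and access-list 110 is an added example, not part of the original post or the Squid FAQ; the client and destination addresses and the next-hop labels are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" / "udp"
    dport: int    # destination port


# access-list 110 from the FAQ excerpt, one ACE per tuple:
# (action, protocol, source spec, destination spec, destination port)
ACL_110 = [
    ("deny",   "tcp", "host 203.24.133.2", "any", 80),   # the Squid host itself
    ("permit", "tcp", "any",               "any", 80),   # everyone else's HTTP
]


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an IOS-style address spec ('any' or 'host A.B.C.D')."""
    if spec == "any":
        return True
    kind, value = spec.split()
    return kind == "host" and addr == value


def acl_lookup(acl, pkt: Packet) -> str:
    """First-match evaluation; every IOS access list ends in an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and _addr_matches(src, pkt.src)
                and _addr_matches(dst, pkt.dst) and dport == pkt.dport):
            return action
    return "deny"


def route_map_next_hop(pkt: Packet, acl, proxy_hop: str, normal_hop: str) -> str:
    """route-map proxy-redirect permit 10 / match ip address <acl> / set ip next-hop.

    Only an ACL *permit* satisfies 'match ip address'; a deny (explicit or
    implicit) leaves the packet to the normal routing table. Nothing is dropped.
    """
    return proxy_hop if acl_lookup(acl, pkt) == "permit" else normal_hop


if __name__ == "__main__":
    squid, default = "203.24.133.2", "serial0-default-route"   # constructed labels
    client_http = Packet("203.24.133.50", "198.51.100.10", "tcp", 80)  # constructed
    squid_http = Packet("203.24.133.2", "198.51.100.10", "tcp", 80)
    client_https = Packet("203.24.133.50", "198.51.100.10", "tcp", 443)
    for p in (client_http, squid_http, client_https):
        print(p.src, "->", route_map_next_hop(p, ACL_110, squid, default))
```

Run as a script it shows the client's HTTP request redirected to the Squid host, the Squid host's own outbound HTTP (denied by the first ACE) taking the normal route, and non-HTTP traffic untouched by the policy.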