Require web traffic through proxy with exceptions on Cisco IOS

By michael
I have a Cisco 871w router that provides my SOHO location internet access. I have a proxy/filtering solution as well (Dansguardian installed on an Ubuntu server). I want to require that all web-bound (port 80/443) traffic goes through the proxy, but need to provide some exceptions as certain OK sites don't work via the proxy. I have created an access-list that successfully keeps non-proxy traffic from reaching the internet, but it doesn't allow exceptions by domain name (maintaining individual destination IPs as exceptions would be highly unmanageable).

I've looked into Cisco IOS URL filtering, but it doesn't seem to allow permits based on IP address and only blocks or allows entire web sites regardless of source address.

The access-list is below. Does anyone have any ideas on how to accomplish this? Thanks.

ip access-list extended proxy
 permit tcp host 192.168.254.253 any eq 80
 deny tcp any any eq 80
 permit tcp host 192.168.254.253 any eq 443
 deny tcp any any eq 443
 permit ip any any

Obviously, the proxy server is 192.168.254.253.

IOS version: 12.4(15)T1
(c870-advipservicesk9-mz.124-15.T1.bin)

All Answers

How to

by gerainte_25 In reply to Require web traffic throu ...

Please find a guide here
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/prod_white_paper0900aecd804abb11.html

Hope this helps

IOS URL filtering?

by michael In reply to How to

Thanks. As I alluded to in my original post, I don't think URL filter accomplishes what I'm after. I basically want to tell the router, "block all inside port 80/443 requests unless they come from this specific IP address (the proxy server) unless the request is for one of these websites." Access-lists don't do URLs and URL filtering doesn't match the inside source address (to see if it's the proxy server) - it just allows me to list good/bad URLs.

Port 80 blocking

by tony In reply to IOS URL filtering?

Any luck with this?

Any luck?

by michael In reply to Port 80 blocking

No. I don't have too many to exclude, fortunately, so I resolve them to their IP address and allow them that way. Not elegant, but working.
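
The workaround from the last reply (resolve each exception site to its addresses and permit those ahead of the deny lines), as an added example that is not part of the original thread. The function names, the `remark` lines and the sample hostnames and addresses are constructed for illustration; only the proxy address and the five original ACL entries come from the post.

```python
import ipaddress
import socket

PROXY = "192.168.254.253"   # proxy server address from the original post
WEB_PORTS = (80, 443)

def resolve(hostname):
    """Live DNS lookup (hypothetical helper): sorted IPv4 addresses for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)

def build_acl(exceptions, name="proxy", proxy=PROXY):
    """Return IOS config lines for the ACL.

    exceptions maps hostname -> list of IPv4 address strings.
    IOS ACLs are first-match, so the per-site permits are emitted
    before the deny lines that block direct web traffic.
    """
    lines = [f"ip access-list extended {name}"]
    seen = set()
    for host in sorted(exceptions):
        lines.append(f" remark exception: {host}")
        # Sorting by IPv4Address also rejects malformed addresses (ValueError).
        for addr in sorted(set(exceptions[host]), key=ipaddress.IPv4Address):
            if addr in seen:          # two sites can share one address
                continue
            seen.add(addr)
            for port in WEB_PORTS:
                lines.append(f" permit tcp any host {addr} eq {port}")
    # The original five entries: only the proxy may reach other web servers.
    for port in WEB_PORTS:
        lines.append(f" permit tcp host {proxy} any eq {port}")
        lines.append(f" deny tcp any any eq {port}")
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), so this runs
    # offline. In real use: {h: resolve(h) for h in exception_hostnames}
    sample = {
        "updates.example": ["198.51.100.8", "198.51.100.7"],
        "app.example": ["203.0.113.10"],
    }
    print("\n".join(build_acl(sample)))
```

Sites can change the addresses they resolve to, so the generated entries need to be rebuilt and reapplied when an exception stops working.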
