Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Similar documents
Three interface Router without NAT Cisco IOS Firewall Configuration

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Sample Business Ready Branch Configuration Listings

Context Based Access Control (CBAC): Introduction and Configuration

How to configure MB5000 Serial Port Bridge mode

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Cisco IOS Firewall Authentication Proxy

Configuring Authentication Proxy

CONFIGURATION DU SWITCH

Bi-directional ADN Deployment Using WCCP with Reflect Client IP [Configuration Sample] Ken Fritz (PSS)

1. Which OSI layers offers reliable, connection-oriented data communication services?

Lab 8.5.2: Troubleshooting Enterprise Networks 2

WCCPv2 and WCCP Enhancements

Configuring Authentication Proxy

Lab Configuring Static Routes Instructor Version 2500

Assignment Six: Configure Hot Standby Router Protocol. Brian Dwyer. Morrisville State College

Configuring Authentication Proxy

CCNA Discovery 3 Chapter 8 Reading Organizer

Seattle Cisco Users Group

Extended ACL Configuration Mode Commands

co Configuring PIX to Router Dynamic to Static IPSec with

Secure ACS Database Replication Configuration Example

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Design and Implementation Plan for Network Based on the ALOHA Point of Sale System. Proposed by Jedadiah Casey. Introduction

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4

7 Filtering and Firewalling

Catalyst Switches for Microsoft Network Load Balancing Configuration Example

Configuring Secure (Router) Mode on the Content Switching Module

Implementing Firewall Technologies

Cisco Press CCIE Practical Studies CCIE Practice Lab: Skynet Solutions

Object Groups for ACLs

Chapter 6 Global CONFIG Commands

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1

1.1 Configuring HQ Router as Remote Access Group VPN Server

CCNA 1 Chapter 6 v5.0 Exam Answers 2013

Loading Internet Protocol Security (IPSec) (CDR-882/780/790/990 Cellular Router)

Lab Configuring and Verifying Extended ACLs Topology

Lab Establishing and Verifying a Telnet Connection Instructor Version 2500

Device Interface IP Address Subnet Mask Default Gateway. Ports Assignment Network

Network security session 9-2 Router Security. Network II

Configuring Transparent and Proxy Media Redirection Using ACNS Software 4.x

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

Cisco Press CCIE Practical Studies CCIE Practice Lab: Darth Reid Solutions

#include /opt/cscocnsie/templates/ethernet_setup.cfgtpl. Now, you could centralize all the administration for Ethernet configuration in one file.

How to Configure a Cisco Router Behind a Non-Cisco Cable Modem

Configuring IDS TCP Reset Using VMS IDS MC

VPN Connection through Zone based Firewall Router Configuration Example

CCNA Course Access Control Lists

Lab Troubleshooting IP Address Issues Instructor Version 2500

cable modem dhcp proxy nat on Cisco Cable Modems

Lab b Simple DMZ Extended Access Lists Instructor Version 2500

Configuring IOS Server Load Balancing with HTTP Probes in the Dispatched Mode

Seattle Cisco Users Group

Object Groups for ACLs

Configure the ASA for Dual Internal Networks

Fractional DS3. Version: 400. Copyright ImageStream Internet Solutions, Inc., All rights Reserved.

CCNA Security 1.0 Student Packet Tracer Manual

Teacher s Reference Manual

RealCiscoLAB.com. Inter-VLAN Routing with an Internal Route Processor and Monitoring CEF Functions

Configuring the Eight-Port FXS RJ-21 Module

CCNA Security PT Practice SBA

CCNA 1 Final Exam Answers UPDATE 2012 eg.2

Table of Contents. Cisco NAT Order of Operation

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Configuring Modem Transport Support for VoIP

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Lab Troubleshooting Using traceroute Instructor Version 2500

Table of Contents. isco Configuring 802.1q Trunking Between a Catalyst 3550 and Catalyst Switches Running Integrated Cisco IOS (Nativ

Configuring Commonly Used IP ACLs

Chapter 2. Switch Concepts and Configuration. Part II

2002, Cisco Systems, Inc. All rights reserved.

Lab Student Lab Orientation

Object Groups for ACLs

Exam E1 Copyright 2010 Thaar AL_Taiey

Policy Based Routing with the Multiple Tracking Options Feature Configuration Example

IPsec Anti-Replay Window Expanding and Disabling

Lab b Simple Extended Access Lists

Lab Configuring Dynamic and Static NAT (Solution)

Configuring Routes on the ACE

Fundamentals of Network Security v1.1 Scope and Sequence

Lab Catalyst 2950T and 3550 Series Basic Setup

Tech Note: Configuring Q.SIG PRI trunk between Cisco Call Manager and Avaya S8700/G650 with Cisco Unity Voice Mail integration

Cisco Press CCIE Practical Studies CCIE Practice Lab: Enchilada Solutions

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION

Lab - Troubleshooting VLAN Configurations (Instructor Version Optional Lab)

History Page. Barracuda NextGen Firewall F

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Lab b Standard ACLs Instructor Version 2500

Troubleshooting Network analysis Software communication tests and development Education. Protocols used for communication (10 seconds capture)

firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name

6 Network Security Elements

Configuring Web Cache Services By Using WCCP

Payload Types At Different OSI Layers: Layer 2 - Frame Layer 3 - Packet Layer 4 - Datagram

Lab - Troubleshooting ACL Configuration and Placement Topology

Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls

Using NAT in Overlapping Networks

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Network Admission Control

Transcription:

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only. Transparently Routing Web Traffic to the Barracuda Web Security Gateway This article demonstrates how to route traffic to the Barracuda Web Security Gateway as a proxy without requiring proxy rules to be pushed out to all clients on the network. This method allows the Barracuda Web Security Gateway to forward HTTPS (443) traffic in addition to standard HTTP traffic, which cannot be done using other methods of transparent proxy routing. The example shown in this article assumes a configuration with a Cisco Router with built-in Firewall Security Module (FWSM), but it should work with any routing equipment supporting (PBR). Text in yellow boxes shows commands that need to be run on the router. Installation of the Barracuda Web Security Gateway For this configuration, you will need to connect the Barracuda Web Security Gateway LAN interface to its own dedicated port on the router. Give the Barracuda Web Security Gateway an IP address in its own dedicated IP subnet, and assign a gateway IP to the router interface that it is connected to. An example network is shown here: Barracuda IP Address: 10.100.3.2/30 gateway 10.100.3.1 Internal Ranges: 10.100.1.0/24 (VLAN_1) 10.100.2.0/24 (VLAN_2) Router Configuration Step 1. Define 2 access lists You must define two access lists because you need to create a route-map for both the internal and external interfaces of the router. These rules describe which clients will be routed to the Barracuda Web Security Gateway. Your routing rules will be different based on whether this is outbound or inbound traffic. [ Inbound ] ip access-list extended HTTP(S)_Proxy_Inbound permit udp any eq domain 10.100.0.0 0.0.255.255 permit tcp any eq 443 10.100.0.0 0.0.255.255 [ Outbound ] ip access-list extended HTTP(S)_Proxy_Outbound permit tcp 10.100.0.0 0.0.255.255 any eq www permit tcp 10.100.0.0 0.0.255.255 any eq 443 1 / 6

Note that this is routing inbound DNS traffic back through the Barracuda Web Security Gateway. This is the key to making policy-based routing work for HTTPS traffic. Step 2. Create route maps Match these route-maps to the access lists you just created. Any traffic matching those lists will have the match rule applied to it. In this case, you are modifying the next-hop for the packet to the Barracuda Web Security Gateway's IP address. Note that you need two route-maps one for inbound traffic, and one for outbound traffic. [ Inbound ] route-map HTTP(S)_Proxy_Inbound permit 10 match ip address HTTP(S)_Proxy_Inbound [ Outbound ] route-map HTTP(S)_Proxy_Outbound permit 20 match ip address HTTP(S)_Proxy_Inbound Step 3. Apply route-maps to the interfaces on your router The inbound route-map you created is applied to the outside (WAN-side) interface on your router/firewall. The outbound route-maps are applied to any internal interfaces on your router/firewall. This includes any subinterfaces that are connected to client networks that need filtering. [ Inbound ] interface FastEthernet0/1 description Test WAN ip address 1.1.1.2 255.255.255.0 ip access-group Inbound_Rules in no ip redirects no ip unreachables ip nat outside ip policy route-map HTTP(S)_Proxy_Inbound [ Outbound ] Note that there are two interfaces listed here one for each VLAN on the test network. The outbound route-map rule needs to be enabled for each internal interface or sub-interface to be filtered. Start with one and test. interface FastEthernet0/0.1 description VLAN_1 encapsulation dot1q 1 ip address 10.100.1.1 255.255.255.0 ip policy route-map HTTP(S)_Proxy_Outbound 2 / 6

interface FastEthernet0/0.2 description VLAN_2 encapsulation dot1q 2 ip address 10.100.2.1 255.255.255.0 ip policy route-map HTTP(S)_Proxy_Outbound Sample Cisco IOS Configuration version 12.2 service timestamps debug uptime service timestamps log uptime service password-encryption hostname cisco boot system flash slot1:c3660-ik9o3s-mz.122-32.bin no logging monitor enable secret 5 ********** username seadmin privilege 15 password 7 ********** ip subnet-zero ip wccp web-cache redirect-list WCCP ip ftp username ********** ip ftp password 7 ********** ip domain-name ********** ip audit notify log ip audit po max-events 100 call rsvp-sync fax interface-type fax-mail mta receive maximum-recipients 0 interface FastEthernet0/0 description Test LAN no ip address interface FastEthernet0/0.1 description Barracuda Systems encapsulation dot1q 1 ip address 10.100.1.1 255.255.255.0 3 / 6

ip policy route-map HTTP(S)_Proxy_Outbound interface FastEthernet0/0.2 description Other OS (Windows, Mac, Linux...) encapsulation dot1q 2 ip address 10.100.2.1 255.255.255.0 interface FastEthernet0/0.100 encapsulation dot1q 100 native interface FastEthernet0/1 description CudaSE.net WAN ip address 1.1.1.3 255.255.255.0 secondary ip address 1.1.1.2 255.255.255.0 ip access-group Inbound_Rules in no ip redirects no ip unreachables ip nat outside ip policy route-map HTTP(S)_Proxy_Inbound interface FastEthernet2/0 description HTTP(S) Proxy ip address 10.100.3.1 255.255.255.0 source list Outbound_NAT interface FastEthernet0/1 overload ip classless ip route 0.0.0.0 0.0.0.0 1.1.1.1 no ip http server ip access-list extended HTTP(S)_Proxy_Inbound permit udp any eq domain 10.100.0.0 0.0.255.255 permit tcp any eq 443 10.100.0.0 0.0.255.255 ip access-list extended HTTP(S)_Proxy_Outbound permit tcp 10.100.0.0 0.0.255.255 any eq www permit tcp 10.100.0.0 0.0.255.255 any eq 443 ip access-list extended Inbound_Rules permit icmp any any echo permit icmp any any echo-reply permit icmp any any source-quench permit icmp any any packet-too-big permit icmp any any time-exceeded permit udp any any gt 1023 permit tcp any any ack deny ip any any ip access-list extended Outbound_NAT permit ip 10.100.1.0 0.0.0.255 any permit ip 10.100.2.0 0.0.0.255 any permit ip 10.100.3.0 0.0.0.255 any 4 / 6

deny ip any any route-map HTTP(S)_Proxy_Inbound permit 10 match ip address HTTP(S)_Proxy_Inbound route-map HTTP(S)_Proxy_Outbound permit 20 match ip address HTTP(S)_Proxy_Outbound dial-peer cor custom line con 0 line aux 0 line vty 0 4 privilege level 15 login local transport input telnet ssh line vty 5 15 privilege level 15 login local transport input telnet ssh end 5 / 6

6 / 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback