From: hfamili on 2 Oct 2005 03:09

Our Pix 515 is behind a router that does NAT. The router is forwarding port 443 to the Pix Outside interface of 172.16.80.2. I have the following line to enable the cut-through proxy:

aaa authentication include https outside 0.0.0.0 0.0.0.0 RADIUS

Using a browser on the net and hitting the router's outside (public) IP on the https (443) port, I get Cisco's user login form (white page with a user/password field and a submit button). If I view the source of this page, the submit button has an action of https://172.16.80.2:443.... see the issue? The browser on the web cannot route to that IP... How do I get the Pix to generate the form such that it'll post to the router's public IP? Or does this mean I cannot do cut-through proxy unless the Pix has a public IP on its outside interface?

Alex.
From: Walter Roberson on 2 Oct 2005 12:22

In article <1128236989.332046.308480(a)o13g2000cwo.googlegroups.com>, <hfamili(a)yahoo.com> wrote:

:Our Pix 515 is behind a router that does NAT. The router is forwarding
:port 443 to the Pix Outside interface of 172.16.80.2.
:I have the following line to enable the cut-through proxy:
:aaa authentication include https outside 0.0.0.0 0.0.0.0 RADIUS
:Using a browser on the net and hitting the router's outside (public) IP
:on https (443) port, I get Cisco's user login form (white page with a
:user/password field and a submit button). If I view the source of this
:page, the submit button has an action of https://172.16.80.2:443....
:see the issue? The browser on the web cannot route to that IP...

If your router is the device doing the IP translation from the public IP to 172.16.80.2, then it is your router that is responsible for modifying the returned HTML to use the public IP in place of 172.16.80.2. If your router cannot do HTML rewrites, or if your router cannot do HTTPS rewrites (due to the encryption), then you are using the wrong topology.

--
Watch for our new, improved .signatures -- Wittier! Profounder! and with less than 2 grams of Trite!
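The rewrite Walter describes, as an added example that is not part of the thread and is not Cisco IOS or PIX code: a Python sketch of what the NAT device would have to do to the PIX login page, i.e. rewrite absolute URLs that point at the translated inside address (172.16.80.2, from the post) to the public address, together with the check that finds form actions an Internet browser cannot reach. The HTML is a constructed approximation of the page the poster describes, not the real PIX markup, and 203.0.113.10 is an assumed public address for the router.

```python
import ipaddress
import re
from html.parser import HTMLParser

# 172.16.80.2 is the PIX outside interface quoted in the post.
# 203.0.113.10 is an ASSUMED public address for the router (a documentation
# range, not a real host); substitute the real one.
INSIDE_ADDR = "172.16.80.2"
PUBLIC_ADDR = "203.0.113.10"

# RFC 1918 space; the poster's 172.16.80.2 falls inside 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed approximation of the cut-through-proxy login page the poster
# describes (user/password fields and a submit button posting to the PIX's
# own outside IP). It is not the actual PIX page.
SAMPLE_FORM = """<html><body>
<form method="post" action="https://172.16.80.2:443/">
User <input name="username"><br>
Password <input type="password" name="password"><br>
<input type="submit" value="Submit">
</form></body></html>"""

# Absolute http/https URL: scheme, host, optional :port. Path is left as-is.
URL_RE = re.compile(r"(?P<scheme>https?)://(?P<host>[^/:\s\"'>]+)(?P<port>:\d+)?")


def is_rfc1918(host):
    """True if host is a literal IPv4 address in RFC 1918 space; hostnames -> False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


class FormActionFinder(HTMLParser):
    """Collect the action attribute of every <form> tag in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)


def unroutable_actions(html):
    """Form actions that post to an RFC 1918 address, i.e. the ones a browser
    on the Internet cannot reach. This is the check that exposes the problem."""
    finder = FormActionFinder()
    finder.feed(html)
    bad = []
    for action in finder.actions:
        m = URL_RE.match(action)
        if m and is_rfc1918(m.group("host")):
            bad.append(action)
    return bad


def rewrite_html(html, inside=INSIDE_ADDR, public=PUBLIC_ADDR):
    """The body rewrite a NAT device would have to apply: swap the translated
    inside address for the public one in absolute URLs, keeping scheme, port
    and path. It only works on plaintext, so for HTTPS the device would first
    have to terminate the TLS session itself."""
    def swap(m):
        if m.group("host") == inside:
            return f"{m.group('scheme')}://{public}{m.group('port') or ''}"
        return m.group(0)
    return URL_RE.sub(swap, html)


if __name__ == "__main__":
    print("unreachable form actions:", unroutable_actions(SAMPLE_FORM))
    fixed = rewrite_html(SAMPLE_FORM)
    print("after rewrite:", unroutable_actions(fixed))
    print(fixed)
```

The port is kept deliberately: the router forwards 443, so the rewritten action must still carry :443. The rewrite is possible only where the device sees the HTML in the clear; for the HTTPS login page a plain NAT router sees ciphertext, and would have to terminate TLS with its own certificate and re-encrypt towards the PIX to touch the body, which is the encryption obstacle Walter points at.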
From: hfamili on 2 Oct 2005 13:57

Thanks for the reply. The router is a Cisco 1721. Do you know if it's capable of doing what you are saying?

Alex.
From: Merv on 2 Oct 2005 16:25

Check out the IOS firewall CBAC inspect https feature.