Cut-through proxy on IOS router.

Hello

You probably didn't know that your Cisco router can also act as an authentication proxy (Cisco calls it the cut-through proxy; it is configured with ip admission): it intercepts a user's first HTTP session, asks for credentials on a login page served by the router itself, and only then opens the access list for that host.

My PC is on vlan10 with the ip address 192.168.1.224


!!!! my home LAN: everything on VLAN 10 is NATed out to VLAN 20, because VLAN 20 is where my Dovado LTE router (192.168.2.1) sits !!!!

interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 116 in
 ip admission ADMISSION
 ip nat inside
 ip virtual-reassembly in

interface Vlan20
 ip address 192.168.2.2 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in

aaa new-model

!!! authorization for auth-proxy is local because I don't have a RADIUS server configured at the moment. Auth-proxy authenticates users against the default login method list, so check with show running-config | include aaa authentication that nothing points that list at a server you don't have !!!

aaa authorization auth-proxy default local

!!! user cisco is meant for proxy logins only, so it carries an attribute list; priv-lvl 15 for service auth-proxy means full access, i.e. all traffic from the host is permitted once it has logged in. Be aware that a privilege-15 local user with a type-0 (cleartext) password is also a valid login for the router itself wherever local authentication applies, so use a secret and a real password before this leaves the home lab !!!

username cisco privilege 15 password 0 cisco
username cisco aaa attribute list cisco

aaa attribute list cisco
attribute type priv-lvl 15 service auth-proxy protocol ip

!!! this is the admission (auth-proxy) rule: intercept HTTP and drop the session after 60 minutes of inactivity !!!

ip admission name ADMISSION proxy http inactivity-time 60

!!! this is the access list applied inbound on Vlan10. Before login it only lets the PC resolve names (UDP/53) and open TCP sessions to the router itself, which is how the intercepted HTTP request reaches the login page; everything else is denied until auth-proxy adds the dynamic entries for the authenticated host. DNS has to be allowed before authentication, because the browser must resolve the name of the site before the router ever sees an HTTP request to intercept. Note that the list names only my test PC: with the implicit deny at the end, any other host on the VLAN gets nothing, so for real users the source would be the whole subnet. The rule is configured for HTTP, so the first page you open should be a plain http:// URL, and the browser proxy setting should be "find proxy automatically" rather than the default "no proxy" !!!

access-list 116 permit udp host 192.168.1.224 any eq domain
access-list 116 permit tcp host 192.168.1.224 host 192.168.1.1
access-list 116 deny tcp host 192.168.1.224 any
access-list 116 deny udp host 192.168.1.224 any
access-list 116 deny icmp host 192.168.1.224 any
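To make the pre-login and post-login behaviour of access-list 116 concrete, here is a small model of how IOS walks the list, top-down with first match winning. This is an added example, not code from the original post. Two things in it are my assumptions rather than something the page shows: that a successful login as the priv-lvl 15 user makes auth-proxy insert a dynamic "permit ip host <client> any" entry ahead of the static entries, and that 203.0.113.x and 192.168.1.50 are placeholder addresses for an internet host and a second LAN host. It also goes one step beyond the post by showing what happens to a host the list does not name.

```python
"""Added example, not code from the original post: a model of how IOS
evaluates access-list 116 (inbound on Vlan10) before and after an
auth-proxy login.

Assumptions of mine, not shown on the page: a successful login as the
priv-lvl 15 local user inserts a dynamic `permit ip host <client> any`
entry ahead of the static entries, and a packet that matches no entry
hits the implicit deny at the end of every IOS ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The access list copied from the post; evaluated top-down, first match wins.
ACL_116 = """
access-list 116 permit udp host 192.168.1.224 any eq domain
access-list 116 permit tcp host 192.168.1.224 host 192.168.1.1
access-list 116 deny tcp host 192.168.1.224 any
access-list 116 deny udp host 192.168.1.224 any
access-list 116 deny icmp host 192.168.1.224 any
"""

PORT_NAMES = {"domain": 53, "www": 80}   # only the keywords this example needs


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port
    dynamic: bool = False         # True for the entry auth-proxy adds (assumption)


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A WILDCARD": ipaddress accepts a contiguous wildcard (hostmask) after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional `eq PORT` qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        _sport, i = _port(t, i)    # source-port qualifier, not used by ACL 116
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Verdict ("permit"/"deny") for one packet entering Vlan10."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                 # implicit deny at the end of the list


def after_login(aces: List[Ace], client_ip: str) -> List[Ace]:
    """The list once client_ip has authenticated (assumption: priv-lvl 15 gives a
    permit-everything dynamic entry for that host, placed first)."""
    dyn = Ace("permit", "ip", ipaddress.ip_network(client_ip + "/32"),
              ipaddress.ip_network("0.0.0.0/0"), None, dynamic=True)
    return [dyn] + aces


def demo() -> dict:
    """Verdicts for the cases the post talks about. 203.0.113.x are placeholder
    internet hosts, 192.168.1.50 a second (unlisted) host on the VLAN."""
    pre = parse_acl(ACL_116)
    post = after_login(pre, "192.168.1.224")
    return {
        "pre dns":         evaluate(pre, "udp", "192.168.1.224", "203.0.113.53", 53),
        "pre login page":  evaluate(pre, "tcp", "192.168.1.224", "192.168.1.1", 80),
        "pre web":         evaluate(pre, "tcp", "192.168.1.224", "203.0.113.10", 80),
        "pre other host":  evaluate(pre, "udp", "192.168.1.50", "203.0.113.53", 53),
        "post web":        evaluate(post, "tcp", "192.168.1.224", "203.0.113.10", 443),
        "post other host": evaluate(post, "tcp", "192.168.1.50", "203.0.113.10", 80),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

Running it shows the point of the comment above: before login the test PC can only do DNS and reach the router, after login it can reach anything, and the second host is denied in both cases because the list never mentions it.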

And the verification commands…

poswiecka53_edgertr# show ip admission cache
Authentication Proxy Cache
Client Name cisco, Client IP 192.168.1.224, Port 51436, timeout 60, Time Remaining 60, state ESTAB

poswiecka53_edgertr#show ip admission configuration

Authentication Proxy Banner not configured
Consent Banner is not configured
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled

Authentication Proxy Max HTTP process is 7
Authentication Proxy Auditing is disabled
Max Login attempts per user is 30

Authentication Proxy Rule Configuration
Auth-proxy name ADMISSION
http list not specified inactivity-timer 60 minutes

It works beautifully! Now all my users need to log in before they can browse the internet.


Two caveats:

If you are changing the admission settings on the router and suddenly your test PC can't reach the internet, look at the show ip admission cache output first.

poswiecka53_edgertr#show ip admission cache
Authentication Proxy Cache
Client Name N/A, Client IP 192.168.1.224, Port 52344, timeout 60, Time Remaining 60, state SERVICE_DENIED

If you see this output, shut the VLAN interface, shut the host port, run clear ip admission cache *, and start the browser again. Unless you've messed something up, the browser should display the authentication window again.
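Since the cache output is the thing you reach for when a client is stuck, here is a parser for it that sorts the entries into sessions that are fine, sessions stuck in SERVICE_DENIED, and sessions still waiting for a login. This is an added example, not code from the original post. The first two sample lines are the ones shown on this page; the third (an INIT entry for 192.168.1.50) is constructed to exercise the pending case.

```python
"""Added example, not code from the original post: parse the output of
`show ip admission cache` and triage the sessions. The first two sample
lines are copied from the page; the third is constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Authentication Proxy Cache
Client Name cisco, Client IP 192.168.1.224, Port 51436, timeout 60, Time Remaining 60, state ESTAB
Client Name N/A, Client IP 192.168.1.224, Port 52344, timeout 60, Time Remaining 60, state SERVICE_DENIED
Client Name N/A, Client IP 192.168.1.50, Port 40112, timeout 60, Time Remaining 2, state INIT
"""

# Field layout as it appears on the page; timeout and Time Remaining are minutes.
ENTRY = re.compile(
    r"Client Name (?P<name>\S+), Client IP (?P<ip>[\d.]+), Port (?P<port>\d+), "
    r"timeout (?P<timeout>\d+), Time Remaining (?P<remaining>\d+), state (?P<state>\S+)"
)


def parse_cache(text: str) -> List[Dict]:
    """One dict per cache entry; the header line and anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("port", "timeout", "remaining"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def triage(entries: List[Dict], expiring_below: int = 5) -> List[Tuple[str, str, str]]:
    """(ip, category, advice) per entry. Categories: ok, expiring, denied, pending."""
    out = []
    for e in entries:
        ip, state = e["ip"], e["state"]
        if state == "SERVICE_DENIED":
            # The stuck case from the caveat: the remedy on the page is to
            # clear the cache and open the browser again.
            out.append((ip, "denied",
                        "stuck after a config change: clear ip admission cache * "
                        "and start the browser again"))
        elif state == "ESTAB" and e["remaining"] < expiring_below:
            out.append((ip, "expiring",
                        f"{e['name']} idle, {e['remaining']} min before the entry is removed"))
        elif state == "ESTAB":
            out.append((ip, "ok", f"logged in as {e['name']}"))
        else:
            out.append((ip, "pending", f"{state}: the login page has not been completed"))
    return out


def needs_clear(entries: List[Dict]) -> List[str]:
    """IPs that have a SERVICE_DENIED entry, i.e. the hosts the caveat is about."""
    return sorted({e["ip"] for e in entries if e["state"] == "SERVICE_DENIED"})


if __name__ == "__main__":
    for ip, category, advice in triage(parse_cache(SAMPLE)):
        print(f"{ip:16} {category:9} {advice}")
```

Feed it the real command output captured over SSH and it tells you which hosts need the clear-and-retry routine above; nothing here talks to the router.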

Also, do not set the browser to use the router's address as an explicit proxy. If you do, the browser sends its requests to the router's own HTTP server (which ACL 116 permits) and you land on CCP, the funny old router management GUI, instead of the login page: the router is an authentication proxy, not a forwarding one.
