Re: Transparent proxying woes (IOS 11.1(12) on a 4500)

From: Ahsan Khan <ahsank@dont-contact.us>
Date: Tue, 13 Jun 2000 23:30:56 +0500

    Then the best way is that do not disturb your Cisco access-group . What
best for you is then that make your Linux Machine gateway for users and use
ipchains for traffic redirection . It will be much better and your network
structure will not disturb.

With Regards
Ahsan Khan
Sr. System Admin
Internet Division (OneNet)
Sun Communication Pvt. Ltd.
Pakistan
http://www.one.net.pk

----- Original Message -----
From: "Chris Tilbury" <Chris.Tilbury@warwick.ac.uk>
To: <squid-users@ircache.net>
Sent: Tuesday, June 13, 2000 1:30 PM
Subject: RE: Transparent proxying woes (IOS 11.1(12) on a 4500)

>
> Ahsan Khan (ahsank@one.net.pk) wrote:
> |
> | I am not sure if you have put the route map on your Ethernet
interface.??
> |
> | !
> | interface Ethernet0
> | ip policy route-map proxy-redirect
> | !
> |
> | Did you .??
>
> No, because we're not using an Ethernet interface. We're using Fddi, so
it's
> applied to that :-)
>
> Our CISCO chappie is looking again at this. I did some digging last night
> (ciscos are scary beasts and I don't normally touch them!) and it seems
that
> an access-group we have for security reasons on that same interface is
> colliding with the ip next-hop - the interface doesn't let traffic flow
out
> from it with a src IP address of 137.205.0.0. So the route-map is
matching,
> setting the next hop, the packet is duly being sent out and then dropped
by
> the access group.
>
> He's having a think as to how we can rework our security stuff to avoid
this
> (applying it in the inverse direction to the logically opposite interface
> seems like the best bet at present).
>
>
>
>
>
> Chris
>
> --
> Chris Tilbury, IT Services, University of Warwick, Coventry, UK
> PHONE: 024 7652 3365 / FAX: 024 7652 2367 / MAIL:
> Chris.Tilbury@warwick.ac.uk
>
Received on Tue Jun 13 2000 - 12:28:41 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:54:01 MST