I have a Cisco Web Security Virtual Appliance that will be doing content filtering and monitoring.
I need help configuring policy-based routing to send web traffic on ports 80, 8080, 443 and 3128 to the appliance and all other traffic (DNS, UDP, etc.) to another gateway.
Thanks,
Greg
Create an access list:
ip access-list extended webfilter-list
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 8080
....
Create a route map:
route-map webfilter-map permit 10
match ip address webfilter-list
set ip next-hop ip.of.filter.box
route-map webfilter-map permit 20
Apply that route-map to the inside interface where the browsers live.
interface eth 0/2
ip policy route-map webfilter-map
There is one more thing you will need to do, and we need more information about the appliance. How does the filter appliance get to the Internet to pass the clean traffic through? Does it have a separate interface? Does it do NAT? You'll need to take some action to ensure that the inspected traffic isn't subject to the route-map or it will just loop to itself.
Good luck. John Gilmore's 1993 quote is still applicable today 21 years later. John Gilmore - Wikiquote
That should be fairly easy.
1. You just need to configure the other gateway as the default route.
2. Then you need to create an ACL that matches the desired traffic you want to filter (80, 8080, 443, etc.).
3. Create a route-map. Have the route map match the ACL you created. Have the route-map set the next hop to be the address of the web filtering appliance.
4. Assign the route map to the interface that the traffic is coming from.
There is pretty good documentation on PBR at https://supportforums.adtran.com/docs/DOC-3587
I can give you an example if you need one. Keep in mind that PBR does use CPU resources, so it could impact the router's performance if we are looking at a high traffic volume.
R
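Putting the steps from both answers together as one complete Cisco IOS-style configuration, including the loop-avoidance point raised in the first answer. This is an added example, not the original poster's or either responder's configuration; the interface names, the 192.0.2.0/24 client network, the 198.51.100.10 appliance address and the 203.0.113.1 default gateway are assumed placeholders from the RFC 5737 documentation ranges.

```cisco
! Constructed example; addressing below is assumed, not from the thread.
!   inside LAN (browsers)   192.0.2.0/24    on Ethernet0/2 (router 192.0.2.1)
!   web filter appliance    198.51.100.10   on Ethernet0/1 (router 198.51.100.1)
!   "other" gateway         203.0.113.1     reachable via Ethernet0/0
!
! Step 1: everything that is NOT policy-routed follows the normal default route.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Step 2: ACL that selects the traffic to redirect.
!   The deny entry at the top keeps packets the appliance itself sends
!   (its own fetches toward the Internet) out of the route-map, so they
!   cannot be bounced back to the appliance in a loop.
ip access-list extended webfilter-list
 deny   ip host 198.51.100.10 any
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 permit tcp 192.0.2.0 0.0.0.255 any eq 8080
 permit tcp 192.0.2.0 0.0.0.255 any eq 3128
!
! Step 3: route-map. Sequence 10 sends ACL matches to the appliance;
!   sequence 20 has no match or set, so everything else (DNS, UDP, and
!   the denied appliance traffic) falls through to the routing table.
route-map webfilter-map permit 10
 match ip address webfilter-list
 set ip next-hop 198.51.100.10
!
route-map webfilter-map permit 20
!
! Step 4: apply the policy only on the inside interface. The appliance's
!   interface carries no "ip policy", so its outbound traffic is never
!   policy-routed regardless of the ACL.
interface Ethernet0/2
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map webfilter-map
!
interface Ethernet0/1
 ip address 198.51.100.1 255.255.255.0
!
! Verification after applying:
!   show ip policy                  - confirms the map is bound to Ethernet0/2
!   show route-map webfilter-map    - per-sequence match counters; sequence 10
!                                     should climb as clients browse, and
!                                     appliance-sourced traffic should not
```

Two things to check once this is in place: first, that the deny entry really covers the address the appliance sources traffic from (if the appliance NATs or uses a separate egress interface, adjust the deny to that address); second, that the appliance being down does not silently black-hole web traffic. With a plain `set ip next-hop`, IOS keeps forwarding to an unreachable next hop; the `set ip next-hop verify-availability` form with object tracking exists for exactly that case, and whether to fail open to the other gateway or fail closed is a policy decision to make before the appliance has its first outage.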
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor