HTTP and FTP Proxy caching Using a Cisco Cache Engine 550 and a PIX Firewall



Table of Contents

HTTP and FTP Proxy caching Using a Cisco Cache Engine 550 and a PIX Firewall
  Introduction
  Before You Begin
    Conventions
    Prerequisites
    Components Used
    Background Theory
  Configure
    Network Diagram
    Configurations
  Verify
    2600 Router
  Troubleshoot
    2600 Router
  Related Information

Introduction

This tech note shows you how to set up a Cisco Cache Engine 550 to perform Hypertext Transfer Protocol (HTTP) / File Transfer Protocol (FTP) caching for Multipurpose Internet Mail Extensions (MIME) file types (RFC 2046) and for FTP directory listings.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

    Cisco Cache Engine 550 running Cisco Cache Software Release 2.51
    Cisco 2600 Router running Cisco IOS Software Release 12.2
    Cisco PIX Firewall running Secure PIX Firewall Software Release 6.0(1)
    Web server running Internet Information Server 4.0 on Windows NT 4.0 SP6a

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Background Theory

Inside clients need to explicitly configure their browsers to use a manual HTTP/FTP proxy to the IP address of the Cache Engine on a specified port. Specifically, the Cache Engine handles ftp:// style FTP requests over HTTP transport in proxy mode, in passive and active mode, and in anonymous and authenticated mode (RFC 1738).

The Private Internet Exchange (PIX) firewall in front of the Cache Engine allows HTTP/FTP traffic coming only from the single IP address of the Cache Engine. This means that clients cannot HTTP/FTP directly to the outside. Because all requests come from just one IP address, the Cache Engine enforces the security policy of who is and who is not allowed to HTTP/FTP outside.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the IOS Command Lookup tool.

Network Diagram

This document uses the network setup shown in the diagram below.
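The two enforcement points just described, modelled in Python as an added example that is not part of this tech note: the PIX access-list restrict-access-out, which permits outbound traffic only from the Cache Engine's address, and the Cache Engine's rule block src-ip command shown in the Verify section. The ACL and rule text are taken from this document; the function names are the example's own, and the example models the rule's netmask argument as a subnet mask, which is why 255.255.255.0 matches every client on 10.10.10.0/24 and not only 10.10.10.11.

```python
import ipaddress

# Constructed from this tech note's configurations: the PIX access-list that lets
# only the Cache Engine (10.10.10.50) out, and the Cache Engine rule from Verify.
PIX_ACL = [
    "access-list restrict-access-out permit ip host 10.10.10.50 any",
    "access-list restrict-access-out deny ip any any",
]
CE_RULES = ["rule block src-ip 10.10.10.11 255.255.255.0"]
CACHE_ENGINE = "10.10.10.50"

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((t, tokens.pop(0)), strict=False)

def pix_acl_decision(acl, src, dst, proto):
    """First-match evaluation of an extended PIX 6.x access-list. Port qualifiers
    are ignored because this note's ACL has none; unmatched traffic hits the
    implicit deny at the end of every PIX ACL."""
    for line in acl:
        tokens = line.split()
        action, acl_proto, rest = tokens[2], tokens[3], tokens[4:]
        src_net, dst_net = _addr(rest), _addr(rest)
        if (acl_proto in ("ip", proto) and ipaddress.ip_address(src) in src_net
                and ipaddress.ip_address(dst) in dst_net):
            return action
    return "deny"

def ce_blocked(rules, client):
    """'rule block src-ip ADDRESS NETMASK', modelled as a subnet match: the client
    is blocked when it agrees with ADDRESS in every bit that NETMASK sets."""
    for line in rules:
        tokens = line.split()
        if tokens[:3] == ["rule", "block", "src-ip"]:
            net = ipaddress.ip_network((tokens[3], tokens[4]), strict=False)
            if ipaddress.ip_address(client) in net:
                return True
    return False

def outbound_decision(client, server, via_proxy, rules=CE_RULES):
    """Where an inside client's FTP/HTTP request to an outside server ends up."""
    if not via_proxy:             # direct attempt: the PIX sees the client's own address
        return "PIX: " + pix_acl_decision(PIX_ACL, client, server, "tcp")
    if ce_blocked(rules, client):  # proxied: the Cache Engine applies its rules first
        return "CE: blocked by rule"
    return "PIX: " + pix_acl_decision(PIX_ACL, CACHE_ENGINE, server, "tcp")
```

A rule written with mask 255.255.255.255 blocks only 10.10.10.11, while a direct connection from any client is stopped at the PIX regardless of the Cache Engine rules.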

Configurations

This document uses the configurations shown below.

Cache Engine 550 Running Cisco Cache Software Release 2.51

    hostname tikka
    !
    interface ethernet 0
     ip address 10.10.10.50 255.255.255.0
     ip broadcast-address 10.10.10.255
     bandwidth 10
     halfduplex
     exit
    interface ethernet 1
     exit
    !
    ip default-gateway 10.10.10.1
    ip name-server 144.254.15.102
    ip domain-name cisco.com
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    !
    inetd enable ftp 12
    !
    cron file /local/etc/crontab
    clock timezone CET 7 0
    !
    no bypass load enable
    !
    http max-ttl hours text 4 binary 8
    http proxy incoming 8080
    !
    radius-server authtimeout 21
    radius-server key ****
    authentication login local enable
    authentication configuration local enable
    !
    rule no-cache url-regex .*cgi-bin.*
    rule no-cache url-regex .*aw-cgi.*
    !
    ftp proxy anonymous-pswd ****
    ftp proxy incoming 8080

PIX Version 6.0(1)

    PIX Version 6.0(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix-cache
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list restrict-access-out permit ip host 10.10.10.50 any
    access-list restrict-access-out deny ip any any
    !--- This access list allows any IP traffic for the CE (UDP DNS queries
    !--- also need to go through the PIX).
    pager lines 24
    logging on
    logging buffered debugging
    interface ethernet0 10baset
    interface ethernet1 10baset
    interface ethernet2 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 172.17.241.47 255.255.255.0
    ip address inside 8.8.8.2 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address intf2 0.0.0.0
    pdm history enable
    arp timeout 14400
    global (outside) 1 172.17.241.48
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    !--- The nat and global lines are meant for any other traffic that is not
    !--- supposed to be proxied by the CE (mail, for example), but you would need
    !--- to explicitly define an entry in the restrict-access-out ACL to permit
    !--- these outbound connections.
    access-group restrict-access-out in interface inside
    static (inside,outside) 172.17.241.50 10.10.10.50
    !--- This static statically maps the CE to a specific external address.
    route outside 0.0.0.0 0.0.0.0 172.17.241.1 1
    route inside 10.10.10.0 255.255.255.0 8.8.8.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet 10.10.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:7f08b39173bbe1302bd24273973c89de
    : end
    [OK]

2600 Router

    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname suicide
    !
    enable password ww
    !
    username all
    ip subnet-zero
    no ip domain-lookup
    !
    cns event-service server
    !
    interface FastEthernet0/0
     ip address 8.8.8.1 255.255.255.0
     no ip route-cache
     no ip mroute-cache
     speed 10
     half-duplex
    !
    interface Serial0/0
     no ip address
     shutdown
     no fair-queue
    !
    interface FastEthernet0/1
     ip address 10.10.10.1 255.255.255.0
     no ip route-cache
     no ip mroute-cache
     speed 10
     half-duplex
    !
    interface Serial0/1
     no ip address
     shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 8.8.8.2
    ip http server
    !
    line con 0
     exec-timeout 0 0
     transport input none
    line aux 0
    line vty 0 4
     password ww
     login
    !
    no scheduler allocate
    end

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter tool, which allows you to view an analysis of show command output.

2600 Router

You do not need to configure the 2600 router for FTP proxy caching. In this example, the router only relays inbound/outbound packets.

The following example shows how to set up FTP proxy caching to an external FTP server. With HTTP, the procedure is the same.

The client configures the FTP proxy in the browser, pointing it to 10.10.10.50:8080. All traffic goes through the Cache Engine. In the PIX, configure a static (with no conduit) for the Cache Engine. Users cannot access FTP sites without using the Cache Engine as a proxy. The following partial configuration shows an example of how to do this.

    pix-cache#
    pix-cache# show xlate
    1 in use, 1 most used
    Global 172.17.241.50 Local 10.10.10.50 static
    pix-cache# show conduit
    pix-cache# show outbound
    pix-cache#

To enforce a security policy and block specific clients from using FTP to the outside, use the rule block command.

    rule block src-ip 10.10.10.11 255.255.255.0

You can view the statistics of the traffic being cached (FTP hits) by using the show statistics ftp command on the Cache Engine.

    tikka#show statistics ftp
    FTP Statistics
    FTP requests Received = 27

    FTP Hits                         Requests   Percentage
      Number of hits          =            17       63.0 %
      Bytes                   =        358209       39.6 %

    FTP Misses                       Requests   Percentage
      Number of misses        =            10       37.0 %
      Bytes                   =        547368       60.4 %

    Requests sent to Outgoing Proxy    = 0
    Requests sent to origin ftp server = 10
    FTP error count = 0

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

2600 Router

The following logs came from the Cache Engine upon the request issued in the client browser.

    tikka#debug http header all
    tikka#debug ftp packets
    tikka#
    Http request headers received from client:
    GET ftp://172.17.241.216/sample.txt HTTP/1.0
    Referer: ftp://172.17.241.216/
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.75 [en] (WinNT; U)
    Pragma: no-cache
    Host: 172.17.241.216
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Encoding: gzip
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8

    Mon Jul 2 06:40:59 2001: GET ftp://172.17.241.216/sample.txt HTTP/1.0
    Referer: ftp://172.17.241.216/
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.75 [en] (WinNT; U)
    Pragma: no-cache
    Host: 172.17.241.216
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Encoding: gzip
    Accept-Language: en
    Accept-Charset: ISO-8859-1,*,utf-8

    Send Cmd : USER anonymous
    Mon Jul 2 06:40:59 2001: Send Cmd : USER anonymous
    Send Cmd : PASS XXXX
    Mon Jul 2 06:40:59 2001: Send Cmd : PASS XXXX
    Send Cmd : CWD sample.txt
    Mon Jul 2 06:40:59 2001: Send Cmd : CWD sample.txt
    Send Cmd : MDTM sample.txt
    Mon Jul 2 06:40:59 2001: Send Cmd : MDTM sample.txt
    get_reply_info(): Last Modified Time : 1942132164
    Mon Jul 2 06:40:59 2001: get_reply_info(): Last Modified Time : 1942132164
    Send Cmd : TYPE A
    Mon Jul 2 06:40:59 2001: Send Cmd : TYPE A
    Send Cmd : PASV
    Mon Jul 2 06:40:59 2001: Send Cmd : PASV
    Send Cmd : RETR sample.txt
    Mon Jul 2 06:40:59 2001: Send Cmd : RETR sample.txt
    Send Cmd : QUIT
    Mon Jul 2 06:41:00 2001: Send Cmd : QUIT

Related Information

    Cisco CSS 11000 Series Product Support Page
    Technical Support - Cisco Systems

All contents are Copyright 1992-2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Updated: Oct 30, 2002
Document ID: 12560