http forward to proxy

L6 Presenter

Re: http forward to proxy

Can't you, in Translated Packet -> Destination Translation, just leave the IP address blank and put in a value for the translated port?

Not applicable

Re: http forward to proxy

Nope.

If you leave the destination address blank you cannot click OK.

But what I need is to NAT the destination address (any) to the proxy address, which is not possible...

I think there is no way to forward HTTP communication to a proxy server... (not possible with PBF or NAT).

L6 Presenter

Re: http forward to proxy

Again, that depends on how you have set up your proxy.

If your proxy is a non-transparent one (see previous posts in this thread for an example of the differences), then you can just make the PA force the traffic into the proxy by specifying the translated address as proxyip:proxyport.

But if you use a web proxy in transparent mode, changing the dstport will break how the web proxy handles the traffic.

This is what happens (when things go bad) if you try to change the dstport while using a transparent proxy:

1) Your client wants to go to http://www.google.com and your DNS resolver replies to the client with 173.194.71.105.

2) The client now tries to establish a TCP connection towards 173.194.71.105:80.

3) Traffic goes through your PA, which (what you request, if I understood your question correctly) will change the dstport from 80 to 8080. So on the other end of the PA the packet now has 173.194.71.105:8080.

4) Traffic reaches your transparent proxy, which accepts and processes it. On the other side of the transparent proxy, the session the proxy tries to establish goes to 173.194.71.105:8080 and not 173.194.71.105:80.

5) Since www.google.com [173.194.71.105] doesn't listen on TCP 8080, the connection from the proxy cannot be established and the proxy will reply to the client "ERROR: server unreachable" (or similar).

Now, in order for a DNAT redirecting traffic into your proxy (with a changed dstport) to function, you must configure the proxy in non-transparent mode (and configure the clients to use the proxy). This means the proxy will look inside the HTTP header instead of the IP header to decide where to make the outbound connection.

Another solution is to configure your transparent proxy to listen on TCP 80 (and TCP 443 and other ports you might expect HTTP traffic on); when using DNAT you then leave "translated port" empty and things will work...
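The five steps above as a small Python model of the packet path, added here and not part of the original post: the DNAT rule, the two proxy modes, the DNS entry and the origin's listening ports are constructed assumptions. It shows why a transparent proxy ends up connecting to the post-NAT IP-header destination (173.194.71.105:8080, refused) while a non-transparent proxy reads the destination from the HTTP Host header and succeeds.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed sample data mirroring the thread: the client resolves
# www.google.com to 173.194.71.105, and the origin only listens on TCP 80.
DNS = {"www.google.com": "173.194.71.105"}
ORIGIN_LISTENING = {"173.194.71.105": {80}}
SAMPLE_REQUEST = "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    payload: str  # the HTTP request carried in the TCP stream


def dnat(pkt: Packet, translated_ip: Optional[str] = None,
         translated_port: Optional[int] = None) -> Packet:
    """Apply a destination-NAT rule; a field left empty keeps the original value."""
    return replace(pkt, dst_ip=translated_ip or pkt.dst_ip,
                   dst_port=translated_port or pkt.dst_port)


def host_header(request: str) -> Tuple[str, int]:
    """Return (host, port) from the HTTP Host header, defaulting to port 80."""
    for line in request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host, _, port = value.strip().partition(":")
            return host, int(port) if port else 80
    raise ValueError("request has no Host header")


def proxy_upstream(pkt: Packet, transparent: bool) -> Tuple[str, int]:
    """Where the proxy opens its outbound connection.
    A transparent proxy reuses the IP header it received (post-NAT dst_ip:dst_port);
    a non-transparent proxy takes the destination from the HTTP Host header."""
    if transparent:
        return pkt.dst_ip, pkt.dst_port
    return host_header(pkt.payload)


def origin_reachable(host: str, port: int) -> bool:
    """Simulated origin server: only ports it really listens on accept the connection."""
    return port in ORIGIN_LISTENING.get(DNS.get(host, host), set())


def run_scenario(transparent: bool, translated_port: Optional[int]):
    """Client -> PA DNAT (destination IP untouched, as in the thread) -> proxy -> origin."""
    on_wire = dnat(Packet("173.194.71.105", 80, SAMPLE_REQUEST),
                   translated_port=translated_port)
    target = proxy_upstream(on_wire, transparent)
    return target, origin_reachable(*target)
```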

Not applicable

Re: http forward to proxy

I hope I correctly understand your reply, but I don't agree with:

"Another solution is to configure your transparent proxy to listen to TCP80 (and TCP443 and other ports you might expect http traffic on) which when using DNAT you will leave "translated port" empty and things will work..."

Because you cannot DNAT the destination IP if you don't know the IP address of the original packet.

And, of course, you cannot set "Any" as the original packet's destination IP and the proxy IP as the translated destination IP (Mismatch of destination address translation range between original address and translated address).
