Deny rule from DMZ to Inside not working?

Hi all,

We want to completely block access to our proxy server for clients that are connected to the VPN. Simply modifying the proxy settings may not be completely effective based on our testing.

Currently our setup is as follows:

Users VPN into the DMZ. The DMZ has 2 implicit rules. Rule 1: allow all IP to any less secure network. Rule 2: deny any/any.

I've attempted to add Deny rules to our proxy servers on this list but it doesn't seem to be effective. Adding deny rules to the VPN split tunnel rule doesn't seem to work either. Can anyone give me some tips on what I might be doing wrong?

Sorry, you are correct - I was thinking it was actually working a different way!

I would then try adding to the DMZ ACL - deny the source IP addresses assigned to the remote clients to the destination of the proxy servers, and take it a step further and block on both TCP and UDP ports, something like:

access-list Block-DMZ line 1 deny tcp w.w.w.w x.x.x.x y.y.y.y z.z.z.z

w.w.w.w = Remote VPN Client IP address

x.x.x.x = Subnet mask

y.y.y.y = Proxy server IP range

z.z.z.z = Subnet mask
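A fuller version of that ACL as an added example (not the poster's own config), assuming an ASA with a DMZ interface named DMZ, a constructed VPN pool of 10.10.10.0/24 and constructed proxy subnet 192.168.50.0/29:

```cisco
! Added example; addresses are constructed placeholders, replace with your own.
! Block VPN clients (10.10.10.0/24) reaching the proxy subnet on both TCP and UDP.
access-list Block-DMZ extended deny tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.248
access-list Block-DMZ extended deny udp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.248
! Once an explicit ACL is bound, the implicit "allow to less secure" rule is gone
! and the ACL ends with an implicit deny. Restore only what the DMZ previously
! needed; "any any" is a placeholder to narrow to the real destinations.
access-list Block-DMZ extended permit ip any any
! Bind the ACL inbound on the DMZ interface; denies must sit above the permit.
access-group Block-DMZ in interface DMZ
```

One check worth making first: if `sysopt connection permit-vpn` is in effect (the ASA default), traffic arriving through the VPN tunnel bypasses interface ACLs entirely, and a `vpn-filter` ACL in the group policy is where the deny has to live instead.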