12-26-2008 09:27 AM - edited 03-11-2019 07:29 AM
Hi all,
We want to completely block access to our proxy server for clients that are connected to the VPN. Simply modifying the proxy settings may not be completely effective based on our testing.
Currently our setup is as follows -
Users VPN into DMZ. DMZ has 2 implicit rules. Rule 1 - allow all IP to any less secure network. Rule 2 - deny any/any.
I've attempted to add Deny rules to our proxy servers on this list but it doesn't seem to be effective. Adding deny rules to the VPN split tunnel rule doesn't seem to work either. Can anyone give me some tips on what I might be doing wrong?
12-26-2008 09:40 AM
I would think about writing an ACL that blocks the source of the remote VPN clients "outbound" - going out onto the DMZ LAN towards the proxy servers.
HTH
12-26-2008 09:43 AM
If I'm not mistaken, wouldn't the traffic never hit the outbound interface?
DMZ -> Inside -> Proxy server
Proxy Server -> Inside -> DMZ
Or am I mistaken?
12-26-2008 10:03 AM
Sorry you are correct - I was thinking it was actually working a different way!
I would then try adding to the DMZ ACL - to deny the source IP addresses assigned to the remote clients to the destination of the proxy servers, and take it a step further and block on both TCP and UDP ports, something like:
access-list Block-DMZ line 1 deny tcp w.w.w.w x.x.x.x y.y.y.y z.z.z.z
w.w.w.w = Remote VPN Client IP address
x.x.x.x = Subnet mask
y.y.y.y = Proxy server IP range
z.z.z.z = Subnet mask
HTH
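An added example, not from either poster, of what the suggested ACL could look like on an ASA with constructed placeholder addresses: it assumes the VPN client pool is 10.10.10.0/24, the proxy servers sit in 192.168.50.0/24, and the DMZ interface is named DMZ. Once an explicit ACL is bound to the DMZ interface, the implicit "allow to less secure network" rule no longer applies, so the trailing permit is needed to keep the rest of the VPN traffic working.

```text
! Deny VPN clients (10.10.10.0/24) reaching the proxy range (192.168.50.0/24)
! on both TCP and UDP; "log" records each hit so blocked attempts show up in syslog
access-list Block-DMZ extended deny tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0 log
access-list Block-DMZ extended deny udp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0 log
! Re-create the original "allow all IP to any less secure network" behaviour,
! since binding this ACL replaces the interface's implicit permit
access-list Block-DMZ extended permit ip any any
! Apply inbound on the DMZ interface, where VPN client traffic enters the firewall
access-group Block-DMZ in interface DMZ
! Verify: hit counts on the deny lines should increase when a VPN client tries the proxy
show access-list Block-DMZ
```

The hit counters shown by `show access-list` are the quickest way to confirm the deny lines are actually matching the VPN client source addresses rather than being bypassed.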