Deny rule from DMZ to Inside not working?

gallwapa
Level 1

Hi all,

We want to completely block access to our proxy server for clients that are connected to the VPN. Simply modifying the proxy settings may not be completely effective based on our testing.

Currently our setup is as follows:

Users VPN into the DMZ. The DMZ has 2 implicit rules. Rule 1 - allow all ip to any less secure network. Rule 2 - deny any/any.

I've attempted to add Deny rules to our proxy servers on this list but it doesn't seem to be effective. Adding deny rules to the VPN split tunnel rule doesn't seem to work either. Can anyone give me some tips on what I might be doing wrong?

3 Replies

andrew.prince
Level 10

I would think about writing an ACL that blocks the source of the remote VPN clients "outbound" - going out onto the DMZ LAN towards the proxy servers.

HTH>

If I'm not mistaken, wouldn't the traffic never hit the outbound interface?

DMZ -> Inside -> Proxy server

Proxy Server -> Inside -> DMZ

Or am I mistaken?

Sorry you are correct - I was thinking it was actually working a different way!

I would then try adding to the DMZ ACL - to deny the source IP addresses assigned to the remote clients to the destination of the proxy servers, and take it a step further and block on both TCP and UDP ports, something like:

access-list Block-DMZ line 1 deny tcp w.w.w.w x.x.x.x y.y.y.y z.z.z.z

w.w.w.w = Remote VPN Client IP address

x.x.x.x = Subnet mask

y.y.y.y = Proxy server IP range

z.z.z.z = Subnet mask

HTH>
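A worked version of the ACL suggested above, added here as an example and not taken from the thread: it assumes the firewall is a Cisco ASA (the access-list syntax in the reply), an assumed VPN pool of 10.200.0.0/24, assumed proxy servers 10.10.5.10 and 10.10.5.11, a DMZ interface named DMZ and a group policy named REMOTE-VPN. The deny entries are placed before the permit because the ASA matches top-down, and an explicit permit replaces the implicit "allow to less secure networks" once an ACL is bound to the interface.

```cisco
! Constructed example - all addresses and names below are assumptions.
!   VPN client pool : 10.200.0.0/24          (w.w.w.w x.x.x.x in the reply)
!   Proxy servers   : 10.10.5.10, 10.10.5.11  (y.y.y.y z.z.z.z in the reply)
object-group network VPN-CLIENTS
 network-object 10.200.0.0 255.255.255.0
object-group network PROXY-SERVERS
 network-object host 10.10.5.10
 network-object host 10.10.5.11
!
! Deny entries first: the ACL is evaluated top-down, first match wins,
! so a deny placed after a broad permit is never reached.
access-list Block-DMZ line 1 remark Block remote VPN clients from the proxy servers
access-list Block-DMZ line 2 extended deny tcp object-group VPN-CLIENTS object-group PROXY-SERVERS
access-list Block-DMZ line 3 extended deny udp object-group VPN-CLIENTS object-group PROXY-SERVERS
! Binding an ACL to the interface removes the implicit "allow to any less
! secure network" rule, so everything else must be permitted explicitly.
access-list Block-DMZ line 4 extended permit ip any any
!
access-group Block-DMZ in interface DMZ
!
! Caveat (assumes the VPN terminates on the ASA itself): with
! "sysopt connection permit-vpn" left at its default, decrypted VPN traffic
! bypasses interface ACLs entirely, which would make Block-DMZ appear not
! to work. In that case apply the same deny as a vpn-filter; vpn-filter
! ACEs are written with the VPN client as the source.
access-list VPN-FILTER extended deny tcp object-group VPN-CLIENTS object-group PROXY-SERVERS
access-list VPN-FILTER extended deny udp object-group VPN-CLIENTS object-group PROXY-SERVERS
access-list VPN-FILTER extended permit ip any any
group-policy REMOTE-VPN attributes
 vpn-filter value VPN-FILTER
!
! Verify after a VPN client tries to reach the proxy: the hit count on the
! deny entries should increase.
! show access-list Block-DMZ
! show access-list VPN-FILTER
```

If the hit counts on Block-DMZ stay at zero while the client still reaches the proxy, the traffic is not traversing that interface ACL and the vpn-filter path is the one to check.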
