Internet Traffic Change.

Unanswered Question
Feb 16th, 2009

Hi Experts,

We have a network 10.xx.xx.xx and the core router for this network is (10.xx.xx.xx). Users in this network still access the internet through ISA (10.*.*.*), but some of them with laptops and workstations can bypass that just by going to Internet Explorer Internet Settings / Proxy settings.

Here I would like to have all requests to the Internet go through ISA (10.*.*.*). Can somebody help me in this regard?

Regards,

Naidu.

Edison Ortiz Mon, 02/16/2009 - 06:47

Naidu,

You can deploy workstation policies that lock the ability to change the workstation proxy settings.

On the network side, you can block internet traffic for everyone while just allowing the ISA.

__

Edison.

ilnaiduccna Tue, 02/17/2009 - 00:08

Hi Edisonm,

Thanks for your reply.

"On the network side, you can block internet traffic for everyone while just allowing the ISA." Can you give me a sample configuration? You can find the Core router & ISA IPs in my post.

Can you use these IPs in your example?

Regards,

Naidu.

JamesLuther Tue, 02/17/2009 - 00:49

Hello,

Do you have an edge firewall or router with an ACL? You want to apply a firewall or ACL policy at the edge device to only allow http traffic from the ISA.

In IOS you'd then apply an ACL something like this:

access-list 101 permit tcp host A.B.C.D any eq 80
interface fa0/0
 description inside interface
 ip access-group 101 in

Where A.B.C.D = ISA server IP. However, if an ACL doesn't exist already then you're going to get a lot of problems when you apply this. You also need to consider DNS, SMTP, NTP etc. In that case you could try something like this:

access-list 101 permit tcp host A.B.C.D any eq 80
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
interface fa0/0
 description inside interface
 ip access-group 101 in
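
Added example, not part of James's post: a small first-match evaluator in Python that runs the two ACLs above against sample flows, showing why the one-line ACL breaks DNS, SMTP and NTP (the implicit deny at the end of every IOS ACL) and what the three-line version lets through. The address 10.0.0.10 standing in for A.B.C.D, the client address and the flow list are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

ISA = "10.0.0.10"  # constructed stand-in for A.B.C.D (the ISA server)

# Each entry: (action, protocol, source network, destination port or None = any)
ACL_STRICT = [
    ("permit", "tcp", f"{ISA}/32", 80),
]
ACL_RELAXED = [
    ("permit", "tcp", f"{ISA}/32", 80),
    ("deny", "tcp", "0.0.0.0/0", 80),
    ("permit", "ip", "0.0.0.0/0", None),
]

def evaluate(acl, proto, src, dport):
    """First match wins; index None means the implicit deny at the end."""
    for i, (action, a_proto, a_src, a_port) in enumerate(acl):
        if a_proto != "ip" and a_proto != proto:
            continue  # "ip" matches every protocol, otherwise must be equal
        if ip_address(src) not in ip_network(a_src):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, i
    return "deny", None

# Constructed sample flows arriving on the inside interface
FLOWS = [
    ("ISA proxy HTTP", "tcp", ISA, 80),
    ("client direct HTTP", "tcp", "10.0.0.50", 80),
    ("client DNS", "udp", "10.0.0.50", 53),
    ("client SMTP", "tcp", "10.0.0.50", 25),
    ("client NTP", "udp", "10.0.0.50", 123),
    ("client direct HTTPS", "tcp", "10.0.0.50", 443),
]

def report(acl):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, proto, src, dport)[0]
            for name, proto, src, dport in FLOWS}

if __name__ == "__main__":
    for label, acl in (("one-line ACL", ACL_STRICT), ("three-line ACL", ACL_RELAXED)):
        print(label)
        for name, action in report(acl).items():
            print(f"  {name:22} {action}")
```

The three-line ACL denies only tcp/80 from non-ISA sources, so the sample direct HTTPS flow on tcp/443 is still permitted by the final permit ip any any.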

ilnaiduccna Tue, 02/17/2009 - 02:56

Hi James,

As you said, access-list 101 should already exist in the router or else it will give problems, is that right?

If there is no access-list like that, can we create something?

Regards,

Naidu.

JamesLuther Tue, 02/17/2009 - 03:33

Hello,

OK, the question is what do you currently use to protect your internal clients from the internet?

Do you have a firewall? Are you using an ACL on a router?

Regards

ilnaiduccna Tue, 02/17/2009 - 23:16

Hi James,

We have a firewall to protect our internal clients from the internet.

Regards,

Naidu.
