
Internet Traffic Change.

ilnaiduccna
Level 1

Hi Experts,

We have a network 10.xx.xx.xx, and the core router for this network is (10.xx.xx.xx). Users in this network still access the internet through ISA (10.*.*.*), but some of them with laptops and workstations can bypass that just by going to Internet Explorer Internet Settings / Proxy settings.

I would like all requests to the Internet to go through ISA (10.*.*.*). Can somebody help me in this regard?

Regards,

Naidu.

6 Replies

Edison Ortiz
Hall of Fame

Naidu,

You can deploy workstation policies that lock the ability to change the workstation proxy settings.

On the network side, you can block internet traffic for everyone while just allowing the ISA.

__

Edison.

Hi Edisonm,

Thanks for your reply.

"On the network side, you can block internet traffic for everyone while just allowing the ISA." Can you give me a sample configuration? You can find the core router and ISA IPs in my post.

Can you use these IPs in your example?

Regards,

Naidu.

Hello,

Do you have an edge firewall or router with an ACL? You want to apply a firewall or ACL policy at the edge device to only allow HTTP traffic from the ISA.

In IOS you'd then apply an ACL something like this:

access-list 101 permit tcp host A.B.C.D any eq 80
interface fa0/0
 description inside interface
 ip access-group 101 in

Where A.B.C.D = ISA server IP. However, if an ACL doesn't exist already, then you're going to get a lot of problems when you apply this. You also need to consider DNS, SMTP, NTP, etc. In that case you could try something like this:

access-list 101 permit tcp host A.B.C.D any eq 80
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
interface fa0/0
 description inside interface
 ip access-group 101 in
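As an added illustration (not part of the original posts and not Cisco code), this Python sketch evaluates the two ACLs from the reply above using first-match ordering and the implicit deny that ends every IOS access list, over constructed packets. The addresses 192.0.2.10 and 192.0.2.50 are assumed stand-ins for A.B.C.D and an internal client.

```python
from typing import NamedTuple, Optional

ISA = "192.0.2.10"          # constructed stand-in for A.B.C.D (the ISA server)
WORKSTATION = "192.0.2.50"  # constructed stand-in for an internal client

# The two ACLs from the reply, with A.B.C.D replaced by the stand-in address.
ACL_FIRST = f"access-list 101 permit tcp host {ISA} any eq 80"
ACL_SECOND = f"""access-list 101 permit tcp host {ISA} any eq 80
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any"""

class Packet(NamedTuple):
    proto: str             # "tcp" or "udp"
    src: str
    dport: Optional[int]

def parse(acl_text):
    """Parse only the extended-ACL subset used in the thread (destination is always 'any')."""
    rules = []
    for line in acl_text.splitlines():
        action, proto, *rest = line.split()[2:]   # drop "access-list 101"
        src, rest = (rest[1], rest[2:]) if rest[0] == "host" else (None, rest[1:])
        rest = rest[1:]                            # skip destination "any"
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, port))
    return rules

def evaluate(acl_text, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, proto, src, port in parse(acl_text):
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src)
                and port in (None, pkt.dport)):
            return action
    return "deny"

SAMPLES = {   # constructed packets arriving on the inside interface
    "ISA HTTP": Packet("tcp", ISA, 80),
    "client HTTP": Packet("tcp", WORKSTATION, 80),
    "client DNS": Packet("udp", WORKSTATION, 53),
    "client HTTPS": Packet("tcp", WORKSTATION, 443),
}

def compare():
    """Return {sample name: (verdict under first ACL, verdict under second ACL)}."""
    return {n: (evaluate(ACL_FIRST, p), evaluate(ACL_SECOND, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (first, second) in compare().items():
        print(f"{name:13} first={first:6} second={second}")
```

The output shows the single-line ACL dropping client DNS along with everything else, and the three-line ACL restricting only TCP port 80: client traffic on other ports, such as HTTPS on 443, still passes through `permit ip any any`.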

Hi James,

As you said, access-list 101 should already exist on the router or else it will give problems, is that right?

If there is no access-list like that, can we create something?

Regards,

Naidu.

Hello,

OK, the question is what do you currently use to protect your internal clients from the internet?

Do you have a firewall? Are you using an ACL on a router?

Regards

Hi James,

We have a firewall to protect our internal clients from the internet.

Regards,

Naidu.
