how to configure

Unanswered Question
Jun 14th, 2010

how to configure the below mentioned ports for the mentioned IPs of webroot proxy on the PIX firewall, so that all inside host should have their browser to use the proxy server, and get to browse the internet after authentication. They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.

Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255  and

Open TCP ports: 3128 and 8080 to the following IP’s and IP Ranges 194.116.198.0 - 194.116.198.255  and 79.125.8.156.

Thanks in advance for your help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tuhinbhowmick Mon, 06/14/2010 - 06:26

hi Andrew,

Please find below the configuratin that we have made(all the IPs and ports as requested).....

access-list 102 extended permit tcp any 194.116.198.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 194.116.198.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 203.100.58.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 203.100.58.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq https
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq www
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq https
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq www
access-list 102 extended permit tcp any host 175.41.133.17 eq 3128
access-list 102 extended permit tcp any host 175.41.133.17 eq 8080
access-list 102 extended permit tcp any host 79.125.8.156 eq 3128
access-list 102 extended permit tcp any host 79.125.8.156 eq 8080
access-list 102 extended permit tcp any host 79.125.21.75 eq 3128
access-list 102 extended permit tcp any host 79.125.21.75 eq 8080
access-list 102 extended permit tcp any host 79.125.21.76 eq 3128
access-list 102 extended permit tcp any host 79.125.21.76 eq 8080
access-list 102 extended permit tcp any host 79.125.21.78 eq 3128
access-list 102 extended permit tcp any host 79.125.21.78 eq 8080
access-list 102 extended permit tcp any host 79.125.21.79 eq 3128
access-list 102 extended permit tcp any host 79.125.21.79 eq 8080
access-list 102 extended permit tcp any host 174.129.28.79 eq 3128
access-list 102 extended permit tcp any host 174.129.28.79 eq 8080
access-list 102 extended permit tcp any host 174.129.209.130 eq 3128
access-list 102 extended permit tcp any host 174.129.209.130 eq 8080
access-list 102 extended permit tcp any host 174.129.209.149 eq 3128
access-list 102 extended permit tcp any host 174.129.209.149 eq 8080
access-list 102 extended permit tcp any host 174.129.243.180 eq 3128
access-list 102 extended permit tcp any host 174.129.243.180 eq 8080

access-group 102 in interface inside

we havn't applied any deny rule......bcoz PIX ACL has an implicit "deny all" at the end of the ACL

so waiting for your suggestion......

You configured ACL will allow ALL inside hosts access to the IP address using the TCP port numbers.  You stated in the description of this question:-

"All inside host should have their browser to use the proxy server, and get to browse the internet after authentication"

And

"They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied"

Your access list does not do any of the above.

What are your actual requirements?

tuhinbhowmick Mon, 06/14/2010 - 07:11

All inside host should have their browser to use the proxy server, and get to browse the internet after authentication"

And

"They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied"......

Yes this is my exact requirement...........

so what i suppoed to do then......please suggest..........

What you need to do is:-

1) Allow the Proxy Server IP address access to the internet

2) Deny inside hosts access to the internet

lets say you proxy server IP address is 192.168.1.1

access-list acl-inside permit ip host 192.168.1.1 any

access-list acl-inside deny ip any any log

!

access-group acl-inside in interface inside

The above will allow Proxy server 192.168.1.1 UNLIMITED access to the internet

and DENY ALL OTHER IP addresses.

tuhinbhowmick Mon, 06/14/2010 - 07:35

thanks for your guidance Andrew.....

We have received the below requirement.

Configured your network to use the Managed Web Filtering Service, you should lock down

your firewall to prevent your users from bypassing the Web Filtering Service and connecting directly to the internet.

Open TCP ports: 80, 443, 3128,

8080 to the following range

[and 389 if you intend to use

LDAP lookups]

208.87.136.0 - 208.87.136.255 and 208.87.137.0 - 208.87.137.255

Open TCP ports:

3128 and 8080 to the following

IP’s and IP Ranges

194.116.198.0 - 194.116.198.255 , 203.100.58.0 - 203.100.58.255 , 174.129.243.180 , 79.125.21.75 , 79.125.8.156

So, please let us know whether our understanding is correct or not ? If yes... then we are going to apply the ACL you have just mentioned....

Ahh OK - now I understand I was under the impression the proxy server was on the LAN.  Now I understand the proxy server is WEB based

and on the internet.  OK - I would configure the below, it's cleaner for me at least.:-

object-group network WebProxyServers
network-object 194.116.198.0 255.255.255.0
network-object 203.100.58.0 255.255.255.0
network-object 208.87.136.0 255.255.255.0
network-object 208.87.137.0 255.255.255.0
network-object host 174.129.143.180

network-object host 79.125.21.75
network-object host 79.125.8.156

object-group service WebProxy tcp
port-object eq 80
port-object eq 389
port-object eq 443
port-object eq 3128
port-object eq 8080

access-list Web_Proxy extended permit tcp any object-group WebProxyServers object-group WebProxy

access-group Web_Proxy in interface inside

tuhinbhowmick Mon, 06/14/2010 - 08:09

it is good for me as well that atlast i am able to give you the exact scenarion infront of you......thanks for your support.

Actions

This Discussion