06-14-2010 03:25 AM - edited 03-11-2019 10:59 AM
How do I configure the below-mentioned ports for the mentioned IPs of the Webroot proxy on the PIX firewall, so that all inside hosts have their browsers use the proxy server and get to browse the internet after authentication? They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.
Open TCP ports: 80, 443, 3128, 8080 to the following ranges: 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255, and
Open TCP ports: 3128 and 8080 to the following IPs and IP ranges: 194.116.198.0 - 194.116.198.255 and 79.125.8.156.
Thanks in advance for your help.
06-14-2010 05:13 AM
Tuhin,
access-list acl-inside permit ip host <
access-list acl-inside deny ip any any log
access-group acl-inside in interface inside
The above allows ALL traffic from the Proxy Server ONLY to go to the internet. All other hosts will be dropped.
HTH
06-14-2010 06:26 AM
hi Andrew,
Please find below the configuration that we have made (all the IPs and ports as requested).
access-list 102 extended permit tcp any 194.116.198.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 194.116.198.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 203.100.58.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 203.100.58.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq https
access-list 102 extended permit tcp any 208.87.136.0 255.255.255.0 eq www
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq https
access-list 102 extended permit tcp any 208.87.137.0 255.255.255.0 eq www
access-list 102 extended permit tcp any host 175.41.133.17 eq 3128
access-list 102 extended permit tcp any host 175.41.133.17 eq 8080
access-list 102 extended permit tcp any host 79.125.8.156 eq 3128
access-list 102 extended permit tcp any host 79.125.8.156 eq 8080
access-list 102 extended permit tcp any host 79.125.21.75 eq 3128
access-list 102 extended permit tcp any host 79.125.21.75 eq 8080
access-list 102 extended permit tcp any host 79.125.21.76 eq 3128
access-list 102 extended permit tcp any host 79.125.21.76 eq 8080
access-list 102 extended permit tcp any host 79.125.21.78 eq 3128
access-list 102 extended permit tcp any host 79.125.21.78 eq 8080
access-list 102 extended permit tcp any host 79.125.21.79 eq 3128
access-list 102 extended permit tcp any host 79.125.21.79 eq 8080
access-list 102 extended permit tcp any host 174.129.28.79 eq 3128
access-list 102 extended permit tcp any host 174.129.28.79 eq 8080
access-list 102 extended permit tcp any host 174.129.209.130 eq 3128
access-list 102 extended permit tcp any host 174.129.209.130 eq 8080
access-list 102 extended permit tcp any host 174.129.209.149 eq 3128
access-list 102 extended permit tcp any host 174.129.209.149 eq 8080
access-list 102 extended permit tcp any host 174.129.243.180 eq 3128
access-list 102 extended permit tcp any host 174.129.243.180 eq 8080
access-group 102 in interface inside
We haven't applied any deny rule, because the PIX ACL has an implicit "deny all" at the end of the ACL.
So, waiting for your suggestion.
06-14-2010 06:55 AM
Your configured ACL will allow ALL inside hosts access to the IP addresses using the TCP port numbers. You stated in the description of this question:-
"All inside host should have their browser to use the proxy server, and get to browse the internet after authentication"
And
"They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied"
Your access list does not do any of the above.
What are your actual requirements?
06-14-2010 07:11 AM
"All inside host should have their browser to use the proxy server, and get to browse the internet after authentication"
And
"They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied"
Yes, this is my exact requirement.
So what am I supposed to do then? Please suggest.
06-14-2010 07:22 AM
What you need to do is:-
1) Allow the Proxy Server IP address access to the internet
2) Deny inside hosts access to the internet
Let's say your proxy server IP address is 192.168.1.1
access-list acl-inside permit ip host 192.168.1.1 any
access-list acl-inside deny ip any any log
!
access-group acl-inside in interface inside
The above will allow Proxy server 192.168.1.1 UNLIMITED access to the internet
and DENY ALL OTHER IP addresses.
06-14-2010 07:35 AM
Thanks for your guidance Andrew.
We have received the below requirement.
Having configured your network to use the Managed Web Filtering Service, you should lock down your firewall to prevent your users from bypassing the Web Filtering Service and connecting directly to the internet.
Open TCP ports: 80, 443, 3128, 8080 [and 389 if you intend to use LDAP lookups] to the following ranges:
208.87.136.0 - 208.87.136.255 and 208.87.137.0 - 208.87.137.255
Open TCP ports: 3128 and 8080 to the following IPs and IP ranges:
194.116.198.0 - 194.116.198.255, 203.100.58.0 - 203.100.58.255, 174.129.243.180, 79.125.21.75, 79.125.8.156
So, please let us know whether our understanding is correct or not. If yes, then we are going to apply the ACL you have just mentioned.
06-14-2010 07:52 AM
Ahh OK - now I understand. I was under the impression the proxy server was on the LAN. Now I understand the proxy server is web based
and on the internet. OK - I would configure the below; it's cleaner for me at least:-
object-group network WebProxyServers
network-object 194.116.198.0 255.255.255.0
network-object 203.100.58.0 255.255.255.0
network-object 208.87.136.0 255.255.255.0
network-object 208.87.137.0 255.255.255.0
network-object host 174.129.243.180
network-object host 79.125.21.75
network-object host 79.125.8.156
object-group service WebProxy tcp
port-object eq 80
port-object eq 389
port-object eq 443
port-object eq 3128
port-object eq 8080
access-list Web_Proxy extended permit tcp any object-group WebProxyServers object-group WebProxy
access-group Web_Proxy in interface inside
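As an added illustration (not part of the thread and not Cisco code), the Python script below models the requirement quoted above and the object-group ACL Web_Proxy as first-match lists ending in the PIX implicit deny, then checks sample flows from an inside host. It confirms that HTTP straight to the internet is dropped by both, and also shows that folding every proxy address into one object-group grants 80/443/389 to the addresses the requirement limited to 3128/8080. The sample flows and the 198.51.100.7 destination are constructed.

```python
import ipaddress

def ace(action, dst, ports=None, proto="tcp"):
    """One access-list entry with source 'any': destination network plus optional destination ports."""
    return (action, proto, ipaddress.ip_network(dst), frozenset(ports) if ports else None)

def evaluate(acl, proto, dst_ip, dst_port):
    """First-match evaluation, ending in the PIX/ASA implicit 'deny ip any any'."""
    dst = ipaddress.ip_address(dst_ip)
    for action, aproto, net, ports in acl:
        if aproto in (proto, "ip") and dst in net and (ports is None or dst_port in ports):
            return action
    return "deny"

# Requirement as quoted in the thread: the full port set (389 included for LDAP lookups)
# only to the two 208.87.13x.0/24 ranges, proxy ports 3128/8080 only to everything else.
FULL_PORTS = (80, 443, 389, 3128, 8080)
PROXY_PORTS = (3128, 8080)
FILTER_RANGES = ("208.87.136.0/24", "208.87.137.0/24")
OTHER_PROXIES = ("194.116.198.0/24", "203.100.58.0/24", "174.129.243.180/32",
                 "79.125.21.75/32", "79.125.8.156/32")
ACL_REQUIREMENT = ([ace("permit", d, FULL_PORTS) for d in FILTER_RANGES]
                   + [ace("permit", d, PROXY_PORTS) for d in OTHER_PROXIES])

# Object-group ACL Web_Proxy: the PIX expands 'object-group WebProxyServers' x
# 'object-group WebProxy', so every listed address receives every listed port.
ACL_WEB_PROXY = [ace("permit", d, FULL_PORTS) for d in FILTER_RANGES + OTHER_PROXIES]

def compare(flows):
    """Flows on which the two ACLs disagree, as (dst, port, requirement_verdict, web_proxy_verdict)."""
    diffs = []
    for dst, port in flows:
        want = evaluate(ACL_REQUIREMENT, "tcp", dst, port)
        got = evaluate(ACL_WEB_PROXY, "tcp", dst, port)
        if want != got:
            diffs.append((dst, port, want, got))
    return diffs

# Constructed sample flows from an inside host; 198.51.100.7 is a documentation address.
SAMPLE_FLOWS = [
    ("208.87.136.20", 80),     # HTTP to the filtering range: both permit
    ("198.51.100.7", 80),      # HTTP straight to the internet: both deny
    ("194.116.198.10", 3128),  # proxy port to the second range: both permit
    ("194.116.198.10", 443),   # HTTPS to the second range: requirement denies, Web_Proxy permits
    ("79.125.8.156", 389),     # LDAP port to a single host: requirement denies, Web_Proxy permits
]
if __name__ == "__main__":
    for dst, port, want, got in compare(SAMPLE_FLOWS):
        print(f"{dst}:{port} requirement={want} Web_Proxy={got}")
```

If the tighter behaviour is wanted, a second object-group service holding only 3128 and 8080, applied in a separate access-list line for the non-208.87 addresses, reproduces the requirement exactly.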
06-14-2010 08:09 AM
It is good for me as well that at last I am able to put the exact scenario in front of you. Thanks for your support.