Prevent clients bypassing proxy

Unanswered Question
Jul 13th, 2010

Hi all,


I was wondering if someone could help me out with an issue I have. At present our corporation has all internet traffic routed via our HQ, through a Cisco ASA 5510 arrangement. I need to prevent client machines (subnet / range) going directly out onto the internet; I need them to go via a proxy server. My thought was to put a deny ACL on the outbound internal interface. This would be something like deny ip [ip address] [subnet] interface outside with a permit rule for the proxy address.


Does anyone have any suggestions, or ideas as to how I could do this?


Any help would be much appreciated.


Thanks in advance.

Nagaraja Thanthry Tue, 07/13/2010 - 07:35
Cisco Employee

Hello,


Access list on the inside interface is the easiest and best way to do it. In addition, you can also control it via NAT. Here is a sample config:


! Permit only the proxy out on the web ports; <proxy-ip> stands for the proxy's inside address
access-list inside_access_out permit tcp host <proxy-ip> any eq 80
access-list inside_access_out permit tcp host <proxy-ip> any eq 443
! Every other inside host is denied direct web access
access-list inside_access_out deny tcp any any eq 80
access-list inside_access_out deny tcp any any eq 443
! All remaining traffic is allowed
access-list inside_access_out permit ip any any

access-group inside_access_out in interface inside

! Dynamic PAT to the outside interface address; only the proxy gets a NAT entry
global (outside) 1 interface
nat (inside) 1 <proxy-ip> 255.255.255.255


Make sure that except for the servers that need direct internet access, no other host has a NAT rule on the firewall. In that way, even if the hosts try to bypass the access-list rule, they will not be able to go out without the NAT rule.


Hope this helps.


Regards,


NT
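The following Python model is an added example, not part of the thread and not Cisco's code. It reproduces the answer's inside_access_out list as first-match rules and the "ACL plus NAT rule" layering the answer relies on, so you can check what each kind of flow does before typing the config into the ASA. All addresses are constructed placeholders (the thread gives none), and the model assumes, as the answer does, that an inside host cannot be forwarded outbound without a NAT entry. It also shows two things the answer's prose does not spell out: why the proxy permits must sit above the deny lines, and that a deny of tcp any any eq 80 on the inside interface also catches inside-to-DMZ web traffic.

```python
"""Model of the answer's proxy-enforcement ACL and NAT rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed sample addresses; the thread does not give real ones.
PROXY_IP = "10.0.0.10"        # hypothetical proxy server on the inside
CLIENT_IP = "10.0.1.25"       # hypothetical workstation on the inside
DMZ_WEB_IP = "192.168.50.10"  # hypothetical web server in the DMZ
INTERNET_IP = "203.0.113.5"   # documentation-range address standing in for an outside host

Flow = Tuple[str, str, str, int]  # (protocol, src, dst, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches every protocol)
    src: str              # CIDR/host pattern or "any"
    dst: str
    dport: Optional[int]  # None means any destination port


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    proto, src, dst, dport = flow
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return _addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """ASA access lists are first-match; an unmatched flow hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# The answer's inside_access_out list (proxy permitted on 80 as well as 443).
INSIDE_ACCESS_OUT: List[Rule] = [
    Rule("permit", "tcp", f"{PROXY_IP}/32", "any", 80),
    Rule("permit", "tcp", f"{PROXY_IP}/32", "any", 443),
    Rule("deny", "tcp", "any", "any", 80),
    Rule("deny", "tcp", "any", "any", 443),
    Rule("permit", "ip", "any", "any", None),
]

# Same rules with the proxy permits placed below the denies: a common mistake.
MISORDERED_ACL: List[Rule] = (
    INSIDE_ACCESS_OUT[2:4] + INSIDE_ACCESS_OUT[:2] + INSIDE_ACCESS_OUT[4:]
)

# Inside hosts that have a nat (inside) entry. Per the answer, only the proxy
# gets one, so nothing else can be translated out even if the ACL were bypassed.
NAT_HOSTS: Set[str] = {PROXY_IP}


def can_reach_internet(acl: List[Rule], nat_hosts: Set[str], flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason). Both layers must agree: the ACL must permit the
    flow AND the source must have a NAT entry (the answer's assumption)."""
    if evaluate(acl, flow) != "permit":
        return False, "denied by access-list"
    if flow[1] not in nat_hosts:
        return False, "no nat rule for source"
    return True, "forwarded"


if __name__ == "__main__":
    samples = [
        ("tcp", PROXY_IP, INTERNET_IP, 443),   # proxy to the internet: allowed
        ("tcp", CLIENT_IP, INTERNET_IP, 80),   # client bypassing the proxy: ACL deny
        ("tcp", CLIENT_IP, INTERNET_IP, 22),   # ACL permits, but no NAT entry
        ("udp", CLIENT_IP, INTERNET_IP, 53),   # ACL permits via permit ip any any
        ("tcp", CLIENT_IP, DMZ_WEB_IP, 80),    # caveat: any/any deny also hits DMZ web
    ]
    for f in samples:
        print(f, "acl:", evaluate(INSIDE_ACCESS_OUT, f),
              "outbound:", can_reach_internet(INSIDE_ACCESS_OUT, NAT_HOSTS, f))
    print("proxy with misordered ACL:", evaluate(MISORDERED_ACL, samples[0]))
```

The last sample is the caveat to keep in mind for the DMZ follow-up question: because the deny lines are any/any and the ACL is applied to everything entering the inside interface, a workstation reaching a DMZ web server on port 80 is denied too. If that is not wanted, a more specific permit for the DMZ subnet placed above the deny lines, or a deny scoped to outside destinations only, is needed. The misordered variant shows the proxy itself being denied on 443, which is why the proxy permits must precede the denies.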

chriwall01 Tue, 07/13/2010 - 07:45

Hi NT,


Thanks for the quick reply. I'll give it a go and let you know.


One afterthought though: would I specifically need to allow the internal IPs access to the DMZ?


Once again, thanks!
