Prevent clients bypassing proxy

Unanswered Question
Jul 13th, 2010

Hi all,

I was wondering if someone could help me out with an issue I have.  At present our corporation has all internet traffic routed via our HQ, through a Cisco ASA 5510 arrangement.  I need to prevent client machines (subnet / range) going directly out onto the internet; I need them to go via a proxy server.  My thought was to put a deny ACL on the outbound internal interface.  This would be something like deny ip [ip address] [subnet] interface outside, with a permit rule for the proxy address.

Does anyone have any suggestions, or ideas as to how I could do this?

Any help would be much appreciated.

Thanks in advance.

Nagaraja Thanthry Tue, 07/13/2010 - 07:35
User Badges: Cisco Employee


An access list on the inside interface is the easiest and best way to do it. In addition, you can also control it via NAT. Here is a sample config:

(replace <proxy-ip> with the address of your proxy server; the original reply did not give it)

access-list inside_access_out permit tcp host <proxy-ip> any eq 80
access-list inside_access_out permit tcp host <proxy-ip> any eq 443
access-list inside_access_out deny tcp any any eq 80
access-list inside_access_out deny tcp any any eq 443
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
global (outside) 1 interface
nat (inside) 1 <proxy-ip> 255.255.255.255

Make sure that except for the servers that need direct internet access, no other host has a NAT rule on the firewall. In that way, even if the hosts try to bypass the access-list rule, they will not be able to go out without the NAT rule.

Hope this helps.
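As an added illustration (not part of the reply above), the following Python model shows how the ASA evaluates the suggested inside access list first-match, and why the NAT rule acts as a second gate: a client that is permitted by the "permit ip any any" line for non-web traffic still cannot leave without a NAT entry. The proxy address 10.1.1.10 and client 10.1.0.5 are constructed values.

```python
from ipaddress import ip_address

# Constructed addresses; the thread does not give the real ones.
PROXY = ip_address("10.1.1.10")

# The inside ACL from the reply, in order. Entries are
# (source, protocol, destination port, action); "any" matches everything.
INSIDE_ACL = [
    (PROXY, "tcp", 443, "permit"),
    (PROXY, "tcp", 80, "permit"),
    ("any", "tcp", 80, "deny"),
    ("any", "tcp", 443, "deny"),
    ("any", "ip", "any", "permit"),
]

# Hosts covered by a "nat (inside)" statement: only the proxy, as advised.
NAT_HOSTS = {PROXY}


def acl_action(src, proto, dport):
    """Return the action of the first matching ACL entry (ASA first-match);
    an implicit deny applies when nothing matches."""
    src = ip_address(src)
    for a_src, a_proto, a_port, action in INSIDE_ACL:
        if a_src != "any" and a_src != src:
            continue
        if a_proto != "ip" and a_proto != proto:
            continue
        if a_port != "any" and a_port != dport:
            continue
        return action
    return "deny"


def can_reach_internet(src, proto, dport, nat_hosts=NAT_HOSTS):
    """A flow leaves the firewall only if the ACL permits it AND the source
    has a NAT rule; either control alone is not enough."""
    return acl_action(src, proto, dport) == "permit" and ip_address(src) in nat_hosts


if __name__ == "__main__":
    for host, port in (("10.1.0.5", 80), ("10.1.0.5", 22), ("10.1.1.10", 80)):
        print(host, port, acl_action(host, "tcp", port),
              "egress" if can_reach_internet(host, "tcp", port) else "blocked")
```

Granting the client a NAT entry (for example with a catch-all "nat (inside) 1 0 0") would let its non-web traffic out again, which is exactly what the reply warns against.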



chriwall01 Tue, 07/13/2010 - 07:45

Hi NT,

Thanks for the quick reply.  I'll give it a go and let you know.

One afterthought though: would I specifically need to allow the internal IPs access to the DMZ?

Once again, thanks!

