08-14-2010 04:15 AM - edited 03-04-2019 09:25 AM
Dear all, I have some doubts.
I have two ISPs connected to a core switch, and on the core switch I connected a Bluecoat for proxy. And I have 8 VLANs.
The issue is that I need to block internet without proxy; if anyone wants to access the internet it should go through the Bluecoat.
Things I have: VLAN 2 is the Bluecoat.
VLAN 1 is the management VLAN.
Other VLANs are users, servers and guest.
And I have BVI interfaces in the router; I am using two BVI interfaces.
I have done a route map like this:
ip access-list extended NO_PROXY
 permit tcp any any eq www
 permit tcp any any eq 443
!
route-map LOCAL_ACCESS permit 10
 match ip address NO_PROXY
 ! next hop is the Bluecoat IP
 set ip next-hop 192.168.1.10
!
! assigned on the local interface
interface BVI1
 ip policy route-map LOCAL_ACCESS
Can you help me block internet traffic so that it has to go through the proxy only?
regards,
08-14-2010 06:34 AM
Hello,
you need to apply the PBR rule on each client VLAN (and server VLAN if desired/needed), as PBR works only on traffic received by the device.
By doing so, instead of blocking attempts to go directly to the internet you are redirecting traffic to the proxy.
Also, users might be configured to use a DNS server that replies to each DNS request for internet servers with the proxy IP address.
A different tool you can use is WCCP, but it would need to be configured also on the web cache/proxy.
Hope to help
Giuseppe
08-14-2010 07:51 AM
No, I am not using WCCP. I am using an explicit proxy. So how can I do it?
08-14-2010 11:19 AM
Hello mr ....,
If you really want to block traffic directed to a web or HTTPS server when the destination IP address != proxy IP address, you can simply use extended ACLs applied inbound on each L3 interface facing clients:
access-list 111 permit tcp any host proxy-ip eq 80
access-list 111 deny tcp any any eq 80
access-list 111 permit tcp any host proxy-ip eq 443
access-list 111 deny tcp any any eq 443
access-list 111 permit ip any any
int Vlan X
ip access-group 111 in
Do it on all client-facing L3 interfaces.
Hope to help
Giuseppe
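As an added illustration (not from the thread or from Cisco), here is a small Python model of the first-match evaluation IOS applies to access-list 111 above, run over constructed sample flows from a user VLAN; it assumes the Bluecoat address 192.168.1.10 from the question stands in for "proxy-ip".

```python
# Added example (not from the thread): a minimal model of IOS extended-ACL
# first-match evaluation, used to check what access-list 111 does to sample flows.
from typing import Optional, NamedTuple

PROXY_IP = "192.168.1.10"  # assumption: the Bluecoat address stands in for "proxy-ip"

class Entry(NamedTuple):
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" ("ip" matches any protocol)
    dst_host: Optional[str]   # specific destination host, or None for "any"
    dst_port: Optional[int]   # destination port for "eq", or None for no port check

# access-list 111 exactly as posted in the answer, with proxy-ip filled in
ACL_111 = [
    Entry("permit", "tcp", PROXY_IP, 80),
    Entry("deny",   "tcp", None,     80),
    Entry("permit", "tcp", PROXY_IP, 443),
    Entry("deny",   "tcp", None,     443),
    Entry("permit", "ip",  None,     None),
]

def evaluate(acl, proto, dst_ip, dst_port):
    """Return (action, line) of the first matching entry; line 0 is the
    implicit deny that ends every IOS ACL when nothing matched."""
    for line, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dst_host is not None and e.dst_host != dst_ip:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, line
    return "deny", 0

# Constructed sample flows as seen inbound on a user VLAN interface
SAMPLE_FLOWS = [
    ("tcp", PROXY_IP, 80),          # browser -> explicit proxy over HTTP
    ("tcp", PROXY_IP, 443),         # browser -> explicit proxy over HTTPS
    ("tcp", "203.0.113.10", 80),    # direct to an internet web server
    ("tcp", "203.0.113.10", 443),   # direct HTTPS, bypassing the proxy
    ("udp", "10.0.1.53", 53),       # DNS is untouched by lines 1-4
    ("tcp", PROXY_IP, 8080),        # any other port on the proxy reaches line 5
]

def report(acl=ACL_111, flows=SAMPLE_FLOWS):
    """Map each flow to the (action, line) that access-list 111 applies to it."""
    return {flow: evaluate(acl, *flow) for flow in flows}

if __name__ == "__main__":
    for (proto, ip, port), (action, line) in report().items():
        print(f"{proto} -> {ip}:{port:<5} {action} (line {line})")
```

The last sample flow shows that ports other than 80 and 443 towards the proxy already pass on the final `permit ip any any`; only direct port 80/443 connections to other hosts are stopped.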
08-14-2010 12:43 PM
Dear friend,
I will try this and update you. Thanks a lot.
08-16-2010 07:32 AM
Hi, thanks a lot, it's working. But before, I was sending the proxy settings through the Bluecoat "proxy.pac" file, and this file is not working when I use the extended access list.
Is there any way just to open this complete Bluecoat IP?
08-16-2010 01:41 PM
Hello Mrsystemengineer,
>> send proxy through bluecoat "proxy.pac" file
Interesting side effect.
>> is there any way just to open this complete bluecoat IP.
This is possible with an ACL line like
access-list 111 permit ip any host
You should verify what exactly is exchanged between a client and the Bluecoat to send the proxy.pac file; opening all IP traffic can be a solution, but it can be too much from a security point of view.
Hope to help
Giuseppe