Cisco Support Community
Deny rule from DMZ to Inside not working?

Hi all,

We want to completely block access to our proxy server for clients that are connected to the VPN. Simply modifying the proxy settings may not be completely effective based on our testing.

Currently our setup is as follows -

Users VPN into DMZ. DMZ has 2 implicit rules. Rule 1 - allow all ip to any less secure network. Rule 2 - Deny any/any

I've attempted to add Deny rules to our proxy servers on this list but it doesn't seem to be effective. Adding deny rules to the VPN split tunnel rule doesn't seem to work either. Can anyone give me some tips on what I might be doing wrong?

3 REPLIES

Re: Deny rule from DMZ to Inside not working?

I would think about writing an ACL that blocks the source of the remote VPN clients "outbound" - going out onto the DMZ LAN towards the proxy servers.

HTH

Re: Deny rule from DMZ to Inside not working?

If I'm not mistaken, wouldn't the traffic never hit the outbound interface?

DMZ -> Inside -> Proxy server

Proxy Server -> Inside -> DMZ

Or am I mistaken?

Re: Deny rule from DMZ to Inside not working?

Sorry, you are correct - I was thinking it was actually working a different way!

I would then try adding to the DMZ ACL - to deny the source IP addresses assigned to the remote clients to the destination of the proxy servers, and take it a step further and block on both TCP and UDP ports, something like:

access-list Block-DMZ line 1 deny tcp w.w.w.w x.x.x.x y.y.y.y z.z.z.z

w.w.w.w = Remote VPN Client IP address

x.x.x.x = Subnet mask

y.y.y.y = Proxy server IP range

z.z.z.z = Subnet mask

HTH
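A fuller version of the ACL the reply above sketches, written as an added example and not taken from the thread. The addresses, the object-group name PROXIES, the interface name DMZ and the group-policy name RA-VPN are constructed placeholders; it also goes one step beyond the reply by showing how to confirm the ACE is actually being hit and what to do if decrypted VPN traffic is bypassing the interface ACL.

```cisco
! Constructed values: 10.10.10.0/24 = VPN client address pool,
! 192.168.50.10 and .11 = proxy servers. Replace with your own.
object-group network PROXIES
 network-object host 192.168.50.10
 network-object host 192.168.50.11

! Deny the VPN pool to the proxies on both TCP and UDP, as the reply suggests.
! "log" gives a syslog (106023) for each denied connection, which is the
! evidence you want when testing that the block is effective.
access-list Block-DMZ extended deny tcp 10.10.10.0 255.255.255.0 object-group PROXIES log
access-list Block-DMZ extended deny udp 10.10.10.0 255.255.255.0 object-group PROXIES log
! Preserve the existing "allow to less secure networks" behaviour for everything else.
access-list Block-DMZ extended permit ip any any

! Apply it inbound on the DMZ interface (traffic entering the ASA from the DMZ side).
access-group Block-DMZ in interface DMZ

! Check: the hitcnt on the deny lines should rise while a VPN client tries the proxy.
show access-list Block-DMZ

! Caveat (assumed default ASA behaviour): with "sysopt connection permit-vpn" left
! enabled, decrypted VPN traffic skips interface ACLs entirely, so the deny above
! never sees it. Either disable that bypass:
no sysopt connection permit-vpn
! or, more narrowly, enforce the same policy per group-policy with a vpn-filter.
! A vpn-filter ACE is written with the remote client as source and the local
! network as destination; the ASA applies it to both directions.
access-list VPN-FILTER extended deny tcp 10.10.10.0 255.255.255.0 object-group PROXIES log
access-list VPN-FILTER extended deny udp 10.10.10.0 255.255.255.0 object-group PROXIES log
access-list VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 any
group-policy RA-VPN attributes
 vpn-filter value VPN-FILTER
```

A deny ACE whose hit count stays at zero while a client can still reach the proxy is the usual sign that the VPN bypass, not the ACL itself, is the problem.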
