01-11-2007 08:50 PM - edited 03-11-2019 02:18 AM
Dear All,
I am very new to this. All of my users' PCs have their gateway set to IP 172.16.1.5 (the proxy server), and the gateway of the proxy server is set to the PIX, 172.16.1.1.
If the users knew the IP address of the PIX, they would set their gateway to the PIX's IP address and then be able to go to the internet without the proxy server; this is the part that I want to deny.
Could anybody please help with how to deal with this?
Many thanks in advance
Regards
Winanjaya
01-11-2007 11:50 PM
Hi
Apply the following ACL on the inside interface of your PIX in configuration mode:
access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside deny tcp any any eq www
access-list inside permit ip any any
access-group inside in interface inside
Save with: write mem and also issue: clear xlate
The above ACL will only allow your proxy server to browse the internet and deny anything else. Now your users MUST
point their browser to the proxy server!!
Hope this helps and please rate posts!!
Jay
01-11-2007 11:34 PM
Hi,
You can handle this by including an ACL in the firewall which allows outbound HTTP access only for the proxy server IP.
Then the users wouldn't be able to browse through the firewall; they have to point to the proxy server to get internet access.
-VJ
01-11-2007 11:48 PM
Hi,
I am very new with this, could you pls give me an example?
TIA
Regards
Winanjaya
01-12-2007 12:12 AM
How about FTP, HTTPS and any other internet services? Please advise.
Thanks & Regards
Winanjaya
01-12-2007 01:24 AM
If you are also using the proxy for FTP and HTTPS, add those services to the access-list:
access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside permit tcp host 172.16.1.5 any eq ftp
access-list inside permit tcp host 172.16.1.5 any eq 443
access-list inside deny tcp any any eq www
access-list inside deny tcp any any eq ftp
access-list inside deny tcp any any eq 443
access-list inside permit ip any any
access-group inside in interface inside
M.
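To see how the PIX walks the list above, here is a small first-match evaluator, added as an example and not code from the thread or from Cisco. It parses the exact access-list lines M. posted (only the host/any address forms and the eq port forms used in the thread are supported), then runs constructed sample flows through them. The flow addresses and the 8080 and DNS flows are assumptions chosen to illustrate the list's behaviour, including that the closing permit ip any any still lets any service not explicitly listed pass directly from a user PC.

```python
# Added example, not from the thread: a first-match evaluator for the PIX
# "access-list inside" lines posted above, so a defender can check which
# flows the list permits or denies before applying it. Flows are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Service names used in the thread, as the PIX resolves them.
PORT_NAMES = {"www": 80, "ftp": 21, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: Optional[str]     # host address, or None for "any"
    dst: Optional[str]     # host address, or None for "any"
    dport: Optional[int]   # destination port, or None when no "eq" is given


def _parse_address(tokens: List[str], i: int):
    """Consume 'host A.B.C.D' or 'any' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at token {i}: {tokens[i]}")


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <name> <action> <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _parse_address(tokens, 4)
    dst, i = _parse_address(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)


def parse_acl(config: str) -> List[Ace]:
    """Parse every access-list line in a config fragment, in the order written."""
    return [parse_ace(line) for line in config.splitlines()
            if line.strip().startswith("access-list")]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry; no match means implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The extended list from M.'s reply, verbatim.
INSIDE_ACL_CONFIG = """
access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside permit tcp host 172.16.1.5 any eq ftp
access-list inside permit tcp host 172.16.1.5 any eq 443
access-list inside deny tcp any any eq www
access-list inside deny tcp any any eq ftp
access-list inside deny tcp any any eq 443
access-list inside permit ip any any
"""
INSIDE_ACL = parse_acl(INSIDE_ACL_CONFIG)

# Constructed sample flows (label, proto, src, dst, dport); 172.16.1.20 is an
# assumed user PC and 198.51.100.x are documentation addresses standing in
# for internet hosts.
SAMPLE_FLOWS = [
    ("proxy to web", "tcp", "172.16.1.5", "198.51.100.10", 80),
    ("user PC direct to web", "tcp", "172.16.1.20", "198.51.100.10", 80),
    ("user PC direct to HTTPS", "tcp", "172.16.1.20", "198.51.100.10", 443),
    ("user PC to web on port 8080", "tcp", "172.16.1.20", "198.51.100.10", 8080),
    ("user PC DNS", "udp", "172.16.1.20", "198.51.100.53", 53),
]


def flow_results(acl=INSIDE_ACL, flows=SAMPLE_FLOWS):
    """Map each sample flow label to the verdict the list gives it."""
    return {label: evaluate(acl, p, s, d, port) for label, p, s, d, port in flows}


if __name__ == "__main__":
    for label, verdict in flow_results().items():
        print(f"{label:30s} -> {verdict}")
```

The proxy's port 80 flow is permitted by the first entry; a user PC that has pointed its gateway straight at the PIX is denied on 80, 21 and 443 by the deny entries, but its port 8080 and DNS flows fall through to the final permit ip any any. That is the behaviour behind the "any other internet services" question: every service that should go through the proxy needs its own permit/deny pair, or the final entry needs to be narrowed to what the users genuinely need directly.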
01-12-2007 01:35 AM
Thanks a lot
Regards
Winanjaya
01-12-2007 02:18 AM
Hi,
I feel the best practice for this case is to put the PIX in a separate VLAN. The proxy can be in the user VLAN. This will solve all the issues, as users cannot configure the PIX IP on their PCs and get access to the network. PCs will have the def-gateway set to the proxy, the proxy will have its def-gw at the VLAN IP, and a default route will be there on the switch to the PIX. That's it.
See if this suggestion helps.