How to deny user use the ip address of PIX

winanjaya
Level 1

Dear All,

I am very new with this. All of my users' PC gateway is assigned to IP 172.16.1.5 (Proxy server), and the gateway of the Proxy Server is assigned to PIX 172.16.1.1.

If the users knew the IP address of the PIX, then they would set their gateway to the PIX's IP address and be able to go to the internet without the proxy server; this is the part that I want to deny.

Could anybody please help me with how to deal with this?

Many thanks in advance

Regards

Winanjaya

Accepted Solution

jmia
Level 7

Hi

Apply the following ACL on the inside interface of your PIX in configuration mode:

access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside deny tcp any any eq www
access-list inside permit ip any any
access-group inside in interface inside

Save with: write mem and also issue: clear xlate

The above ACL will only allow your proxy server to browse the internet and deny anything else. Now your users MUST

point their browser to the proxy server!!

Hope this helps and please rate posts!!

Jay


vijayasankar
Level 4

Hi,

You can handle this by including an ACL in the firewall which allows outbound HTTP access only for the proxy server IP.

Then the users wouldn't be able to browse through the firewall; they have to point to the proxy server to get internet access.

-VJ

Hi,

I am very new with this, could you please give me an example?

TIA

Regards

Winanjaya


How about for FTP, HTTPS and any other internet services? Please advise.

Thanks & Regards

Winanjaya

If you are using the proxy also for FTP and HTTPS, add those services to the access-list:

access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside permit tcp host 172.16.1.5 any eq ftp
access-list inside permit tcp host 172.16.1.5 any eq 443
access-list inside deny tcp any any eq www
access-list inside deny tcp any any eq ftp
access-list inside deny tcp any any eq 443
access-list inside permit ip any any
access-group inside in interface inside

M.
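A Python evaluator for the access-lists in the accepted answer and in this FTP/HTTPS follow-up, added here as an example and not code from either post; the proxy address is the thread's 172.16.1.5, while the user PC (172.16.1.20), the Internet host (203.0.113.10) and the function names are constructed. It generalises the two posted lists into one builder and walks each rule set the way the PIX does (first match wins, implicit deny at the end), so you can see which flows each version blocks before applying it.

```python
from ipaddress import ip_address, ip_network

PROXY = "172.16.1.5"                       # proxy address from the thread
USER, INTERNET = "172.16.1.20", "203.0.113.10"  # constructed user PC and Internet host
PORTS = {"www": 80, "ftp": 21, "https": 443}

def proxy_only_acl(services):
    """Rules in the shape the thread uses: permit the proxy on each service,
    deny everyone else on it, then permit everything that is left."""
    rules = [("permit", "tcp", "host " + PROXY, "any", PORTS[s]) for s in services]
    rules += [("deny", "tcp", "any", "any", PORTS[s]) for s in services]
    return rules + [("permit", "ip", "any", "any", None)]

ACL_WWW_ONLY = proxy_only_acl(["www"])                       # first answer in the thread
ACL_WWW_FTP_HTTPS = proxy_only_acl(["www", "ftp", "https"])  # follow-up answer

def _addr_matches(spec, addr):
    """Accepts 'any', 'host A.B.C.D' or a CIDR prefix, as in the PIX syntax."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (_addr_matches(s, src) and _addr_matches(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def flow_report(acl):
    """Decision for a few representative inside-to-outside flows under one rule set."""
    flows = {
        "proxy web": ("tcp", PROXY, INTERNET, 80),
        "user web": ("tcp", USER, INTERNET, 80),
        "user https": ("tcp", USER, INTERNET, 443),
        "user ftp": ("tcp", USER, INTERNET, 21),
        "user dns": ("udp", USER, INTERNET, 53),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    print("www only:", flow_report(ACL_WWW_ONLY))
    print("www+ftp+https:", flow_report(ACL_WWW_FTP_HTTPS))
```

The report also makes visible that the closing permit ip any any lets every protocol and port not named in the list through, which is exactly the scope these rules enforce.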

Thanks a lot

Regards

Winanjaya

sarkarpritam
Level 1

Hi,

I feel the best practice for this case is to put the PIX in a separate VLAN. The proxy can be in the user VLAN. This will solve all the issues, as users cannot configure the PIX IP on their PCs and get access to the network. PCs will have the default gateway set to the proxy, the proxy will have its default gateway at the VLAN IP, and a default route will be there on the switch to the PIX. That's it.

See if this suggestion helps.
