Cisco Support Community

New Member

Prevent clients bypassing proxy

Hi all,

I was wondering if someone could help me out with an issue I have. At present our corporation has all internet traffic routed via our HQ, through a Cisco ASA 5510 arrangement. I need to prevent client machines (subnet / range) going directly out onto the internet; I need them to go via a proxy server. My thought was to put a deny ACL on the outbound internal interface. This would be something like deny ip [ip address] [subnet] interface outside with a permit rule for the proxy address.

Does anyone have any suggestions, or ideas as to how I could do this?

Any help would be much appreciated.

Thanks in advance.

Cisco Employee

Re: Prevent clients bypassing proxy


An access list on the inside interface is the easiest and best way to do it. In addition, you can also control it via NAT. Here is a sample config:

! PROXY_IP is a placeholder for the proxy server's inside address (not given in the thread)
! the proxy must be permitted on both 80 and 443 before the deny lines, since the ASA uses first match
access-list inside_access_out permit tcp host PROXY_IP any eq 443
access-list inside_access_out permit tcp host PROXY_IP any eq 80
access-list inside_access_out deny tcp any any eq 80
access-list inside_access_out deny tcp any any eq 443
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
! pre-8.3 NAT syntax: only the proxy gets a nat rule, so nothing else can be translated out
global (outside) 1 interface
nat (inside) 1 PROXY_IP 255.255.255.255

Make sure that except for the servers that need direct internet access, no other host has a NAT rule on the firewall. In that way, even if the hosts try to bypass the access-list rule, they will not be able to go out without the NAT rule.

Hope this helps.
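Added example (not from the reply above or from Cisco): a small Python model of the two-layer control the reply describes, first-match ACL evaluation with the ASA's implicit deny, then the NAT check, so the entry ordering can be sanity-checked before it is pushed to the firewall. PROXY_IP, the client address and the NAT coverage list are constructed values for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for illustration; substitute your own proxy and client ranges.
PROXY_IP = "10.0.0.10"
NAT_COVERED = ["10.0.0.10/32"]   # only hosts that actually have a nat (inside) rule

def in_scope(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall in the host/prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

@dataclass
class Ace:
    """One access-list entry, mirroring the fields used in the reply."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp" / "udp"
    src: str                     # "any" or an address/prefix
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and in_scope(self.src, src) and in_scope(self.dst, dst)
                and (self.dport is None or self.dport == dport))

# The inside_access_out list from the reply, with the proxy placeholder filled in.
INSIDE_ACCESS_OUT = [
    Ace("permit", "tcp", PROXY_IP, "any", 443),
    Ace("permit", "tcp", PROXY_IP, "any", 80),
    Ace("deny",   "tcp", "any",    "any", 80),
    Ace("deny",   "tcp", "any",    "any", 443),
    Ace("permit", "ip",  "any",    "any"),
]

def acl_decision(acl, proto, src, dst, dport=None) -> str:
    """ASA semantics: top-down, first match wins, unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"

def can_reach_internet(proto, src, dst, dport=None) -> bool:
    """Second layer from the reply: ACL-permitted traffic still needs a NAT rule to leave."""
    if acl_decision(INSIDE_ACCESS_OUT, proto, src, dst, dport) != "permit":
        return False
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in NAT_COVERED)

if __name__ == "__main__":
    print(can_reach_internet("tcp", PROXY_IP, "203.0.113.5", 443))    # True: proxy out
    print(can_reach_internet("tcp", "10.0.1.20", "203.0.113.5", 80))  # False: ACL deny
    print(can_reach_internet("udp", "10.0.1.20", "203.0.113.5", 53))  # False: no NAT rule
```

The third case is the one the reply's NAT advice covers: the ACL's final permit ip any any lets the packet through, but without a NAT entry the client still cannot leave.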



New Member

Re: Prevent clients bypassing proxy

Hi NT,

Thanks for the quick reply. I'll give it a go and let you know.

One afterthought though: would I specifically need to allow the internal IPs access to the DMZ?

Once again, thanks!