Allowing internal users to Browse the internet

farhan (Level 1)

Hello,

I have a PIX 515E with IOS 6.2. I am currently using ISA server as a proxy server to browse the internet. I would like to change this and let users go through the PIX Firewall to browse the internet. This would provide me with an extra IP address which I have on the ISA server.

Can you tell me what commands I need?

1 Accepted Solution

Hi,

Using an ACL (named, in this case) you would do the following:

>access-list inside permit tcp host XXXX any eq www

>access-list inside deny tcp any any eq www

>access-list inside permit ip any any

Now apply the ACL to the inside interface with an access-group statement, i.e.

>access-group inside in interface inside

(NOTE: in the first ACL above, XXXX is your ISA IP address.)

Also, after you have configured the ACLs, make sure you do a wr m (write to memory).

Hope this helps -


3 Replies

konigl (Level 7)

Basically, on the client side you would have to clear the proxy setting in your users' web browsers and give their computers DNS server addresses for Internet-name-to-IP-address resolution. Also, you have to set their default gateways to point to either the PIX inside interface, if it sits on the same subnet as the users and there are no other internal subnets; or to a default gateway on their subnet which uses the PIX inside interface as its "gateway of last resort".

On the PIX, you would need to set up NAT/PAT, and either outbound (old) or access-list (new) commands to permit the users on the inside to go to the outside (Internet) per company policy.

For what it's worth, you could set up the ISA server to act as a caching proxy server with only one NIC, or reconfigure it with two NICs to have its outside (or "north") NIC sitting on a VLAN that also contains the PIX Firewall's inside interface, effectively putting the ISA behind the PIX. Then you could use the ISA or go direct, depending on your application from the user's side. In either case, this would get you the extra IP address that's on the ISA server now.

I would need to know more about your network to supply any detailed assistance, though.

Hope this helps.

I have done most of the things. Can you kindly tell me the exact commands to configure the firewall so that it allows internal users to browse? I would like, at present, all traffic to be allowed from inside out only, nothing from outside in.

An example of how I could stop unwanted internet traffic would be appreciated.

Regards
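The following PIX 6.x configuration is added here as a worked illustration and is not taken from any reply in this thread. It puts konigl's description (NAT/PAT plus an outbound access-list) and the accepted solution's named ACL into one set of commands, and includes one explicit deny as an example of stopping unwanted outbound traffic. It assumes an inside subnet of 192.168.1.0/24 and uses ISA_IP as a placeholder for the ISA server's inside address; replace both with your own values. Lines beginning with ! are annotations for the reader, not PIX commands.

```cisco
! Assumed inside subnet: 192.168.1.0/24 (replace with your own)
! ISA_IP is a placeholder for the ISA server's inside address (replace)

! 1. PAT every inside host behind the outside interface address.
!    The nat id (1) on inside is paired with the global id (1) on outside.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 2. Outbound policy. Once an access-group is applied to the inside
!    interface, anything the list does not permit is dropped (implicit
!    deny at the end), so DNS must be permitted, not just web traffic.
!    Entries are matched top-down and the first match wins, so the ISA
!    host's broad permit goes first, then the user rules.
access-list inside_out permit ip host ISA_IP any
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq https
! Example of stopping unwanted traffic: user PCs may not send SMTP
! directly to the Internet (a common sign of a malware-infected host).
access-list inside_out deny tcp 192.168.1.0 255.255.255.0 any eq smtp
access-group inside_out in interface inside

! 3. Nothing is needed for "nothing from outside in": with no static/conduit
!    or access-list on the outside interface, the PIX denies it by default.

! 4. Save the running configuration.
write memory
```

After applying the access-group, check the counters with show access-list inside_out: hit counts on the permit lines confirm browsing is flowing through the PIX, and hits on the deny line show which traffic is being stopped. If users lose name resolution, the domain line is the first thing to check, because the implicit deny silently drops anything the list does not cover.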

