Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Allowing internal users to Browse the internet

Hello,

I have a PIX 515E with IOS 6.2. I am currently using ISA server as a proxy server to browse the internet. I would like to change this and let users go thru the PIX Firewall to browse the internet. This wud provide me with an extra IP address which I have on the ISA server.

Can you tell me what commands do I need.

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: Allowing internal users to Browse the internet

Hi,

Using ACL (Named in this case) you would do the following:

>access-list inside permit tcp host XXXX any eq www

>access-list inside deny tcp any any eq www

>access-list inside permit ip any any

..now configure the ACL to the inside interface with a access-group statement i.e.

>access-group inside in interface inside

(NOTE. ON THE FIRST ACL ABOVE XXXX IS YOUR ISA IP ADDRESS)

Also, after you have configured the ACL's make sure you do a wr m (write to memory)

Hope this helps -

3 REPLIES
Gold

Re: Allowing internal users to Browse the internet

Basically, on the client side you would have to clear the proxy setting in your users' web browsers, give their computers DNS server addresses for Internet-name-to-IP-address resolution. Also, you have to set their default gateways to point to either the PIX inside interface, if it sits on the same subnet as the users and there are no other internal subnets; or to a default gateway on their subnet which uses the PIX inside interface as its "gateway of last resort".

On the PIX, you would need to set up NAT/PAT, and either outbound (old) or access-list (new) commands to permit the users on the inside to go to the outside (Internet) per company policy.

For what its worth, you could set up the ISA server to act as a caching proxy server with only one NIC, or reconfigure it with two NICs to have its outside (or "north") NIC sitting on a VLAN that also contains the PIX Firewall's inside interface, effectively putting the ISA behind the PIX. Then you could use the ISA or go direct, depending on your application from the user's side. In either case, this would get you the extra IP address that's on the ISA server now.

Would need to know more about your network to supply any detailed assistance, though.

Hope this helps.

New Member

Re: Allowing internal users to Browse the internet

I have done most of the things.. can you kindly tell me the exact commands to configure the firewall so that it allows internal users to browse. I would like at present all traffic to be allowed from inside out only. nothing from outside in.

An example how I could stop unwanted internet traffic will be appreciated.

Regards

Gold

Re: Allowing internal users to Browse the internet

Hi,

Using ACL (Named in this case) you would do the following:

>access-list inside permit tcp host XXXX any eq www

>access-list inside deny tcp any any eq www

>access-list inside permit ip any any

..now configure the ACL to the inside interface with a access-group statement i.e.

>access-group inside in interface inside

(NOTE. ON THE FIRST ACL ABOVE XXXX IS YOUR ISA IP ADDRESS)

Also, after you have configured the ACL's make sure you do a wr m (write to memory)

Hope this helps -

85
Views
0
Helpful
3
Replies
CreatePlease login to create content