10-19-2006 07:34 PM - edited 03-09-2019 04:36 PM
Hi,
I would like to do as per the above-mentioned.
My network diagram is as follows:

                       |--DMZ--10.0.x.x
internet---PIX515------|
                       |--INSIDE
                            |
                       (PC IP ranges 172.24.66.xxx -
                        172.24.66.xxx
                        internal servers:
                          proxy=172.24.66.11
                          mail=172.24.66.10)
Currently the PCs are manually configured to use the proxy. The users are able to bypass the proxy if they know the ISP's gateway and DNS.
In order to stop this, I would like to do the following:
1. Any of the PCs in the INSIDE with an IP address in the range 172.24.65.xxx - 172.24.66.xxx should not have any direct access to the Internet, except for a few servers with fixed IPs, let's say 172.24.66.10 and 172.24.66.11, where dot 10 is the mail server and dot 11 is the proxy server.
All PCs should be allowed access only via the proxy server.
2. All INSIDE PCs are allowed to access the DMZ servers.
Thank you.
10-19-2006 07:36 PM
This is my current configuration.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password ******* encrypted
passwd ******* encrypted
hostname ciscopix
domain-name testing.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.3 webserver
name 172.24.66.11 nmscsrv02
access-list acl_outside permit tcp any host 210.x.x.202 eq www
access-list acl_outside permit tcp any host 210.x.x.202 eq smtp
access-list acl_outside permit tcp 60.52.0.0 255.255.0.0 host 210.x.136.202 eq ssh
access-list acl_outside permit tcp host 220.255.66.217 host 210.x.136.202 eq 7763
access-list acl_dmz permit tcp host webserver host 172.x.66.10 eq imap4
access-list acl_dmz permit ip any any
access-list no_nat permit ip 172.24.66.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging timestamp
logging standby
logging console debugging
logging monitor debugging
logging trap warnings
logging facility 21
logging host inside webserver
no logging message 111005
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 210.90.136.202 255.255.255.252
ip address inside 172.24.66.224 255.255.252.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 172.24.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 172.24.0.0 255.255.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 210.90.136.202 www webserver www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 210.90.136.202 smtp webserver smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.90.136.202 7763 172.24.66.19 ssh netmask 255.255.255.255 0 0
static (dmz,outside) tcp 210.90.136.202 ssh webserver ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.90.136.202 5900 nmscsrv02 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.90.136.202 5905 172.24.66.21 5905 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.90.136.202 5906 172.24.66.100 5906 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 210.90.136.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.24.66.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.24.0.0 255.255.0.0 inside
telnet 172.24.0.0 255.255.0.0 dmz
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
10-20-2006 08:01 AM
Something like this should get you started. I added comments to describe each line. You can easily allow more hosts to talk to the Internet by copying the line for .10 or .11:
! Allow traffic from Inside to DMZ
access-list acl_inside permit ip 172.24.66.0 255.255.255.0 10.0.0.0 255.255.255.0
! Allow traffic from .10 to Internet
access-list acl_inside permit ip host 172.24.66.10 any
! Allow traffic from .11 to Internet
access-list acl_inside permit ip host 172.24.66.11 any
! All other traffic is denied automatically
! apply access-list to traffic on inside interface
access-group acl_inside in interface inside
-Eric
Please remember to rate all helpful posts.
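The same allow-list idea written out in full for PIX 6.3, as an added example that is not part of Eric's answer or the original poster's configuration. Two things it assumes: the inside network is 172.24.64.0/22, which is what "ip address inside 172.24.66.224 255.255.252.0" in the posted config implies, so both the 172.24.65.x and 172.24.66.x ranges from the question are covered by one line; and acl_inside does not exist yet. The final deny line is what the PIX would do anyway, but writing it out with the log keyword makes every proxy-bypass attempt show up in syslog (message 106100) instead of disappearing silently.

```cisco
! Added example for PIX 6.3, not the thread's own config.
! Assumes inside = 172.24.64.0/22 (from the posted inside interface mask)
! and DMZ = 10.0.0.0/24 (from "ip address dmz 10.0.0.1 255.255.255.0").
!
! 1. Every inside host may reach the DMZ servers (requirement 2)
access-list acl_inside permit ip 172.24.64.0 255.255.252.0 10.0.0.0 255.255.255.0
!
! 2. Only the mail server and the proxy may go anywhere else (requirement 1).
!    Copy one of these lines for each additional server that needs it.
access-list acl_inside permit ip host 172.24.66.10 any
access-list acl_inside permit ip host 172.24.66.11 any
!
! 3. Explicit, logged deny: a PC pointed straight at the ISP gateway/DNS
!    now generates a 106100 syslog line instead of silently failing.
access-list acl_inside deny ip any any log
!
! Apply it to traffic entering the PIX from the inside interface
access-group acl_inside in interface inside
```

To check it, set a test PC's gateway and DNS to the ISP's values as a user would, try to browse, and confirm with show access-list acl_inside that the deny counter increments while the .10 and .11 counters keep moving; name resolution fails on the PC as well, because only the proxy and the mail server can reach the ISP's DNS. Separately, the posted acl_dmz ends with "permit ip any any", so DMZ hosts can open connections into the inside network; that is worth tightening independently of this change.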
11-01-2006 10:32 PM
Thank you, Eric. I have rated.
10-24-2006 05:08 AM
We had a similar configuration need here, in that we needed to block all IP addresses except those that have been registered and authorized. We get billed for all off-network traffic, per IP address, on a monthly basis. We had users who would assign random IP addresses, which skewed the usage billing and left us not knowing where to redirect the bills.
The simplest arrangement for us was to create a network object-group containing the IP addresses that are not authorized. We then added an ACE to the ACL for that network to deny all traffic for that object-group. We could have done the reverse and used the group for authorized addresses only, but this is the way we did it. Our ACE is placed at the very beginning of the ACL.
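The deny-list variant described in this post, as an added PIX 6.3 example that is not the poster's own configuration. The object-group name and the addresses in it are invented placeholders; the inside subnet is the 172.24.64.0/22 from the configuration earlier in the thread, and acl_inside is assumed not to exist yet. The ordering point matters on this software version: PIX 6.3 appends each new ACE to the end of the list and has no way to insert one at a given position, so the deny must be the first line typed.

```cisco
! Added example, not the thread's own config. Group name and member
! addresses are placeholders; pick the real unregistered addresses.
!
! Addresses that are NOT authorized for off-network traffic
object-group network UNAUTHORIZED_HOSTS
  network-object host 172.24.66.50
  network-object host 172.24.66.51
  network-object 172.24.65.128 255.255.255.128
!
! Must be entered first: PIX 6.3 only appends ACEs. Logging it is what
! tells you which unregistered address is in use.
access-list acl_inside deny ip object-group UNAUTHORIZED_HOSTS any log
!
! Everything else on the inside may reach the DMZ and the Internet
access-list acl_inside permit ip 172.24.64.0 255.255.252.0 any
!
access-group acl_inside in interface inside
!
! Verify the order and watch the hit counters:
!   show access-list acl_inside
```

Adding a newly discovered address is a single network-object line in the group; the PIX expands the referenced ACE itself, so the ACL does not have to be rebuilt. Note that this deny matches all traffic from those hosts, DMZ included, which is what the post asks for but is stricter than the allow-list in the accepted answer.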