Currently the PCs are manually configured to the proxy. The users are able to bypass the proxy if they know the gateway and DNS of the ISP.
In order to stop this, I would like to do the following:
1. Any of the PCs in the INSIDE have the IP address range from 172.24.65.xxx - 172.24.66.xxx to have any direct access to Internet, except for a few servers fixed IP, let's say, 172.24.66.10, 172.24.66.11 where dot 10 is mail server and dot 11 is proxy server.
All PCs should be allowed to access only via proxy server.
2. All INSIDE PCs are allowed to access DMZ servers.
Re: Blocking direct access to Internet via IP ranges
We had a similar configuration need here in that we needed to block all IP addresses, except those that have been registered and authorized. We get billed for all traffic, per IP address, on a monthly basis for off network traffic. We had users that would assign random IP addresses causing the usage billing to be skewed and not knowing where to redirect the bills to.
The simplest arrangement for us was to create a network object group containing IP addresses that are not authorized. We then added an ACE to the ACL for that network to deny all traffic for that object-group. We could have done the reverse and used the group for authorized addresses only, but this is the way we did it. Our ACE is placed at the very beginning of the ACL.
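An added example, not written by either poster: a first-match model of the policy asked for in the question, using the object-group approach from the reply, to check ACE ordering before applying it to a device. The DMZ subnet and the outside address are constructed placeholders, and reading each "xxx" range as a /24 is an assumption. It also shows that if the deny group covers the whole inside range, putting the deny ACE first shadows the mail and proxy permits.

```python
import ipaddress as ipa

ANY = ipa.ip_network("0.0.0.0/0")
DMZ = ipa.ip_network("192.0.2.0/24")   # constructed: the thread gives no DMZ subnet

# Object groups built from the addresses in the question (each range taken as a /24).
INSIDE_PCS = [ipa.ip_network("172.24.65.0/24"), ipa.ip_network("172.24.66.0/24")]
DIRECT_OUT = [ipa.ip_network("172.24.66.10/32"),   # mail server
              ipa.ip_network("172.24.66.11/32")]   # proxy server

# Ordered ACEs (action, source group, destination); the first match wins.
ACL = [
    ("permit", DIRECT_OUT, ANY),   # mail and proxy may go out directly
    ("permit", INSIDE_PCS, DMZ),   # every inside PC may reach the DMZ
    ("deny",   INSIDE_PCS, ANY),   # everything else from inside is blocked
]
# Same entries with the deny moved to the very beginning of the list.
DENY_FIRST = [ACL[2], ACL[0], ACL[1]]


def evaluate(acl, src, dst):
    """Return the action of the first ACE matching src -> dst (implicit deny)."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for action, group, dest in acl:
        if d in dest and any(s in net for net in group):
            return action
    return "deny"


def shadowed(acl):
    """Indexes of ACEs that can never match because an earlier ACE covers them."""
    hits = []
    for j, (_, grp_j, dst_j) in enumerate(acl):
        for _, grp_i, dst_i in acl[:j]:
            covered = all(any(n.subnet_of(m) for m in grp_i) for n in grp_j)
            if covered and dst_j.subnet_of(dst_i):
                hits.append(j)
                break
    return hits


if __name__ == "__main__":
    internet = "198.51.100.7"   # constructed outside address
    for name, acl in (("ACL", ACL), ("DENY_FIRST", DENY_FIRST)):
        print(name, "proxy->internet:", evaluate(acl, "172.24.66.11", internet),
              "| pc->internet:", evaluate(acl, "172.24.65.20", internet),
              "| pc->dmz:", evaluate(acl, "172.24.65.20", "192.0.2.5"),
              "| shadowed ACEs:", shadowed(acl))
```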