09-25-2005 09:52 AM - edited 02-21-2020 12:25 AM
I need to allow only one IP address (the one for the proxy server) to browse through the PIX firewall to the Internet.
What will be the commands in the PIX firewall to block traffic to the Internet from the whole inside network 10.2.1.x, but only allow 10.2.1.10 (the proxy server)?
All other computers will use the proxy server address to use the Internet.
Please let me know the correct commands, and secondly, whether the other computers can browse the Internet if they are using this particular proxy server address.
09-25-2005 10:07 AM
Could be something like this.
object-group service Proxy-TCP tcp
port-object eq 80
port-object eq 443
port-object eq 21
access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP
access-list proxy deny tcp 10.2.1.0 255.255.255.0 any object-group Proxy-TCP
access-list proxy permit ip any any
access-group proxy in interface inside
This will block http, https and ftp for all inside hosts other than the proxy server. An object group will be more flexible if you want to configure multiple TCP ports.
sincerely
Patrick
09-25-2005 10:18 AM
Dear Patrick,
Is it possible to make the configuration more STRICT, such that all traffic from the inside network is blocked (not only http, https and ftp) and all traffic from the proxy server is allowed?
What change do I have to make to this configuration?
I like the idea of object group here.
What if I have to use access-list without object group?
09-25-2005 10:24 AM
Follow this example and all inside traffic will be blocked.
object-group service Proxy-TCP tcp
port-object eq 80
port-object eq 443
port-object eq 21
access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP
access-list proxy deny ip any any
access-group proxy in interface inside
This way only the proxy server can access the Internet with http, https and ftp; all other traffic will be blocked.
sincerely
Patrick
09-25-2005 08:17 PM
Hi again Patrick,
What is the difference between your first configuration and the second one?
In the first one you have given "access-list proxy permit any any",
whereas
in the second one you have given "access-list proxy deny ip any any".
Do I need to combine both of them, or just follow the second one to accomplish my task?
09-25-2005 08:55 PM
The reason for Pat to change "permit ip any any" to "deny ip any any" is your requirement as stated:
Is it possible to make the configuration more STRICT such that all traffic to block from inside network (not only http, https and ftp) and allow all traffic from Proxy server.
In fact, you don't even need to put the "deny ip any any", as every ACL by default has this statement at the end.
So all you need is:
object-group service Proxy-TCP tcp
port-object eq 80
port-object eq 443
port-object eq 21
access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP
plus a proper nat/global statement
09-25-2005 09:28 PM
Will the object-group command work on IOS 6.1(4)?
Thanks
09-28-2005 06:22 AM
No, object groups are only available from the 6.2.x release, not for 6.1.x.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml
sincerely
Patrick
09-28-2005 03:03 AM
Hi again,
The first purpose is solved.
I am able to permit only the proxy server to go to the Internet, and all other traffic is blocked.
Now, the next step is that I need to allow some traffic like port 110, 25, Citrix etc.
How can I make a new object group to open some ports and what will be the access-list for this new object group?
09-28-2005 05:03 AM
Hi again,
If I give the ACLs mentioned below, my purpose is solved:
access-list myproxy permit tcp host 10.2.1.10 any eq www
access-list myproxy permit tcp host 10.2.1.10 any eq https
access-list myproxy permit tcp host 10.2.1.10 any eq ftp-data
access-list myproxy permit tcp host 10.2.1.10 any eq ftp
Now I need to open smtp and pop3 for my email server. Is the configuration given below correct:
access-list myproxy permit tcp any any eq smtp
access-list myproxy permit tcp any any eq pop3
access-group myproxy in interface inside
I think it should be OK, but I am not getting communication from Outlook to the mail server.
Please assist.
09-28-2005 06:16 AM
If you just want to open outgoing smtp and pop connections from any to any, YES: from inside to outside (Internet).
If you want to allow smtp and pop connections from the Internet to your email server, you need to create an access-list on the outside interface and a static NAT for address translation.
Example:
access-list outside permit tcp any host PublicIP-MailServer eq 25
access-list outside permit tcp any host PublicIP-MailServer eq 110
access-group outside in interface outside
Address translation with a static public IP:
static (inside,outside) PublicIP-MailServer PrivateIP-MailServer netmask 255.255.255.255
Reset all connections (address translations):
clear xlate
sincerely
Patrick
09-28-2005 07:23 AM
Dear Patrick,
I just need to allow outgoing smtp/pop3 (inside to outside) and only allow www traffic from the proxy server, i.e. 10.2.1.10.
Now I have the following configuration:
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-group 100 in interface inside
Does it make any difference if I write the access lists in this way (below)?
access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-group 100 in interface inside
What I am noticing is that most of the time Internet and smtp/pop traffic goes fine, but sometimes the Internet does not work and emails do not go out or come in to us.
I am a bit confused.
First of all, check the configuration and then tell me if you have any suggestions.
Regards,
Lasani
09-28-2005 08:19 AM
The access-list follows its order, line 1 then line 2 ...; it does not really matter here. Both of your examples are OK.
Put the access-list lines for the more important protocols at the beginning.
sincerely
Patrick
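The two points made above (an ACL is evaluated top to bottom with an implicit deny at the end, and reordering non-overlapping permit lines does not change the verdict) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from Cisco; the evaluator, the host 10.2.1.20 and the destination 198.51.100.5 are constructed, and the ACL entries are Lasani's ACL 100 from the post above.

```python
import ipaddress

# Constructed first-match evaluator for the PIX-style ACL lines in this thread
# (not PIX code). Understands: access-list NAME permit|deny PROTO SRC DST [eq PORT]
# with SRC/DST as "any", "host A.B.C.D" or "A.B.C.D MASK", and named or numeric ports.
PORTS = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}

def _addr(t, i):
    """Parse one address spec starting at token i; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2   # network + mask

def parse_ace(line):
    t = line.split()                      # access-list NAME ACTION PROTO ...
    ace = {"action": t[2], "proto": t[3]}
    ace["src"], i = _addr(t, 4)
    ace["dst"], i = _addr(t, i)
    if i < len(t) and t[i] == "eq":
        ace["dport"] = PORTS.get(t[i + 1]) or int(t[i + 1])
    return ace

def evaluate(acl, proto, src, dst, dport):
    """Walk the ACL top to bottom; the first matching entry decides the verdict."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto) or ("dport" in ace and ace["dport"] != dport):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        return ace["action"] == "permit"
    return False                          # implicit "deny ip any any" at the end

def same_policy(acl_a, acl_b, flows):
    """True if both ACLs return the same verdict for every (proto, src, dst, dport)."""
    return all(evaluate(acl_a, *f) == evaluate(acl_b, *f) for f in flows)

# Lasani's ACL 100 in the two orders asked about (entries copied from the thread).
ORDER_A = ["access-list 100 permit tcp any any eq smtp",
           "access-list 100 permit tcp any any eq pop3",
           "access-list 100 permit tcp host 10.2.1.10 any eq www"]
ORDER_B = [ORDER_A[2], ORDER_A[0], ORDER_A[1]]
# Sample flows (constructed): proxy web, non-proxy web, anyone SMTP, non-proxy DNS over UDP.
FLOWS = [("tcp", "10.2.1.10", "198.51.100.5", 80), ("tcp", "10.2.1.20", "198.51.100.5", 80),
         ("tcp", "10.2.1.20", "198.51.100.5", 25), ("udp", "10.2.1.20", "198.51.100.5", 53)]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "permit" if evaluate(ORDER_A, *f) else "deny")
    print("same policy in either order:", same_policy(ORDER_A, ORDER_B, FLOWS))
```

The last flow shows the side effect of the implicit deny: an ACL that only permits TCP ports also drops UDP such as DNS from non-proxy hosts, which only a trailing "permit ip any any" would let through.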
09-28-2005 08:48 AM
Why do the Internet and emails going out or coming in sometimes stop working?
Any idea?
09-28-2005 09:58 AM
Difficult to say like this!
Might be a config problem, a performance issue, Internet problems?
1.) How many internal users do you have and what is your user license? See in <show version>
2.) Troubleshooting guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
3.) Enable logging to syslog or buffer to see what's going on:
logging on
logging buffered debugging
logging trap debugging
logging host SyslogIP
Syslog software can be found at:
http://www.ncat.co.uk/Download/3cdv2r10.exe
http://www.ncat.co.uk/Download/
sincerely
Patrick