Pix Firewall with Proxy Server

lasani
Level 1

I need to allow only one IP address (the one for the proxy server) to browse through the PIX firewall to the Internet.

What will be the commands in the PIX firewall to block traffic to the Internet from the whole inside network 10.2.1.x but allow only 10.2.1.10 (proxy server)?

All other computers will use the proxy server address to reach the Internet.

Please let me know the correct commands, and secondly let me know if the other computers can browse the Internet if they are using this particular proxy server address?

24 Replies

Patrick Iseli
Level 7

Could be something like this.

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP

access-list proxy deny tcp 10.2.1.0 255.255.255.0 any object-group Proxy-TCP

access-list proxy permit ip any any

access-group proxy in interface inside

This will block http, https and ftp for all inside hosts other than the proxy server. The object group will be more flexible if you want to configure multiple TCP ports.

sincerely

Patrick

Dear Patrick,

Is it possible to make the configuration more STRICT, such that all traffic from the inside network is blocked (not only http, https and ftp) and all traffic from the proxy server is allowed?

What change do I have to make in this configuration?

I like the idea of object group here.

What if I have to use access-list without object group?

Follow this example and all inside traffic will be blocked.

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP

access-list proxy deny ip any any

access-group proxy in interface inside

Like this, only the proxy server can access the Internet with http, https and ftp; all other traffic will be blocked.

sincerely

Patrick

Hi again Patrick,

What is the difference between your first configuration and the 2nd one?

In the first one you have given "access-list proxy permit any any"

whereas

In the 2nd one you have given "access-list proxy deny ip any any"

Do I need to combine both of them? or just follow the 2nd one to accomplish my task?

The reason for Pat to change "permit ip any any" to "deny ip any any" is your requirement as stated:

Is it possible to make the configuration more STRICT, such that all traffic from the inside network is blocked (not only http, https and ftp) and all traffic from the proxy server is allowed?

In fact, you don't even need to put the "deny ip any any", as every ACL by default has this statement at the end.

So all you need is:

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP

plus a proper nat/global statement

Will the object-group command work on IOS 6.1(4)?

Thanks

No, object groups are only available on the 6.2.x release, not on 6.1.x.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml

sincerely

Patrick

Hi again,

First purpose is solved.

I am able to permit only Proxy server to go to the Internet and all other traffic is blocked.

Now, the next step is that I need to allow some traffic like port 110, 25, Citrix etc.

How can I make a new object group to open some ports and what will be the access-list for this new object group?

Hi again,

If I am giving the below mentioned ACLs, my purpose is solved:

access-list myproxy permit tcp host 10.2.1.10 any eq www

access-list myproxy permit tcp host 10.2.1.10 any eq https

access-list myproxy permit tcp host 10.2.1.10 any eq ftp-data

access-list myproxy permit tcp host 10.2.1.10 any eq ftp

Now I need to open smtp and pop3 for my email server; is the configuration given below correct:

access-list myproxy permit tcp any any eq smtp

access-list myproxy permit tcp any any eq pop3

access-group myproxy in interface inside

I think it should be OK, but I am not getting communication from Outlook to the mail server.

Please assist.

If you just want to open outgoing smtp and pop connections from any to any, YES, from inside to outside (Internet).

If you want to allow smtp and pop connections from the Internet to your email server, you need to create an access-list on the outside interface and a static NAT entry for address translation.

example:

access-list outside permit tcp any host PublicIP-MailServer eq 25

access-list outside permit tcp any host PublicIP-MailServer eq 110

access-group outside in interface outside

Address translation with a static public IP:

static (inside,outside) PublicIP-MailServer PrivateIP-MailServer netmask 255.255.255.255

Reset all connections (address translations):

clear xlate

sincerely

Patrick

Dear Patrick,

I just need to allow outgoing smtp/pop3 (inside to outside) and only allow www traffic from the proxy server, i.e. 10.2.1.10.

Now, I have the following configuration:

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp host 10.2.1.10 any eq www

access-group 100 in interface inside

Does it make any difference if I write the access lists in this way (below)?

access-list 100 permit tcp host 10.2.1.10 any eq www

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-group 100 in interface inside

What I am noticing is that most of the time Internet and smtp/pop traffic goes fine, but sometimes the Internet does not work and emails do not go out or come in.

I am a bit confused.

First of all, check the configuration and then tell me if you have any suggestion.

Regards,

Lasani

The access-list follows its order, line 1 then line 2 ...; it does not really matter here. Both of your examples are OK.

Put the access-list lines for the more important protocols at the beginning.


sincerely

Patrick
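To check the two points made above (entries are tried top to bottom, so the order of Lasani's two non-overlapping lists makes no difference, and anything unmatched hits the implicit "deny ip any any"), here is a small first-match evaluator for the access-list lines from this thread. It is an added example, not Cisco code or anything posted in the thread; the PORT_NAMES table and the sample flows are assumptions made for the demonstration.

```python
# Added example (not from the thread or Cisco): a minimal first-match evaluator
# for PIX "access-list" lines, modelling the two rules the replies rely on:
# entries are tried top to bottom, unmatched traffic hits the implicit deny.
import ipaddress

# Service names that appear in the thread, mapped to TCP ports (assumption:
# this small table is all the examples need; PIX knows many more names).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20,
              "smtp": 25, "pop3": 110}

def _parse_addr(tok, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX access-list entries use a subnet mask, not an IOS-style wildcard
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2

def parse_acl_line(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src, dst, dport):
    """Decide one flow against the ACL; returns 'permit' or 'deny'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in map(parse_acl_line, acl_lines):
        if e["proto"] in (proto, "ip") and src_ip in e["src"] \
                and dst_ip in e["dst"] and e["port"] in (None, dport):
            return e["action"]          # first match wins
    return "deny"                       # implicit deny ip any any

# The two orderings Lasani asked about, copied from the thread.
ORDER_A = ["access-list 100 permit tcp any any eq smtp",
           "access-list 100 permit tcp any any eq pop3",
           "access-list 100 permit tcp host 10.2.1.10 any eq www"]
ORDER_B = [ORDER_A[2], ORDER_A[0], ORDER_A[1]]

def same_decisions(acl_a, acl_b, flows):
    """True if both ACLs give the same verdict for every (proto, src, dst, dport)."""
    return all(evaluate(acl_a, *f) == evaluate(acl_b, *f) for f in flows)
```

With these lists a non-proxy host such as 10.2.1.50 is permitted on 25 and 110 but denied on 80 by the implicit deny, and both orderings give identical verdicts because no entry shadows another.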

Why does the Internet sometimes stop, and emails going out or coming in stop working?

Any idea?

Difficult to say like this!

Might be a config problem, performance issue, Internet problems?

1.) How many internal users do you have and what is your user license? See in <show version>.

2.) Troubleshooting guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

3.) Enable logging to syslog or buffer to see what's going on:

logging on

logging buffered debugging

logging trap debugging

logging host SyslogIP

Syslog software can be found at:

http://www.ncat.co.uk/Download/3cdv2r10.exe

http://www.ncat.co.uk/Download/

sincerely

Patrick
