11-03-2006 05:35 AM - edited 03-03-2019 02:34 PM
We have a Cisco Router (1701) running IOS 12.4. I want to configure the router to only allow access to the internet and the various protocols via the proxy server (192.168.16.6). This is to help stop technically savvy staff bypassing our proxy server for browsing and such.
11-03-2006 06:37 AM
In the simple case, where I assume your router's only purpose is to get to the internet, you can use a simple access list. This is just a sample of the more common ports.
! The proxy's own traffic matches this first line and is permitted
access-list 110 permit tcp host 192.168.16.6 any
! Everyone else is denied direct web, FTP and telnet access
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq ftp-data
access-list 110 deny tcp any any eq ftp
access-list 110 deny tcp any any eq telnet
! All other traffic (DNS, mail, internal routing, other TCP ports) still passes
access-list 110 permit ip any any
You apply this inbound on the Ethernet port.
Now, if this router serves more functions, like you have remote sites behind it or there are other interfaces, you will need to allow that traffic before you deny the traffic.
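To see what the access list above actually does to real traffic, here is a small first-match evaluator for it. This is an added example, not code from the original thread: ACL_TEXT is the poster's list verbatim, while STRICT_ACL_TEXT (a tighter variant that only lets the proxy out), the sample flows and the 203.0.113.0/24 "internet" addresses are constructed assumptions for illustration. It shows the point a practitioner would check before relying on the list: clients are still permitted to reach HTTP on non-standard ports such as 8080, and to send UDP (e.g. DNS) outside, because the trailing `permit ip any any` catches everything the deny lines do not name.

```python
"""First-match evaluator for the extended ACL posted in the answer above.

Added example, not code from the original thread.  ACL_TEXT is the poster's
list verbatim; STRICT_ACL_TEXT, the flows and the 203.0.113.0/24 addresses
are constructed assumptions used only for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in (or likely alongside) the posted ACL.
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "telnet": 23,
              "smtp": 25, "domain": 53}

# Verbatim from the answer: block direct web/ftp/telnet, let the proxy through.
ACL_TEXT = """
access-list 110 permit tcp host 192.168.16.6 any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq ftp-data
access-list 110 deny tcp any any eq ftp
access-list 110 deny tcp any any eq telnet
access-list 110 permit ip any any
"""

# Assumed tighter variant: only the proxy reaches outside, clients keep
# internal access (192.168.0.0/16 assumed here), everything else is dropped.
STRICT_ACL_TEXT = """
access-list 120 permit ip host 192.168.16.6 any
access-list 120 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 deny ip any any
"""

@dataclass
class Entry:
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" matches both tcp and udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port

def _addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return (net, next_i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(t[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)  # IOS wildcard -> netmask
    return ipaddress.ip_network((t[i], str(netmask)), strict=False), i + 2

def _port(t, i):
    """Parse an optional 'eq PORT' at t[i]; return (port_or_None, next_i)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines into Entry objects."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                      # blank lines and '!' comments
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[2], t[3], src, dst, sport, dport))
    return entries

def evaluate(entries, proto, src, dst, dport, sport=None):
    """Return 'permit' or 'deny' for one flow using IOS first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action                   # first matching line wins
    return "deny"                         # implicit 'deny ip any any' ends every IOS ACL

# Constructed sample flows: the proxy and one client PC talking to an outside host.
FLOWS = [
    ("tcp", "192.168.16.6",  "203.0.113.10", 443),   # proxy -> internet HTTPS
    ("tcp", "192.168.16.20", "203.0.113.10", 443),   # client -> internet HTTPS directly
    ("tcp", "192.168.16.20", "203.0.113.10", 80),    # client -> internet HTTP directly
    ("tcp", "192.168.16.20", "203.0.113.10", 8080),  # client -> HTTP on a non-standard port
    ("udp", "192.168.16.20", "203.0.113.10", 53),    # client -> outside DNS
    ("tcp", "192.168.16.20", "192.168.16.6", 3128),  # client -> proxy (assumed proxy port)
]

if __name__ == "__main__":
    posted, strict = parse_acl(ACL_TEXT), parse_acl(STRICT_ACL_TEXT)
    for proto, src, dst, dport in FLOWS:
        print(f"{proto} {src:>14} -> {dst}:{dport:<5} "
              f"posted={evaluate(posted, proto, src, dst, dport):6} "
              f"strict={evaluate(strict, proto, src, dst, dport)}")
```

Running it prints one line per flow: the posted list denies the client's direct 80 and 443 connections but permits 8080 and outbound UDP, whereas the stricter list denies both and still lets the client reach the proxy. Applying a list like access-list 120 on a router that also carries site-to-site or other interface traffic needs the extra permit lines the answer mentions placed before the final deny.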
11-03-2006 05:44 AM
You can policy-route the traffic to the proxy, but the proxy must be set up correctly to be transparent so the routing works.
If your proxy supports it, you can also use WCCP to allow the proxy to tell the router which traffic to send to the proxy.
You will never stop the truly savvy staff; they will eventually just build SSL (HTTPS) tunnels through your proxy and surf whatever they please anyway.
11-03-2006 06:01 AM
Your post has given me another avenue of thought, but maybe my description threw you. Imagine that I have a LAN where everyone has their default gateway set to the router and they can browse the net freely. What I am hoping to do is only allow the IP of the proxy server to get access via the router, thus blocking direct routes from the client PCs.
11-03-2006 06:40 AM
That is exactly what I wanted. It is already in place and working. Many thanks.