925 Views, 3 Helpful, 4 Replies

Limit internet access to one proxy server.

darragh
Level 1

We have a Cisco Router (1701) running IOS 12.4. I want to configure the router to only allow access to the internet and the various protocols via the proxy server (192.168.16.6). This is to help stop technically savvy staff bypassing our proxy server for browsing and such.

Accepted Solution

In the simple case, where I assume your router's only purpose is to get to the internet, you can use a simple access list. This is just a sample of the more common ports.

access-list 110 permit tcp host 192.168.16.6 any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq ftp-data
access-list 110 deny tcp any any eq ftp
access-list 110 deny tcp any any eq telnet
access-list 110 permit ip any any

You apply this inbound on the Ethernet port.

Now if this router serves more functions, like you have remote sites behind it or there are other interfaces, you will need to allow that traffic before you deny the traffic.

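To show why the order of the entries above matters, here is a small Python model of first-match ACL evaluation, added as an illustration and not code from the thread or from Cisco. It parses the access list posted in the answer (plus a second, assumed variant with a remote-site line inserted before the denies), evaluates a few constructed flows against it, and applies the implicit deny that ends every IOS ACL. The client, remote-site and internet addresses are made up for the example, and wildcard masks are assumed to be contiguous.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names used in the thread's ACL (IOS accepts either the name or the number).
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "telnet": 23}

# The access list exactly as posted in the accepted answer.
THREAD_ACL = """
access-list 110 permit tcp host 192.168.16.6 any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq ftp-data
access-list 110 deny tcp any any eq ftp
access-list 110 deny tcp any any eq telnet
access-list 110 permit ip any any
"""

# Assumed variant: a remote site on 10.20.0.0/16 (constructed for this example)
# is permitted BEFORE the deny lines, as the answer's last paragraph advises.
REMOTE_SITE_ACL = THREAD_ACL.replace(
    "access-list 110 deny tcp any any eq www",
    "access-list 110 permit ip 192.168.16.0 0.0.0.255 10.20.0.0 0.0.255.255\n"
    "access-list 110 deny tcp any any eq www",
)


@dataclass
class Flow:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0


@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]                # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask sets 1 bits where the address may differ; assuming a
    # contiguous mask, the number of 1 bits gives the prefix length directly.
    addr, wildcard = tokens[i], tokens[i + 1]
    prefix = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES.get(name) or int(name)
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, flow):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in e.src:
            continue
        if ipaddress.ip_address(flow.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny"


def check(acl_text, flow):
    return evaluate(parse_acl(acl_text), flow)


if __name__ == "__main__":
    proxy, client, internet, remote = "192.168.16.6", "192.168.16.50", "203.0.113.10", "10.20.0.5"
    for label, acl, flow in [
        ("proxy to web", THREAD_ACL, Flow("tcp", proxy, internet, 80)),
        ("client to web", THREAD_ACL, Flow("tcp", client, internet, 80)),
        ("client DNS", THREAD_ACL, Flow("udp", client, internet, 53)),
        ("client to port 8080", THREAD_ACL, Flow("tcp", client, internet, 8080)),
        ("client to remote site, posted ACL", THREAD_ACL, Flow("tcp", client, remote, 80)),
        ("client to remote site, remote line first", REMOTE_SITE_ACL, Flow("tcp", client, remote, 80)),
    ]:
        print(f"{label:45s} -> {check(acl, flow)}")
```

Two results are worth noting as a defender: a client request to port 8080 still reaches the final `permit ip any any`, which is the answer's own caveat that the list covers only the common ports, so any web port not listed needs its own deny line; and without the remote-site permit placed ahead of the denies, the client's HTTP to the remote site is dropped by `deny tcp any any eq www`, which is exactly the ordering problem the last paragraph of the answer warns about.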

4 Replies

tdrais
Level 7

You can policy route the traffic to the proxy, but the proxy must be set up correctly to be transparent so the routing works.

If your proxy supports it you can also use WCCP to allow the proxy to tell the router which traffic to send the proxy.

You will never stop the truly savvy staff; they will eventually just build SSL (HTTPS) tunnels through your proxy and surf whatever they please anyway.

Your post has given me another avenue of thought, but maybe my description threw you. Imagine that I have a LAN where everyone has their default gateway set to the router and they can browse the net freely. What I am hoping to do is only allow the IP of the proxy server to get access via the router, thus blocking direct routes from the client PCs.


That is exactly what I wanted. It is already in place and working. Many thanks.
