https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615621#M1029123 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I feel the best practice for this case is to put the PIX in a separate VLAN. The Proxy can be in the user VLAN. This will solve all the issues, as user cannot configure the PIX IP on their PCs and get access to network. PCs will have the def-gateway to Proxy, the proxy will have def-gw at VLAN IP, and a def route will be there on the switch to the PIX. Thats it.</P><P>C if this suggestion helps.</P></BODY></HTML> Fri, 12 Jan 2007 10:18:44 GMT sarkarpritam 2007-01-12T10:18:44Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615614#M1029097 <P>Dear All,</P><P></P><P>I am very new with this, all of my users's PC gateway is assigned to IP 172.16.1.5 (Proxy server).. and the gateway of The Proxy Server is assigned to PIX 172.16.1.1.</P><P></P><P>If the users knew the IP address of PIX then they will set their gateway to PIX's IP Address then they able to go to the internet without proxy server, this is the part that I want to deny </P><P></P><P>could any body please help how to deal with this?</P><P></P><P>Many thanks in advance</P><P></P><P>Regards</P><P>Winanjaya</P> Mon, 11 Mar 2019 09:18:27 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615614#M1029097 winanjaya 2019-03-11T09:18:27Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615615#M1029102 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can handle this by, including an ACL in the firewall which allows outbound HTTP access only for the proxy server IP.</P><P></P><P>Then the users wouldn't be able to browse through the firewall, they have point to the proxy server to get internet access.</P><P></P><P>-VJ</P><P></P><P></P><P></P></BODY></HTML> Fri, 12 Jan 2007 07:34:46 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615615#M1029102 vijayasankar 2007-01-12T07:34:46Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615616#M1029107 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am very new with this, could you pls give me an example?</P><P></P><P>TIA </P><P></P><P>Regards</P><P>Winanjaya</P></BODY></HTML> Fri, 12 Jan 2007 07:48:33 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615616#M1029107 winanjaya 2007-01-12T07:48:33Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615617#M1029111 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Apply the following ACL on the inside interface of your PIX in configuration mode:</P><P></P><P>access-list inside permit tcp host 172.16.1.5 any eq www</P><P>access-list inside deny tcp any any eq www</P><P>access-list inside permit ip any any</P><P>access-group inside in interface inside</P><P></P><P>Save with: write mem and also issue: clear xlate</P><P></P><P>The above ACL will only allow your proxy server to browse the internet and deny anything else. Now your users MUST</P><P>point their browser to the proxy server!!</P><P></P><P>Hope this helps and please rate posts!!</P><P></P><P>Jay</P></BODY></HTML> Fri, 12 Jan 2007 07:50:27 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615617#M1029111 jmia 2007-01-12T07:50:27Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615618#M1029114 <HTML><HEAD></HEAD><BODY><P>how about for ftp, https and any other internet services.. pls advise</P><P></P><P>Thanks &amp; Regards</P><P>Winanjaya</P></BODY></HTML> Fri, 12 Jan 2007 08:12:42 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615618#M1029114 winanjaya 2007-01-12T08:12:42Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615619#M1029117 <HTML><HEAD></HEAD><BODY><P>If you are using proxy also for FTP and HTTPS add those services to access-list</P><P>access-list inside permit tcp host 172.16.1.5 any eq www</P><P>access-list inside permit tcp host 172.16.1.5 any eq ftp</P><P>access-list inside permit tcp host 172.16.1.5 any eq 443</P><P>access-list inside deny tcp any any eq www</P><P>access-list inside deny tcp any any eq ftp</P><P>access-list inside deny tcp any any eq 443</P><P>access-list inside permit ip any any</P><P>access-group inside in interface inside</P><P>M.</P><P></P></BODY></HTML> Fri, 12 Jan 2007 09:24:38 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615619#M1029117 m.sir 2007-01-12T09:24:38Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615620#M1029121 <HTML><HEAD></HEAD><BODY><P>Thanks a lot </P><P></P><P>Regards</P><P>Winanjaya</P></BODY></HTML> Fri, 12 Jan 2007 09:35:44 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615620#M1029121 winanjaya 2007-01-12T09:35:44Z https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615621#M1029123 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I feel the best practice for this case is to put the PIX in a separate VLAN. The Proxy can be in the user VLAN. This will solve all the issues, as user cannot configure the PIX IP on their PCs and get access to network. PCs will have the def-gateway to Proxy, the proxy will have def-gw at VLAN IP, and a def route will be there on the switch to the PIX. Thats it.</P><P>C if this suggestion helps.</P></BODY></HTML> Fri, 12 Jan 2007 10:18:44 GMT https://community.cisco.com/t5/network-security/how-to-deny-user-use-the-ip-address-of-pix/m-p/615621#M1029123 sarkarpritam 2007-01-12T10:18:44Z