Access only few Internet websites URL

nikuhappy2010
Level 1

Hi, I want to block Internet usage for inside users except for a few websites. Please advise.

The QA testing team tests an application by connecting to remote servers, which are connected by an STS Tunnel. I have opened the IP protocol between both sites, and they test the application, which uses port 80. Here, I would say that this traffic must not be blocked if we make any rule for inside users.

22 Replies

I think you need a policy map.

Anyway, can you tell me what your topology is?

If you can post a simple graph, that will be better.

I want to know how you route your traffic to the proxy.

ASA Conf:-

Inside :- 192.168.12.1

Outside :- *.*.43.210

Default Gateway set on all Client machines :- 192.168.12.1

Proxy Server :- 192.168.12.20

Please suggest.

??

Then how do you route the clients' traffic to the proxy?

It looks like the traffic is going only to the ASA?

I have denied all inside (inbound) traffic except the proxy machine's traffic. Users send their requests directly to the proxy to use the Internet, but I want all e-mail, IM and Yahoo Messenger traffic to be allowed by the inside interface; that's why I set this IP, 192.168.12.1, as the gateway on the client machines. I am not able to understand how to do this?

OK.

There are two ways to configure a firewall with a proxy.

First:

Make the users' default gateway the proxy IP address.

Then the proxy should have caching and filtering rules to filter your traffic; after that the proxy should be made to forward the traffic to the ASA. In this case the default gateway of the proxy is the inside interface of the ASA.

Within the above method you can make the default gateway the ASA for clients that you don't want to go through the proxy,

bypassing it.

Second method (I think better):

Make another interface

on the ASA, a DMZ interface,

and put the proxy server there.

Make a route on the ASA to route the traffic to the proxy on the DMZ,

and in this case the users' default gateway will be the ASA inside IP.

Then the ASA will forward the traffic back to the ASA after filtering it,

and you can control who is sent to the firewall or not.

In your case, I mean what you have configured:

You can make an ACL that permits users' IPs going to certain ports,

but with IM it is hard because they use different ports, even 80, tunneled in HTTP.

I sent you a link before related to blocking IM; use it and make the ACL match the users you want and make it permit for them.

Through policy map and inspection should be better, because you are going to filter on the application layer.

Good luck.

Rate if helpful.

Hi, thanks for your prompt response.

I can use the first method and set the client machines' DG to the proxy server; then users' e-mail traffic would go this way: Client----Proxy----Inside ASA----Outside. If I use this, then e-mail downloading works so slowly. That's why I want to set the proxy settings in IE, so that when users open any site the request is forwarded to the proxy server, and e-mail, IM and Yahoo Messenger traffic is forwarded directly to the inside interface, and by making an access list the inside interface could allow these three applications' traffic and deny all other traffic.

OK, allow SMTP and POP3 from those clients.

And about IM:

I told you, read the link I sent you. You can achieve it through:

policy-map type inspect im im_pmap_name

Firewall(config-pmap)# match [not] ip-address ip_address subnet_mask
Firewall(config-pmap-c)# {drop-connection | reset}
  Match: Client IP address
  Action: Drop or reset the connection

Firewall(config-pmap)# match [not] login-name regex {regex | class regex_cmap_name}
Firewall(config-pmap-c)# {drop-connection | reset}
  Match: Client's IM login name
  Action: Drop or reset the connection

Firewall(config-pmap)# match [not] protocol [msn-im] [yahoo-im]
Firewall(config-pmap-c)# {drop-connection | reset}
  Match: IM protocol
  Action: Drop or reset the connection

Firewall(config-pmap)# match [not] service {chat | conference | file-transfer | games | voice-chat | webcam}
Firewall(config-pmap-c)# {drop-connection | reset}
  Match: IM service
  Action: Drop or reset the connection

Firewall(config-pmap)# match [not] version regex {regex | class regex_cmap_name}
Firewall(config-pmap-c)# {drop-connection | reset}
  Match: IM file transfer service version
  Action: Drop or reset the connection

Good luck.

Please rate if helpful.
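As an added illustration (not configuration posted in this thread), here is an inside-interface ACL that matches the two replies above: web only from the proxy at 192.168.12.20, SMTP/POP3 directly from the clients, the QA team's port 80 traffic through the tunnel kept open, and an explicit logged deny for everything else. It assumes the clients live on 192.168.12.0/24, uses REMOTE_SITE_SUBNET as a placeholder for the far-side subnet of the tunnel, and adds a DNS permit on the assumption that clients resolving mail hosts directly no longer use the proxy's resolver; the ASA evaluates the list top-down and stops at the first match, so the order of the lines matters.

```cisco
! Constructed example for this thread, not a copy of any real configuration.
object-group service MAIL_PORTS tcp
 port-object eq smtp
 port-object eq pop3
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
! 1. Tunnel traffic first, so the QA testers keep port 80 to the remote servers
!    (REMOTE_SITE_SUBNET is a placeholder; replace it with the real far-side network).
access-list INSIDE_IN extended permit tcp 192.168.12.0 255.255.255.0 REMOTE_SITE_SUBNET 255.255.255.0 eq www
! 2. Only the proxy may open web connections to the Internet.
access-list INSIDE_IN extended permit tcp host 192.168.12.20 any object-group WEB_PORTS
! 3. Clients may reach mail servers directly, bypassing the proxy.
access-list INSIDE_IN extended permit tcp 192.168.12.0 255.255.255.0 any object-group MAIL_PORTS
! 4. Assumption: clients need DNS for the direct mail/IM connections.
access-list INSIDE_IN extended permit udp 192.168.12.0 255.255.255.0 any eq domain
! 5. Everything else from inside is dropped and logged, so attempts to bypass
!    the proxy show up in syslog rather than disappearing silently.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Check the result with "show access-list INSIDE_IN": the hit counters on line 5 show what is still being denied, which is where IM traffic on non-standard ports will land until it is handled by inspection.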
