04-25-2005 09:05 PM - edited 02-21-2020 12:06 AM
Scenario:
Note: Squid proxy at DMZ of PIX (single legged).
Inside LAN: 192.168.22.0 /24
DMZ : 172.16.10.0 /24
How do I configure the PIX ACL to forward all http, https and ftp traffic initiated from the inside LAN to the Internet?
e.g.
access-list dmz_in permit tcp host proxy any eq www
access-list dmz_in permit tcp host proxy any eq https
access-list dmz_in permit tcp host proxy any range 20 21
access-list dmz_in permit tcp host proxy eq www 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy eq https 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy range 20 21 192.168.22.0 255.255.255.0
access-list inside_in permit tcp 192.168.22.0 255.255.255.0 host proxy eq 8080
Can this config work?
Any expert out there to help?
04-26-2005 06:28 AM
Anyone? Help please?
04-26-2005 04:09 PM
Looks good, but you also need DNS!
access-list dmz_in permit udp host proxy any eq 53
access-list dmz_in permit tcp host proxy any eq www
access-list dmz_in permit tcp host proxy any eq https
access-list dmz_in permit tcp host proxy any range 20 21
access-list inside_in deny tcp any any eq www
access-list inside_in deny tcp any any eq https
access-list inside_in deny tcp any any range 20 21
access-list inside_in permit tcp 192.168.22.0 255.255.255.0 host proxy eq 8080
access-list inside_in permit ip any any
This should work! Reconfigure the Internet browsers to use the proxy server on port 8080.
Remove these lines if the DMZ does not really establish connections to the inside network.
access-list dmz_in permit tcp host proxy eq www 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy eq https 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy range 20 21 192.168.22.0 255.255.255.0
sincerely
Patrick
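To see what Patrick's line ordering actually does, here is an added first-match evaluator for the PIX access-list syntax used in this thread (example code written for this page, not from Cisco or from any poster). It assumes a hypothetical proxy address of 172.16.10.5, since the thread never states the proxy's IP.

```python
import ipaddress
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "ftp-data": 20}

# Constructed example: Patrick's inside_in ACL from the reply above, with "proxy"
# resolved to a hypothetical DMZ address (the thread never gives the proxy's IP).
PROXY = "172.16.10.5"
INSIDE_IN = """
access-list inside_in deny tcp any any eq www
access-list inside_in deny tcp any any eq https
access-list inside_in deny tcp any any range 20 21
access-list inside_in permit tcp 192.168.22.0 255.255.255.0 host proxy eq 8080
access-list inside_in permit ip any any
""".replace("proxy", PROXY)

def _take_addr(tokens):
    # One PIX address spec: 'any', 'host A', or 'A MASK' (consumed from the front).
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def _take_ports(tokens):
    # Optional 'eq P' or 'range A B'; absent means all ports.
    if tokens and tokens[0] == "eq":
        p = int(PORT_NAMES.get(tokens[1], tokens[1]))
        del tokens[:2]
        return p, p
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        del tokens[:3]
        return lo, hi
    return 0, 65535

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()  # access-list NAME ACTION PROTO SRC [ports] DST [ports]
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sports = _take_addr(rest), _take_ports(rest)
        dst, dports = _take_addr(rest), _take_ports(rest)
        rules.append((action, proto, src, sports, dst, dports))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    # PIX semantics: the first matching line wins; no match means implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, (slo, shi), rdst, (dlo, dhi) in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and slo <= sport <= shi and dlo <= dport <= dhi:
            return action
    return "deny"
```

Feeding a client flow to the proxy on 8080 returns permit, while a direct flow to port 80, 443 or 21 hits the deny lines first; note that the trailing "permit ip any any" still lets inside hosts reach the Internet on every other port, DNS included.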
04-26-2005 05:33 PM
Thank you so much. Will try and let you know.
Thanks once again.
04-27-2005 06:52 AM
How did it work?
sincerely
Patrick
04-28-2005 05:50 PM
Not really. I should allow LAN (tcp) -> proxy using port 8080 first, then apply all the denies to http, https, ftp, etc.
Now the problem is the Windows authentication (Win2k3 Active Directory) on the inside LAN, whereas the proxy is in the DMZ.
What ports should I allow between the two to get the proxy authentication working with my Win2k3 Active Directory?
Is it only tcp 445 and 88 + udp 88?
Can anyone advise?