Advise needed for PIX+Squid Proxy configuration

wanghmk1223
Level 1

Scenario:

Note: Squid proxy at DMZ of PIX (single legged).

Inside LAN: 192.168.22.0 /24

DMZ : 172.16.10.0 /24

How to go ahead to configure PIX ACLs to forward all http, https, ftp traffic initiated from the inside LAN to the Internet?

eg.

access-list dmz_in permit tcp host proxy any eq www
access-list dmz_in permit tcp host proxy any eq https
access-list dmz_in permit tcp host proxy any range 20 21
access-list dmz_in permit tcp host proxy eq www 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy eq https 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy range 20 21 192.168.22.0 255.255.255.0
access-list inside_in permit tcp 192.168.22.0 255.255.255.0 host proxy eq 8080

Can this config work?

Any expert to help out there?

5 Replies

wanghmk1223
Level 1

anyone? help pls?

Looks good, but you also need DNS!

access-list dmz_in permit udp host proxy any eq 53
access-list dmz_in permit tcp host proxy any eq www
access-list dmz_in permit tcp host proxy any eq https
access-list dmz_in permit tcp host proxy any range 20 21
access-list inside_in deny tcp any any eq www
access-list inside_in deny tcp any any eq https
access-list inside_in deny tcp any any range 20 21
access-list inside_in permit tcp 192.168.22.0 255.255.255.0 host proxy eq 8080
access-list inside_in permit ip any any

This should work! Reconfigure the Internet browsers to use the proxy server on port 8080.

Remove these lines if the DMZ does not really establish connections to the inside network.

access-list dmz_in permit tcp host proxy eq www 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy eq https 192.168.22.0 255.255.255.0
access-list dmz_in permit tcp host proxy range 20 21 192.168.22.0 255.255.255.0

sincerely

Patrick
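A first-match evaluator for the inside_in list in the reply above, added here as an illustration and not part of the thread or of any Cisco tooling; it assumes a placeholder address for the PIX name proxy (172.16.10.10, which the thread never gives) and handles only the address and port syntax that appears in these posts.

```python
import ipaddress
# "proxy" is a PIX name whose address the thread never gives; 172.16.10.10 is a placeholder.
NAMES, PORT_NAMES = {"proxy": "172.16.10.10"}, {"www": 80, "https": 443}

# The inside_in list from the reply above, as posted; entry order matters (first match wins).
INSIDE_IN = """
access-list inside_in deny tcp any any eq www
access-list inside_in deny tcp any any eq https
access-list inside_in deny tcp any any range 20 21
access-list inside_in permit tcp 192.168.22.0 255.255.255.0 host proxy eq 8080
access-list inside_in permit ip any any
"""

def _addr(t):  # consume one PIX address spec: any | host NAME | NETWORK MASK
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(NAMES.get(t[1], t[1])), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _ports(t):  # consume an optional port operator: eq P | range A B (default: all ports)
    if t and t[0] == "eq":
        return (int(PORT_NAMES.get(t[1], t[1])),) * 2, t[2:]
    if t and t[0] == "range":
        return (int(t[1]), int(t[2])), t[3:]
    return (0, 65535), t

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [op] DST [op]' lines into tuples."""
    acl = []
    for tok in map(str.split, text.splitlines()):
        if tok[:1] != ["access-list"]:
            continue
        src, rest = _addr(tok[4:])
        sports, rest = _ports(rest)  # a source-port operator follows the source address
        dst, rest = _addr(rest)
        dports, _ = _ports(rest)
        acl.append((tok[2], tok[3], src, sports, dst, dports))
    return acl

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry decides; the PIX denies anything that matches no entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in acl:
        if p in ("ip", proto) and s in snet and d in dnet and \
                sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return action
    return "deny"

INSIDE = parse_acl(INSIDE_IN)
```

Running flows through it shows why the deny entries matter: with the trailing permit ip any any, a LAN host is still allowed to reach an Internet host directly on any port other than 80, 443 and 20-21, so the list only forces the browser ports through the proxy, not every protocol.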

Thank you so much. Will try and let you know.

Thanks once again.

How did it work?

sincerely

Patrick

Not really. I should allow LAN (tcp) -> proxy using port 8080 first, then apply all the denies for http, https, ftp, etc.

Now the problem is the Windows authentication (Win2k3 Active Directory) on the inside LAN, whereas the proxy is in the DMZ.

What ports should I allow between both to get the proxy auth working with my Win2k3 Active Directory?

Is it only tcp 445 and 88 + udp 88?

Can anyone advise?
