Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1178
Views
5
Helpful
7
Replies

How to deny user use the ip address of PIX

Go to solution
winanjaya
Level 1
Level 1

‎01-11-2007 08:50 PM - edited ‎03-11-2019 02:18 AM

Dear All,

I am very new with this, all of my users's PC gateway is assigned to IP 172.16.1.5 (Proxy server).. and the gateway of The Proxy Server is assigned to PIX 172.16.1.1.

If the users knew the IP address of PIX then they will set their gateway to PIX's IP Address then they able to go to the internet without proxy server, this is the part that I want to deny

could any body please help how to deal with this?

Many thanks in advance

Regards

Winanjaya

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmia
Level 7
Level 7

‎01-11-2007 11:50 PM

Hi

Apply the following ACL on the inside interface of your PIX in configuration mode:

access-list inside permit tcp host 172.16.1.5 any eq www

access-list inside deny tcp any any eq www

access-list inside permit ip any any

access-group inside in interface inside

Save with: write mem and also issue: clear xlate

The above ACL will only allow your proxy server to browse the internet and deny anything else. Now your users MUST

point their browser to the proxy server!!

Hope this helps and please rate posts!!

Jay

View solution in original post

7 Replies 7

Go to solution
vijayasankar
Level 4
Level 4

‎01-11-2007 11:34 PM

Hi,

You can handle this by, including an ACL in the firewall which allows outbound HTTP access only for the proxy server IP.

Then the users wouldn't be able to browse through the firewall, they have point to the proxy server to get internet access.

-VJ

0 Helpful

Go to solution
winanjaya
Level 1
Level 1
In response to vijayasankar

‎01-11-2007 11:48 PM

Hi,

I am very new with this, could you pls give me an example?

TIA

Regards

Winanjaya

0 Helpful

Go to solution
jmia
Level 7
Level 7

‎01-11-2007 11:50 PM

Hi

Apply the following ACL on the inside interface of your PIX in configuration mode:

access-list inside permit tcp host 172.16.1.5 any eq www

access-list inside deny tcp any any eq www

access-list inside permit ip any any

access-group inside in interface inside

Save with: write mem and also issue: clear xlate

The above ACL will only allow your proxy server to browse the internet and deny anything else. Now your users MUST

point their browser to the proxy server!!

Hope this helps and please rate posts!!

Jay

Go to solution
winanjaya
Level 1
Level 1
In response to jmia

‎01-12-2007 12:12 AM

how about for ftp, https and any other internet services.. pls advise

Thanks & Regards

Winanjaya

0 Helpful

Go to solution
m.sir
Level 7
Level 7
In response to winanjaya

‎01-12-2007 01:24 AM

If you are using proxy also for FTP and HTTPS add those services to access-list

access-list inside permit tcp host 172.16.1.5 any eq www

access-list inside permit tcp host 172.16.1.5 any eq ftp

access-list inside permit tcp host 172.16.1.5 any eq 443

access-list inside deny tcp any any eq www

access-list inside deny tcp any any eq ftp

access-list inside deny tcp any any eq 443

access-list inside permit ip any any

access-group inside in interface inside

M.

0 Helpful

Go to solution
winanjaya
Level 1
Level 1
In response to m.sir

‎01-12-2007 01:35 AM

Thanks a lot

Regards

Winanjaya

0 Helpful

Go to solution
sarkarpritam
Level 1
Level 1

‎01-12-2007 02:18 AM

Hi,

I feel the best practice for this case is to put the PIX in a separate VLAN. The Proxy can be in the user VLAN. This will solve all the issues, as user cannot configure the PIX IP on their PCs and get access to network. PCs will have the def-gateway to Proxy, the proxy will have def-gw at VLAN IP, and a def route will be there on the switch to the PIX. Thats it.

C if this suggestion helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card