01-11-2007 08:50 PM - edited 03-11-2019 02:18 AM
Dear All,
I am very new to this. All of my users' PCs have their gateway set to IP 172.16.1.5 (the proxy server), and the gateway of the proxy server is set to the PIX, 172.16.1.1.
If the users knew the IP address of the PIX, they could set their gateway to the PIX's IP address and get to the internet without the proxy server; this is the part that I want to deny.
Could anybody please help with how to deal with this?
Many thanks in advance
Regards
Winanjaya
Labels: NGFW Firewalls
Accepted Solutions
01-11-2007 11:50 PM
Hi
Apply the following ACL on the inside interface of your PIX in configuration mode:
access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside deny tcp any any eq www
access-list inside permit ip any any
access-group inside in interface inside
Save with: write mem and also issue: clear xlate
The above ACL will only allow your proxy server to browse the internet and deny anything else. Now your users MUST point their browser to the proxy server!!
Hope this helps and please rate posts!!
Jay
01-11-2007 11:34 PM
Hi,
You can handle this by including an ACL in the firewall which allows outbound HTTP access only for the proxy server IP.
Then the users wouldn't be able to browse through the firewall; they have to point to the proxy server to get internet access.
-VJ
01-11-2007 11:48 PM
Hi,
I am very new to this; could you please give me an example?
TIA
Regards
Winanjaya
01-12-2007 12:12 AM
How about FTP, HTTPS and any other internet services? Please advise.
Thanks & Regards
Winanjaya
01-12-2007 01:24 AM
If you are using the proxy also for FTP and HTTPS, add those services to the access-list:
access-list inside permit tcp host 172.16.1.5 any eq www
access-list inside permit tcp host 172.16.1.5 any eq ftp
access-list inside permit tcp host 172.16.1.5 any eq 443
access-list inside deny tcp any any eq www
access-list inside deny tcp any any eq ftp
access-list inside deny tcp any any eq 443
access-list inside permit ip any any
access-group inside in interface inside
M.
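The ACLs in Jay's accepted answer and in M.'s extended version above are evaluated first match wins, with an implicit deny after the last line. Because both end with `permit ip any any`, a user PC that points its gateway straight at the PIX is stopped only on the ports explicitly denied before that line; anything else (SSH, DNS, a web proxy on 8080, and in Jay's three-line version HTTPS too) still passes. The following simulator is an added example, not code from the thread or from Cisco: it parses the posted `access-list inside` lines and reports what a user host gets when it bypasses the proxy. The user address 172.16.1.10 and the destination 203.0.113.10 are constructed for the example; the proxy address and the ACL text are taken from the posts.

```python
"""First-match evaluation of the PIX 'inside' ACLs posted in this thread.

Added example, not from the original posts: parses the posted access-list
lines and reports which outbound flows a user PC can still open when it
bypasses the proxy by pointing its gateway at the PIX.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Service names used in the posted ACLs, as the PIX resolves them.
PORT_NAMES = {"www": 80, "ftp": 21, "https": 443, "domain": 53, "ssh": 22}

# ACLs exactly as posted by Jay and by M. above.
JAY_ACL = [
    "access-list inside permit tcp host 172.16.1.5 any eq www",
    "access-list inside deny tcp any any eq www",
    "access-list inside permit ip any any",
]
M_ACL = [
    "access-list inside permit tcp host 172.16.1.5 any eq www",
    "access-list inside permit tcp host 172.16.1.5 any eq ftp",
    "access-list inside permit tcp host 172.16.1.5 any eq 443",
    "access-list inside deny tcp any any eq www",
    "access-list inside deny tcp any any eq ftp",
    "access-list inside deny tcp any any eq 443",
    "access-list inside permit ip any any",
]


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX uses a netmask, not a wildcard)."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <name> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching ACE; an ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def bypass_report(acl_lines: List[str], src: str = "172.16.1.10") -> Dict[str, str]:
    """Which outbound flows does host `src` get when it sends straight to the PIX?"""
    acl = [parse_ace(line) for line in acl_lines]
    probes = [("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 8080), ("tcp", 22), ("udp", 53)]
    # 203.0.113.10 is a documentation address standing in for "the internet" (constructed).
    return {f"{p}/{port}": evaluate(acl, p, src, "203.0.113.10", port) for p, port in probes}


if __name__ == "__main__":
    for name, lines in (("Jay", JAY_ACL), ("M.", M_ACL)):
        print(name, "user PC:", bypass_report(lines))
        print(name, "proxy  :", bypass_report(lines, src="172.16.1.5"))
```

Running it shows the user PC denied on tcp/80 (and, with M.'s list, on tcp/21 and tcp/443) but permitted on tcp/22, tcp/8080 and udp/53, while the proxy host is permitted on everything. If the intent is that only the proxy may talk to the outside at all, the trailing `permit ip any any` has to be narrowed to the internal traffic that genuinely needs to cross the PIX, so that the implicit deny catches the rest.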
01-12-2007 01:35 AM
Thanks a lot
Regards
Winanjaya
01-12-2007 02:18 AM
Hi,
I feel the best practice for this case is to put the PIX in a separate VLAN. The proxy can be in the user VLAN. This will solve all the issues, as users cannot configure the PIX IP on their PCs and get access to the network. PCs will have their default gateway set to the proxy, the proxy will have its default gateway at the VLAN IP, and a default route will be there on the switch to the PIX. That's it.
See if this suggestion helps.
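An illustrative Layer 3 switch configuration for the layout described in the post above. This is an added example, not configuration from the thread or from Cisco: VLAN numbers, the 172.16.2.0/30 transit subnet, the SVI addresses, the interface name and the ACL name are all assumptions. Moving the PIX into its own VLAN stops users from ARPing for it directly, but the switch still routes between the VLANs, so a user who sets the switch SVI as their gateway would be forwarded to the PIX; the example therefore also filters the user SVI so that only the proxy may leave the user VLAN.

```cisco
! Added illustration, not from the thread. Assumes an IOS Layer 3 switch,
! VLAN 10 = users plus proxy (172.16.1.0/24), VLAN 20 = PIX inside (172.16.2.0/30).
! In this layout the PIX inside address moves from 172.16.1.1 to 172.16.2.1 (assumed).
vlan 10
 name USERS
vlan 20
 name FIREWALL
!
! Only the proxy may be routed out of the user VLAN; all other routed traffic
! from that VLAN is dropped. Traffic between user PCs and the proxy stays
! inside VLAN 10 at Layer 2 and is not affected by this ACL.
ip access-list extended USERS-OUT
 permit ip host 172.16.1.5 any
 deny ip any any log
!
interface Vlan10
 ip address 172.16.1.254 255.255.255.0
 ip access-group USERS-OUT in
!
interface Vlan20
 ip address 172.16.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description to PIX inside (172.16.2.1, assumed)
 switchport mode access
 switchport access vlan 20
!
ip routing
ip route 0.0.0.0 0.0.0.0 172.16.2.1
```

With this in place the proxy's default gateway is 172.16.1.254, and the PIX needs a return route for the user subnet pointing at the switch (on PIX 6.x, `route inside 172.16.1.0 255.255.255.0 172.16.2.2`). The `log` keyword on the final deny gives you a record of any PC that tries to route around the proxy.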