Prevent clients bypassing proxy

chriwall01
Level 1

Hi all,

I was wondering if someone could help me out with an issue I have. At present our corporation has all internet traffic routed via our HQ, through a Cisco ASA 5510 arrangement. I need to prevent client machines (subnet / range) going directly out onto the internet; I need them to go via a proxy server. My thought was to put a deny ACL on the outbound internal interface. This would be something like deny ip [ip address] [subnet] interface outside with a permit rule for the proxy address.

Does anyone have any suggestions, or ideas as to how I could do this?

Any help would be much appreciated.

Thanks in advance.

2 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Access list on the inside interface is the easiest and best way to do it. In addition, you can also control it via NAT. Here is a sample config:

! <PROXY-IP>: placeholder for the proxy server's inside address (omitted in the original post)
! The proxy's permits must come before the deny lines: ASA ACLs are first-match
access-list inside_access_out permit tcp host <PROXY-IP> any eq 80
access-list inside_access_out permit tcp host <PROXY-IP> any eq 443
access-list inside_access_out deny tcp any any eq 80
access-list inside_access_out deny tcp any any eq 443
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
! Only the proxy gets a NAT entry, so only the proxy can be translated out
global (outside) 1 interface
nat (inside) 1 <PROXY-IP> 255.255.255.255

Make sure that except for the servers that need direct internet access, no other host has a NAT rule on the firewall. In that way, even if the hosts try to bypass the access-list rule, they will not be able to go out without the NAT rule.

Hope this helps.

Regards,

NT
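The reply relies on two properties of the ASA: an ACL is evaluated top to bottom and the first matching entry wins (with an implicit deny at the end), and a host with no NAT entry cannot egress even if the ACL lets it through. The following is an added illustration, not part of this thread or of any Cisco product: a small Python model of first-match ACL evaluation plus the NAT check, run over constructed flows. The addresses (10.0.0.10 as the proxy, 10.0.1.0/24 clients, 192.0.2.0/24 as a DMZ) and the helper names are assumptions made for the example. It also shows the caveat the follow-up question touches on: a blanket `deny tcp any any eq 80` on the inside interface blocks client access to a DMZ web server on port 80 too, unless a permit for the DMZ is placed ahead of it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example: a toy model of ASA first-match ACL evaluation and the
# "no NAT entry, no egress" rule from the reply. Addresses are constructed.

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"/"udp"
    src: str               # "any" or a CIDR such as "10.0.0.10/32"
    dst: str               # "any" or a CIDR
    dport: Optional[int]   # None means any destination port


def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against an ACE address spec ("any" or CIDR)."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate_acl(acl, proto, src, dst, dport):
    """Return (action, index) of the first matching ACE.

    Mirrors ASA semantics: first match wins, and an implicit deny
    sits at the end of every access list (index None).
    """
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _match_addr(ace.src, src) or not _match_addr(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


def can_reach_internet(acl, nat_hosts, proto, src, dst, dport):
    """Egress requires both an ACL permit and a NAT entry for the source."""
    action, _ = evaluate_acl(acl, proto, src, dst, dport)
    return action == "permit" and ip_address(src) in nat_hosts


def with_dmz_exception(acl, dmz_net):
    """Insert a permit for DMZ web servers ahead of the first deny.

    Ordering is the point: placed after the deny it would never match.
    """
    first_deny = next(i for i, a in enumerate(acl) if a.action == "deny")
    dmz_ace = Ace("permit", "tcp", "any", dmz_net, 80)
    return acl[:first_deny] + [dmz_ace] + acl[first_deny:]


PROXY = "10.0.0.10"        # constructed proxy address (assumption)
DMZ_NET = "192.0.2.0/24"   # constructed DMZ range (assumption)

# Same shape as the sample ACL in the reply above
SAMPLE_ACL = [
    Ace("permit", "tcp", PROXY + "/32", "any", 80),
    Ace("permit", "tcp", PROXY + "/32", "any", 443),
    Ace("deny", "tcp", "any", "any", 80),
    Ace("deny", "tcp", "any", "any", 443),
    Ace("permit", "ip", "any", "any", None),
]
NAT_HOSTS = {ip_address(PROXY)}   # only the proxy is translated outbound


if __name__ == "__main__":
    client, inet, dmz_web = "10.0.1.25", "198.51.100.7", "192.0.2.5"
    print("client -> internet:80 ", evaluate_acl(SAMPLE_ACL, "tcp", client, inet, 80))
    print("proxy  -> internet:443", evaluate_acl(SAMPLE_ACL, "tcp", PROXY, inet, 443))
    print("client -> DMZ:80      ", evaluate_acl(SAMPLE_ACL, "tcp", client, dmz_web, 80))
    fixed = with_dmz_exception(SAMPLE_ACL, DMZ_NET)
    print("client -> DMZ:80 (fix)", evaluate_acl(fixed, "tcp", client, dmz_web, 80))
    print("client udp/53 egress? ", can_reach_internet(SAMPLE_ACL, NAT_HOSTS, "udp", client, inet, 53))
```

Running it shows the client's direct web request hitting the deny at index 2, the proxy matching its permit first, and the DMZ web server being blocked by the same deny until the exception is inserted ahead of it. The last line shows the second layer: UDP/53 from a client passes the ACL's trailing `permit ip any any`, but without a NAT entry the model still reports no egress.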

Hi NT,

Thanks for the quick reply. I'll give it a go and let you know.

One afterthought though, would I need to specifically allow the internal IPs access to the DMZ?

Once again, thanks!
