07-13-2010 07:24 AM - edited 03-11-2019 11:10 AM
Hi all,
I was wondering if someone could help me out with an issue I have. At present our corporation has all internet traffic routed via our HQ, through a Cisco ASA 5510 arrangement. I need to prevent client machines (subnet / range) going directly out onto the internet; I need them to go via a proxy server. My thought was to put a deny ACL on the outbound internal interface. This would be something like deny ip [ip address] [subnet] interface outside, with a permit rule for the proxy address.
Does anyone have any suggestions, or ideas as to how I could do this?
Any help would be much appreciated.
Thanks in advance.
07-13-2010 07:35 AM
Hello,
An access list on the inside interface is the easiest and best way to do it. In addition, you can also control it via NAT. Here is a sample config:
! <proxy-ip> is a placeholder; substitute the proxy server's inside address
! First match wins: permit the proxy for web ports before the broad denies
access-list inside_access_out permit tcp host <proxy-ip> any eq 80
access-list inside_access_out permit tcp host <proxy-ip> any eq 443
access-list inside_access_out deny tcp any any eq 80
access-list inside_access_out deny tcp any any eq 443
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
! PAT to the outside interface address, only for hosts in NAT pool 1
global (outside) 1 interface
nat (inside) 1 <proxy-ip> 255.255.255.255
Make sure that except for the servers that need direct internet access, no other host has a NAT rule on the firewall. In that way, even if the hosts try to bypass the access-list rule, they will not be able to go out without the NAT rule.
Hope this helps.
Regards,
NT
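As an added illustration that is not part of the thread: a small Python model of the ASA's first-match ACL evaluation combined with the "no NAT rule, no egress" check NT describes. The proxy address, client subnet and destination addresses are constructed example values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example values (assumptions, not from the thread)
PROXY = "10.1.1.10"          # the only inside host meant to reach the internet directly
EXTERNAL = "203.0.113.5"     # some internet destination

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol, otherwise "tcp"/"udp"
    src: str                 # "any", a host address, or a CIDR
    dst: str
    dport: Optional[int] = None

def _match_addr(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _match_addr(ace.src, src) and _match_addr(ace.dst, dst)

# Mirrors inside_access_out from the reply: proxy permitted first, then web ports
# denied for everyone else, then everything else allowed.
INSIDE_ACCESS_OUT = [
    Ace("permit", "tcp", PROXY, "any", 80),
    Ace("permit", "tcp", PROXY, "any", 443),
    Ace("deny", "tcp", "any", "any", 80),
    Ace("deny", "tcp", "any", "any", 443),
    Ace("permit", "ip", "any", "any"),
]

# Hosts with a "nat (inside) 1" entry; client subnets are deliberately absent.
NAT_RULES = [PROXY]

def acl_decision(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE decides; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"

def can_egress(proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """Traffic leaves only if the ACL permits it AND the source has a NAT rule."""
    if acl_decision(INSIDE_ACCESS_OUT, proto, src, dst, dport) != "permit":
        return False
    return any(_match_addr(rule, src) for rule in NAT_RULES)
```

A client on port 22 passes the ACL (permit ip any any) but still cannot leave, because it has no NAT entry; the proxy passes both checks.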
07-13-2010 07:45 AM
Hi NT,
Thanks for the quick reply. I'll give it a go and let you know.
One afterthought though: would I specifically need to allow the internal IPs access to the DMZ?
Once again, thanks!