Access List Needed to Block Internet Traffic Except Proxy

kennyo002
Level 1

I need an access list to block all internet traffic for the local network but allow only the proxy server.

This will force users to set proxy settings on their browser. I am using a Cisco 800 series router connected to an unmanaged Linksys switch and an SBS 2011 server. We have 40 users on the LAN. The proxy (GFI) is running on the SBS server.

LAN network - 192.168.1.0/24 - Gateway: 192.168.1.1 (Cisco router internal IP) - server/proxy: 192.168.1.200

Router interfaces:
Fa0 - Bridges to ADSL
Fa1 - Connects to LAN
Dialer 1 - Internet

Right now, there is open access to the internet.

2 Replies

Hello.

I would say that you may configure an ACL for inbound filtering under the VLAN interface:

ip access-list extended LAN_IN
 remark TCP sourced from the proxy server itself is allowed out
 permit tcp host 192.168.1.200 any
 remark all other TCP from the LAN is dropped, forcing browsers through the proxy
 deny tcp 192.168.1.0 0.0.0.255 any
 remark UDP (e.g. DNS) and ICMP from the LAN stay allowed
 permit udp 192.168.1.0 0.0.0.255 any
 permit icmp 192.168.1.0 0.0.0.255 any
 remark anything not matched above hits the implicit deny at the end of the list

interface VLAN1
 ip address 192.168.1.1 255.255.255.0
 ! apply the list to traffic entering the router from the LAN side
 ip access-group LAN_IN in

If you don't want to filter out all TCP traffic, you may either list all the TCP ports you want to block, or use NBAR + QoS to detect and drop HTTP/HTTPS traffic.

Also, if you are running the ZBFW feature, you could use it to drop LAN-to-WAN HTTP/HTTPS traffic.
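As an added illustration (not part of the original thread), here is a small Python model of how IOS walks the LAN_IN list above: first match wins, a 0 bit in the wildcard mask must match, and a packet matching no entry hits the implicit deny. The sample flows are constructed, using the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges as stand-ins for Internet hosts.

```python
import ipaddress

def in_wildcard(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_addr(tokens):
    """One address term: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """'permit tcp host 192.168.1.200 any' -> (action, proto, src, dst)."""
    action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    dst, _ = parse_addr(rest)
    return action, proto, src, dst

# The LAN_IN list from the reply above, entry by entry (no port qualifiers).
LAN_IN = [parse_ace(line) for line in [
    "permit tcp host 192.168.1.200 any",
    "deny tcp 192.168.1.0 0.0.0.255 any",
    "permit udp 192.168.1.0 0.0.0.255 any",
    "permit icmp 192.168.1.0 0.0.0.255 any",
]]

def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, p, (snet, swc), (dnet, dwc) in acl:
        if p in ("ip", proto) and in_wildcard(src, snet, swc) and in_wildcard(dst, dnet, dwc):
            return action
    return "deny"

# Constructed flows entering VLAN1 from the LAN (203.0.113.x / 192.0.2.x are documentation addresses).
SAMPLE = {
    "proxy_tcp_out": ("tcp", "192.168.1.200", "203.0.113.10"),  # permit: matches entry 1
    "user_tcp_out": ("tcp", "192.168.1.50", "203.0.113.10"),    # deny: matches entry 2
    "user_dns_udp": ("udp", "192.168.1.50", "192.0.2.53"),      # permit: matches entry 3
    "user_ping": ("icmp", "192.168.1.50", "203.0.113.10"),      # permit: matches entry 4
    "user_gre": ("gre", "192.168.1.50", "203.0.113.10"),        # deny: implicit deny at the end
}

def decisions():
    return {name: evaluate(LAN_IN, *flow) for name, flow in SAMPLE.items()}
```

Note that the permit udp line admits any UDP flow from the LAN, so the list only forces TCP-based web traffic through the proxy.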

Hello

The logic for SVI ACLs is as follows:

Example:

access-list 100 permit ip any host 192.168.1.200
access-list 101 permit ip host 192.168.1.200 any

interface vlan 10
 ip access-group 100 in
 ip access-group 101 out

ip access-group 100 in  (IN > OUT)
(ACLs applied inbound on vlan 10 = traffic going from a host(s) in vlan 10)

ip access-group 101 out  (IN < OUT)
(ACLs applied outbound on vlan 10 = traffic going to a host(s) in vlan 10)


res

Paul