03-25-2018 05:40 AM - edited 03-08-2019 02:23 PM
So I am setting up a proxy, and in an attempt to combat people not using the proxy or disabling it, I need some ACLs for our 2811 router so that www traffic is denied unless it goes through the proxy.
So the proxy has the IP 10.1.1.78, and my new ACLs want only that host to be able to go out via http and https (ports 80 and 443). All other hosts except the proxy still want access to the internet, but deny http and https traffic so that things like updates and ssh work fine, for example. What this means for the network is that only traffic passing through the proxy can actually get out to webpages.
My ip structure is 10.1.x.0/24
Where x is the VLAN id (1,10,20,30,100)
I have tried this:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp host 10.1.1.0 any eq www
access-list 100 deny tcp host 10.1.1.0 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
But it does not work, all clients can still access webpages
Please could someone help?
03-25-2018 05:48 AM
Hi,
I think that the 3rd and 4th entries in your ACL are not correct - you are denying packets from a host whose exact IP address is 10.1.1.0. Likely you wanted to refer to the complete network.
I believe the correct ACL would be:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Can you try this out? :)
Best regards,
Peter
03-25-2018 05:56 AM - edited 03-25-2018 06:04 AM
@Peter Paluch wrote:
Hi,
I think that the 3rd and 4th entries in your ACL are not correct - you are denying packets from a host whose exact IP address is 10.1.1.0. Likely you wanted to refer to the complete network.
I believe the correct ACL would be:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Can you try this out? :)
Best regards,
Peter
Adding the wildcard works!
But now none of my clients can get dhcp from the router?
Thanks
Nick
03-25-2018 06:07 AM
Nick,
Hm, the DHCP failure now is not surprising - the DHCP client packets are sourced from 0.0.0.0 which is not permitted in your ACL.
Perhaps you would like to modify the ACL like this:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip any any
This will essentially make sure that the HTTP(S) access in particular is permitted only to the proxy server, no one else; and nothing else is limited in any way.
Best regards,
Peter
03-25-2018 06:12 AM
@Peter Paluch wrote:
Nick,
Hm, the DHCP failure now is not surprising - the DHCP client packets are sourced from 0.0.0.0 which is not permitted in your ACL.
Perhaps you would like to modify the ACL like this:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip any any
This will essentially make sure that the HTTP(S) access in particular is permitted only to the proxy server, no one else; and nothing else is limited in any way.
Best regards,
Peter
Peter! You're a hero!
My new config:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq www
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 permit ip any any
Allows only the proxy web access and DHCP now works!
Thanks
Nick
03-25-2018 05:58 AM
Hi,
Check your lines 3 and 4: why is it host? It must be a subnet, as:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Regards,
Deepak Kumar
03-25-2018 06:04 AM
@Deepak Kumar wrote:
Hi,
Check your lines 3 and 4: why is it host? It must be a subnet, as:
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Regards,
Deepak Kumar
Adding the wildcard works!
But now none of my clients can get dhcp from the router?
Thanks
03-25-2018 06:10 AM - edited 03-25-2018 06:12 AM
Hi,
We blocked only TCP ports 80 & 443, and you need to allow the 0.0.0.0 subnet for DHCP.
access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip any any
Regards,
Deepak Kumar
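To make the thread's three ACL revisions easy to compare, here is an added example (not code from the thread or from Cisco): a small Python evaluator for the subset of extended numbered-ACL syntax used above. It assumes the ACL is applied inbound on the LAN-facing interfaces, matches first-hit like IOS, and ends with the implicit deny that dropped the 0.0.0.0-sourced DHCP discovers; the packet values below are constructed.

```python
import ipaddress
# Added example, not from the thread: evaluator for the subset of Cisco extended numbered-ACL
# syntax used above, with first-match semantics and the implicit "deny ip any any" at the end.
PORT_NAMES = {"www": 80, "ssh": 22, "bootps": 67, "bootpc": 68}

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Wildcard mask: 0 bits must match, 1 bits are don't-care; invert it into a netmask
    netmask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    rest = t[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:  # 'eq' after the destination matches the destination port
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; no match means the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny ip any any

# The three ACLs from the thread: Nick's original, Peter's first fix, Nick's final config
ORIGINAL = ["access-list 100 permit tcp host 10.1.1.78 any eq www",
            "access-list 100 permit tcp host 10.1.1.78 any eq 443",
            "access-list 100 deny tcp host 10.1.1.0 any eq www",
            "access-list 100 deny tcp host 10.1.1.0 any eq 443",
            "access-list 100 permit ip 10.1.1.0 0.0.0.255 any"]
FIRST_FIX = ORIGINAL[:2] + ["access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www",
                            "access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443",
                            ORIGINAL[4]]
FINAL = ORIGINAL[:2] + ["access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq www",
                        "access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq 443",
                        "access-list 100 permit ip any any"]
```

Running `evaluate(FIRST_FIX, "udp", "0.0.0.0", "255.255.255.255", 67)` reproduces the DHCP outage (no line matches, so the implicit deny applies), while `FINAL` permits it and still denies a VLAN 20 client on port 443.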