AvidPontoon
Beginner

ACL Help for deny traffic for proxy

So I am setting up a proxy, and in an attempt to combat people not using the proxy or disabling it, I need some ACLs for our 2811 router so that www traffic is denied unless it goes through the proxy.

 

So the proxy has the IP 10.1.1.78, and my new ACLs want only that host to be able to go out via HTTP and HTTPS (ports 80 and 443). All other hosts except the proxy still want access to the internet, but with HTTP and HTTPS traffic denied, so that things like updates and SSH work fine, for example. What this means for the network is that only traffic passing through the proxy can actually get out to webpages.

 

My ip structure is 10.1.x.0/24

Where x is the VLAN id (1,10,20,30,100)

 

I have tried this:


access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp host 10.1.1.0 any eq www
access-list 100 deny tcp host 10.1.1.0 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

 

But it does not work; all clients can still access webpages.

 

Please could someone help?

 

 

Peter Paluch
Hall of Fame Cisco Employee

Hi,

I think that the 3rd and 4th entries in your ACL are not correct - you are denying packets from a host whose exact IP address is 10.1.1.0. Likely you wanted to refer to the complete network.

I believe the correct ACL would be:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Can you try this out? :)

Best regards,
Peter




Adding the wildcard works!

But now none of my clients can get DHCP from the router?

 

Thanks

Nick

Peter Paluch
Hall of Fame Cisco Employee

Nick,

Hm, the DHCP failure now is not surprising - the DHCP client packets are sourced from 0.0.0.0 which is not permitted in your ACL.

Perhaps you would like to modify the ACL like this:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip any any

This will essentially make sure that the HTTP(S) access in particular is permitted only to the proxy server, no one else; and nothing else is limited in any way.

Best regards,
Peter


Peter! You're a hero!

 

My new config:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq www
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 permit ip any any

Allows only the proxy web access and DHCP now works!

 

Thanks

Nick
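An added example, not code from the thread: a small simulator of Cisco IOS extended-ACL evaluation (first matching entry wins, implicit deny at the end), run over the four ACL revisions posted above with a few constructed packets. It shows why `host 10.1.1.0` never matched a real client, why the version that only permitted 10.1.1.0/24 stopped DHCP (the client's DHCPDISCOVER is sourced from 0.0.0.0), and one check worth making before calling the job done: with the deny lines still scoped to 10.1.1.0 0.0.0.255 and a trailing `permit ip any any`, a host in one of the other VLANs (for instance 10.1.10.5 in VLAN 10) still reaches port 80 directly, which is what widening the deny to 10.1.0.0 0.0.255.255 in Nick's final config closes. The client addresses 10.1.1.50 and 10.1.10.5 and the web server 203.0.113.10 are constructed test inputs.

```python
"""Simulated Cisco IOS extended-ACL lookup: first match wins, then an
implicit 'deny ip any any'. Added example; the ACLs are the revisions
posted in the thread, the packets are constructed test inputs."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "bootps": 67, "bootpc": 68}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":  # 'host A' is shorthand for 'A 0.0.0.0': exactly one address
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _port(tokens: list):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_ace(line: str) -> dict:
    """access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]"""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    rest = tokens[4:]
    ace = {"action": tokens[2], "proto": tokens[3]}
    ace["src"] = _addr(rest)
    ace["sport"] = _port(rest)
    ace["dst"] = _addr(rest)
    ace["dport"] = _port(rest)
    return ace


def ace_matches(ace: dict, pkt: dict) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    for key in ("sport", "dport"):
        if ace[key] is not None and pkt.get(key) != ace[key]:
            return False
    return True


def evaluate(acl_text: str, pkt: dict) -> str:
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit deny ip any any at the end of every IOS ACL


PROXY_LINES = """access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
"""
ACLS = {
    # Nick's first attempt: 'host 10.1.1.0' matches only the address 10.1.1.0
    "original": PROXY_LINES + """access-list 100 deny tcp host 10.1.1.0 any eq www
access-list 100 deny tcp host 10.1.1.0 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any""",
    # Peter's first fix: wildcard deny, but only 10.1.1.0/24 is permitted at all
    "subnet_deny": PROXY_LINES + """access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any""",
    # Peter's second fix: permit everything else, so DHCP from 0.0.0.0 passes
    "permit_any": PROXY_LINES + """access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip any any""",
    # Nick's final config: deny widened to 10.1.0.0/16 to cover every VLAN
    "final": PROXY_LINES + """access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq www
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 permit ip any any""",
}

# Constructed packets; 203.0.113.10 is a documentation address standing in for a web server.
PACKETS = {
    "client_https":  {"proto": "tcp", "src": "10.1.1.50", "dst": "203.0.113.10", "dport": 443},
    "proxy_https":   {"proto": "tcp", "src": "10.1.1.78", "dst": "203.0.113.10", "dport": 443},
    "client_ssh":    {"proto": "tcp", "src": "10.1.1.50", "dst": "203.0.113.10", "dport": 22},
    "dhcp_discover": {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67},
    "vlan10_http":   {"proto": "tcp", "src": "10.1.10.5", "dst": "203.0.113.10", "dport": 80},
}


def evaluate_all() -> dict:
    """{acl name: {packet name: 'permit' | 'deny'}} for every ACL/packet pair."""
    return {name: {p: evaluate(acl, pkt) for p, pkt in PACKETS.items()} for name, acl in ACLS.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(f"{name:12s} {results}")
```

The simulator only understands the syntax used in the thread (`host`, `any`, an address plus wildcard, and an optional `eq` port), and the deny lines, like the real ones, only match destination ports 80 and 443; where the ACL is applied (interface and direction) is not stated in the thread and decides whether a DHCP packet ever crosses it.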

Deepak Kumar
VIP Advocate

Hi, 

Check your 3rd and 4th lines. Why is it host? It must be a subnet, as in:

 

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!


Adding the wildcard works!

But now none of my clients can get DHCP from the router?

 

Thanks

Hi,

We blocked only TCP ports 80 and 443, and you need to allow the 0.0.0.0 source for DHCP.

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

access-list 100 permit ip any any

 

Regards,

Deepak Kumar
