
config. for access-lists and proxy server

l.prewett
Level 1

I am setting up a proxy server to filter web traffic. I have added an access-group on the pix to control access on the inside interface.

Here is what I have added:

access-list acl_in permit tcp host MyProxyserverIPaddress any eq http
access-list acl_in permit tcp host MyProxyserverIPaddress any eq https
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_in deny tcp any any eq http
access-list acl_in deny tcp any any eq https
access-group acl_in in interface inside

I want to allow only the proxy server to have outbound access for http/https traffic. All clients must configure their web browser with the ProxyserverIPaddress. If any client attempts outbound access to the web over http/https, their traffic should be blocked at the pix. Only clients with the proper web browser proxy configuration will be allowed to access the web, through the proxy server, using the ProxyserverIPaddress.

Only the proxy server should be permitted outbound access to the web (http/https traffic).

Even though I have applied this access group, clients can still access the web without using a proxy server.

I have written the config to mem and reloaded the pix.

Any suggestions?


jmia
Level 7

Hi, try the following...

access-list inside permit tcp host MyProxyserverIPaddress any eq www
access-list inside permit tcp host MyProxyserverIPaddress any eq https
access-list inside deny tcp any any eq www
access-list inside deny tcp any any eq https
access-list inside permit ip any any

Now bind the above ACL to the inside interface with:

access-group inside in interface inside

Remember to save with cmd: write mem, and also issue cmd: clear xlate.

Best way to write the above is in Notepad first and then paste it back onto the PIX config in config mode.

Use - no access-list inside - as the first line above before you paste back to PIX in config mode, i.e.

no access-list inside

This way the pix will replace the old ACL with the new ACL.

Remember if you make any modifications to ACLs or static commands ALWAYS issue clear xlate to activate the new commands.

Hope this helps - Jay.

PS. This is the wrong area to post this question, should have posted this on the SECURITY-->Firewall section.
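Why the poster's ACL does not block anything, and why the reply's ordering does, comes down to first-match evaluation: the PIX walks the list top-down and stops at the first entry that matches, so a "permit ip any any" placed above the deny lines means the denies are never reached. The following is an added example written for this thread (it is not code from the question, the reply, or Cisco) that walks both lists the way the firewall would. The addresses 10.1.1.10 (proxy), 10.1.1.50 (client) and 198.51.100.20 (web server) are assumed stand-ins for the placeholder MyProxyserverIPaddress and for hosts the thread never names; the ACL text is the poster's list and the reply's list with an https pair added.

```python
"""First-match walk of PIX-style access-list entries.

Added example for this thread, not code from the original post or reply.
The proxy, client and web-server addresses are assumed stand-ins; the
poster used the placeholder MyProxyserverIPaddress.
"""
import ipaddress

PROXY = "10.1.1.10"      # assumed stand-in for MyProxyserverIPaddress
CLIENT = "10.1.1.50"     # assumed inside host with no browser proxy setting
WEB = "198.51.100.20"    # assumed outside web server (TEST-NET-2 address)

# The poster's ACL as written in the question, placeholder substituted.
# "permit ip any any" sits above the two deny lines.
ORIGINAL_ACL = f"""
access-list acl_in permit tcp host {PROXY} any eq http
access-list acl_in permit tcp host {PROXY} any eq https
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_in deny tcp any any eq http
access-list acl_in deny tcp any any eq https
"""

# The same intent with the entries ordered specific-first, as in the reply,
# with an https pair added beside the www pair.
FIXED_ACL = f"""
access-list inside permit tcp host {PROXY} any eq www
access-list inside permit tcp host {PROXY} any eq https
access-list inside deny tcp any any eq www
access-list inside deny tcp any any eq https
access-list inside permit ip any any
"""

PORT_NAMES = {"http": 80, "www": 80, "https": 443}


def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Return a list of ACE dicts in the order they appear (the match order)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append({"line": line, "action": action, "proto": proto,
                     "src": src, "dst": dst, "dport": dport})
    return aces


def first_match(acl_text, proto, src, dst, dport):
    """Walk the ACL top-down and return (action, matching_line).

    Like the PIX, evaluation stops at the first matching entry, and a
    packet that matches nothing hits the implicit deny at the end.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in parse_acl(acl_text):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "<implicit deny>"


def verdict(acl_text, proto, src, dst, dport):
    """Just the permit/deny decision."""
    return first_match(acl_text, proto, src, dst, dport)[0]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for who, ip in (("client", CLIENT), ("proxy", PROXY)):
            action, line = first_match(acl, "tcp", ip, WEB, 80)
            print(f"{name:8} {who:6} -> {WEB}:80  {action:6}  via: {line}")
```

Running it shows the client's port-80 connection matching "permit ip any any" in the original list and "deny tcp any any eq www" in the reordered one, while the proxy's connections match the host-specific permits in both. Two caveats the walk also makes visible: the reordered list only denies ports 80 and 443, so a client that reaches a web server on any other port (8080, for instance) still falls through to "permit ip any any"; and the simulator is stateless, whereas the PIX keeps existing translations and connections flowing after an ACL change, which is why the reply insists on clear xlate.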