How to force users to use the proxy server on a PIX 515?

Status
Not open for further replies.

drmohlen

Technical User
Jan 12, 2006
50
GB
I have been trying to configure the PIX 515E to force users to go only through the proxy server (Windows IAS Server 2000) using the following three commands:

access-list internet permit ip host 192.168.1.11 any
access-list internet deny ip any any
access-group internet in interface inside

I have also changed the IE connection settings to go through my proxy server address. It prompts me for authentication, but then it fails to connect to the internet, complaining that the default gateway could not find the address!

Any suggestion or advice would be appreciated.
 
What is the default gateway? (The IP of the proxy?)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Also what is the default gateway of your PC attempting to connect to the proxy?
 
The default gateway for the PC trying to connect is the IP address of the PIX firewall, 192.168.1.1. The default gateway of the proxy is also 192.168.1.1.
 
The PC should only be trying to connect to the proxy; that handles all the outbound connections. Have you double-checked the proxy setup? You might want to use a traffic sniffer and see what is happening on the network with those requests.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
So what you are saying is that the default gateway for all PCs and domains must be changed from the current 192.168.1.1 to the IP address of the proxy, which is 192.168.1.11? Is this correct?
 
What kind of proxy are you using?

Some require all traffic, some only require proxy settings in IE.

It depends on the product.


 
I am using Microsoft Internet Security and Acceleration (ISA) Server 2000.
 
Yeah, the ISA box needs to be the gateway for the PCs; then the gateway for the ISA box should be the PIX.

|Internet|
router
|
|
PIX
|
|
ISA
|
|
LAN
Then you can make some access-lists blocking traffic from any host other than the ISA box.
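A concrete PIX 6.x configuration for the layout sketched above, added here as an example; it is not from the thread and not Brent's own config. It assumes a two-NIC ISA box: its external NIC (192.168.1.11) sits on the PIX inside segment 192.168.1.0/24 and its internal NIC (192.168.2.1) serves the client LAN 192.168.2.0/24. The 192.168.2.x addresses, the access-list name and the port list are assumptions for illustration.

```cisco
! Added example (PIX 6.3 syntax), not from the thread.
! Assumed addressing:
!   PIX inside      192.168.1.1/24   segment shared only with the ISA external NIC
!   ISA external    192.168.1.11     ISA internal 192.168.2.1, clients 192.168.2.0/24
! Clients get 192.168.2.1 as default gateway and proxy, so they never reach the PIX;
! the PIX only has to let the ISA box itself out.

nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0

! Only the ISA box may originate traffic through the PIX. Restricting it to the
! protocols a forward proxy needs (HTTP, HTTPS, FTP, DNS) is tighter than "ip ... any".
access-list internet permit tcp host 192.168.1.11 any eq www
access-list internet permit tcp host 192.168.1.11 any eq 443
access-list internet permit tcp host 192.168.1.11 any eq ftp
access-list internet permit udp host 192.168.1.11 any eq domain
access-list internet permit tcp host 192.168.1.11 any eq domain
! Log everything else, so any client that bypasses the ISA box shows up in syslog.
access-list internet deny ip any any log
access-group internet in interface inside

! The ISA external address is the only inside address that needs translation.
nat (inside) 1 192.168.1.11 255.255.255.255
global (outside) 1 interface
```

After applying it, `show access-list internet` prints a hit count for each line; a rising count on the final deny line means some host is still trying to reach the Internet directly. With `logging on` and `logging trap informational` (and a syslog host configured), each denied packet is logged with its source address, which is how you find a machine that was not re-pointed at the ISA box.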

 
Thank you for your help. I will apply the changes tonight and will let you know.
 
I would take a slightly different route.

First of all, I would reconfigure the DHCP pool and remove the default gateway from it, so clients only get their IP, DNS and whatever else might be needed. I would then use group policy to configure everyone's browser to use the proxy server, and I would also use the same policy to make sure that users couldn't make any changes to the network settings. The only thing you need to make sure of now is that the proxy server has the right gateway and has outgoing access. This gives you multiple layers of security, which makes sure that 99.9% of your users will have no choice but to use the proxy.

Remember, if your users need to do anything else outside your network, this will not work, or you will have to proxy everything through your server, and that might break some applications.



Hope that helps
 
Thank you for your help, but I have been using the DHCP server in the PIX firewall to give the clients their IP address, etc. What I am not sure of is how I can change the default gateway from the PIX IP address to the proxy IP address for all clients. If you know, please let me know.

Many Thanks
 
horus42,
that is a very good suggestion.

drmohlen,
be careful which PCs you set this policy on. For example, laptops will need more thought. If a user leaves your network and goes home or to another network, they will not be able to use the internet because of the proxy setting.

The PIX has a limited DHCP server; because of this you are best off setting up DHCP on one of your Windows servers, where you can define any gateway address.



 
I thought about it and you are absolutely right. That's what I am intending to do: disabling the DHCP server on the PIX and configuring DHCP on one of our domain controllers.

Many Thanks
 