Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Internet Security with the PIX 2

Status
Not open for further replies.
robrichardson

robrichardson

Programmer
Mar 14, 2001
86
GB
We have a proxy server (symantec web security 2.5) in a 192.168.1.0 network all clients are forced to use this with a group policy amending their internet settings (win 2k) to use a proxy server.

We have problems when the user logs in locally onto the computer (which doesnt apply the GP) they can access the internet without the login for Web security appearing.

Is there anyway with the PIX and access-lists that only clients on the 192.168.1.0 network using the proxy server can access the internet. For example deny all then allow the proxy server
Is this possible?
 
Sort by date Sort by votes
I hope I have got your question right. If the scenario you want is:
user -> proxy -> pix -> internet

All you have to do is apply the following access-list to the inside interface of the PIX:

access-list inside-acl permit tcp host proxy-addr any eq www


ensure that there is no other access-list that allow the inside hosts to access the internet directly

I JUST HOPE IT WORKS
 
Upvote 0 Downvote
I agree i have the same setup and works like a champ!
 
Upvote 0 Downvote
Another way to do it without the use of access-lists is to modify your NAT statement to only use the proxy server IP. Example:

nat (inside) 1 [proxy IP] 255.255.255.255
global (outside) 1 interface

Any other IP would not be allowed to NAT outbound, which disables their Internet access.
 
Upvote 0 Downvote
I've tried your suggestions and still having no luck, if I put an access-list on to allow only the proxy server it knowcks out the VPN tunnels, I've posted the config (with the obvious alterations) hoping somebody can help:

Here it is:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security25
nameif ethernet3 NCC security50
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
hostname PIX515
domain-name company.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.0.1.0 255.255.255.224
access-list luton permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list luton permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list luton permit ip 192.168.60.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list kingston permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list kingston permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list kingston permit ip 192.168.60.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list lewes permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list lewes permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list lewes permit ip 192.168.60.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list NCCin permit ip 192.168.60.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NCCnat permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NCCnat permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NCCnat permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list NCCnat permit ip host NPS-FIN host 10.0.1.12
access-list Essex permit ip 192.168.8.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Essex permit ip 192.168.3.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outin permit tcp any host 81.86.4.205 eq smtp
access-list outin permit tcp any host 81.86.4.203 eq www
access-list outin permit tcp any host 81.86.4.204 eq 3389
access-list outin deny ip any any
access-list DMZout permit ip host 10.0.1.12 host NPS-FIN
access-list insideout permit tcp host 192.168.3.40 any eq www
access-list insideout permit tcp host 192.168.3.41 any eq www
pager lines 24
ip address outside 81.x.x.1 255.255.255.248
ip address inside 192.168.3.254 255.255.255.0
ip address DMZ 10.0.1.1 255.255.255.224
ip address NCC 192.168.1.4 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 81.x.x.2
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (NCC) 0 access-list NCCnat
nat (NCC) 1 192.168.8.0 255.255.255.0 0 0
access-group outin in interface outside
access-group insideout in interface inside
access-group DMZout in interface DMZ
access-group NCCin in interface NCC
route outside 0.0.0.0 0.0.0.0 81.x.x.6 1
route NCC 192.168.8.0 255.255.255.0 192.168.1.2 1
route NCC 192.168.60.0 255.255.255.0 192.168.1.2 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 8002 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 8002 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set 3DES-Secure esp-3des esp-md5-hmac
crypto map VPNtunnel 10 ipsec-isakmp
crypto map VPNtunnel 10 match address lewes
crypto map VPNtunnel 10 set peer 82.x.x.1
crypto map VPNtunnel 10 set transform-set 3DES-Secure
crypto map VPNtunnel 20 ipsec-isakmp
crypto map VPNtunnel 20 match address kingston
crypto map VPNtunnel 20 set peer 83.x.x.1
crypto map VPNtunnel 20 set transform-set 3DES-Secure
crypto map VPNtunnel 30 ipsec-isakmp
crypto map VPNtunnel 30 match address luton
crypto map VPNtunnel 30 set peer 84.x.x.1
crypto map VPNtunnel 30 set transform-set 3DES-Secure
crypto map VPNtunnel 40 ipsec-isakmp
crypto map VPNtunnel 40 match address Essex
crypto map VPNtunnel 40 set peer 85.x.x.1
crypto map VPNtunnel 40 set transform-set 3DES-Secure
crypto map VPNtunnel interface outside
isakmp enable outside
isakmp key ******** address 82.x.x.1 netmask 255.255.255.255
isakmp key ******** address 83.x.x.1 netmask 255.255.255.255
isakmp key ******** address 84.x.x.1 netmask 255.255.255.255
isakmp key ******** address 85.x.x.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
 
Upvote 0 Downvote
The VPN's are not going down, you were just inadvertently blocking traffic to them. A couple more statements are necessary on the inside list:
access-list insideout permit tcp host 192.168.3.40 any eq www
access-list insideout permit tcp host 192.168.3.41 any eq www
access-l insideout deny tcp any any eq 80
access-l insideout permit ip any any

This denys everybody web access and then let the rest on through.

If desired it might be a little more secure to permit traffic to your VPN sites explicitly, instead of the blanket permit any any. Doing that will also eliminate people surfing on ports other than 80.

my guess is that you are using proxy servers for FTP also so you might want to restrict that the same way as web traffic
 
Upvote 0 Downvote
Thats worked perfectly 308win, thanks very much for all your help.

Rob

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
269
Sameer258
Sameer258
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
233
nnaarrnn
nnaarrnn
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
75
gbayi_omo
gbayi_omo
abhi21
  • Locked
  • Question
Interesting article on Cyber Security
Replies
0
Views
71
abhi21
abhi21
DivemasterBill
  • Locked
  • Question
Cannot connect via the SonicWall Login webpage
Replies
0
Views
79
DivemasterBill
DivemasterBill

Part and Inventory Search

Sponsor

Back
Top