My goal is to fix it so that the only way internal machines (except servers) can reach the internet is through my proxy server. I have a web and an email server behind the firewall that need direct access to the internet. I have three subnets on the inside. I have a PIX 515. We are a private school and the proxy server provides caching and most importantly, content filtering. Some students have figured out how to bypass the proxy settings in IE so I need to block them from accessing the internet except through the proxy server. Any help will be greatly appreciated. Below is the current PIX config with IPs replaced.
Welcome to the PIX firewall
Type help or '?' for a list of available commands.
pixfirewall> enable
Password: *********
pixfirewall# show config
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security
nameif ethernet1 inside security
enable password
passwd
hostname pixfirewall
domain-name something.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 90 permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.248
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.240
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 10 10
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.xxx eq
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any
conduit permit tcp host xxx.xxx.xxx.xxx eq
conduit permit tcp host xxx.xxx.xxx.xxx eq ftp any
conduit permit tcp host xxx.xxx.xxx.xxx eq 8383 any
conduit permit udp host xxx.xxx.xxx.xxx eq 160 xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmp xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq 160 xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmp xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq 160 xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmp xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq 160 xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmp xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmptrap xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmptrap xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmptrap xxx.xxx.xxx.xxx 255.255.255.0
conduit permit udp host xxx.xxx.xxx.xxx eq snmptrap xxx.xxx.xxx.xxx 255.255.255.0
conduit permit tcp host xxx.xxx.xxx.xxx eq pop3 any
conduit permit tcp host xxx.xxx.xxx.xxx eq 22 any
conduit permit tcp host xxx.xxx.xxx.xxx eq 5177 any
conduit permit tcp host xxx.xxx.xxx.xxx eq 5178 any
conduit permit tcp host xxx.xxx.xxx.xxx eq
rip inside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside vpn pool ip 255.255.255.0 default gateway ip 1
route inside subnet 2 ip 255.255.255.0 default gateway ip 1
route inside subnet 3 ip 255.255.255.0 default gateway ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set elfbc esp-des esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set elfbc
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map client configuration address initiate
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption des
isakmp policy 7 hash md5
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpngroupname idle-time 1800
vpngroup vpngroupname ****************
vpngroup vpngroupname wins-server xxx.xxx.xxx.xxx
vpngroup vpngroupname default-domain ******
vpngroup vpngroupname idle-time 1800
vpngroup vpngroupname password ********
telnet subnet 1 ip 255.255.255.0 inside
telnet subnet 2 ip 255.255.255.0 inside
telnet subnet 3 ip 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
terminal width 90
Cryptochecksum:***********************
Thanks Guys
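One way to get the behaviour asked for above, as an added example that is not part of the original post: an outbound access list applied to the inside interface, so that only the proxy and the two servers may start connections to the internet. The ACL name proxy_only and the PROXY_IP, MAIL_IP, WEB_IP and VPN_POOL_NET values are placeholders to be replaced with the real addresses from the config; the interface names inside/outside are the ones in the posted config.

```text
! Added example, not from the original post. Placeholder addresses throughout.
! Once an access-group is bound to "inside", every flow arriving from the LAN must
! match a permit line, so destinations that cross the PIX are listed first.
!
! 1. Inside hosts may still initiate traffic to the VPN client pool
!    (replies to VPN-initiated connections are already allowed by state).
access-list proxy_only permit ip any VPN_POOL_NET 255.255.255.0
! 2. The proxy is the only general-purpose path out; caching and content
!    filtering happen there.
access-list proxy_only permit ip host PROXY_IP any
! 3. Mail server: outbound delivery and DNS lookups only.
access-list proxy_only permit tcp host MAIL_IP any eq smtp
access-list proxy_only permit udp host MAIL_IP any eq domain
! 4. Web server: outbound web and DNS only; trim further if it needs less.
access-list proxy_only permit tcp host WEB_IP any eq www
access-list proxy_only permit tcp host WEB_IP any eq 443
access-list proxy_only permit udp host WEB_IP any eq domain
! 5. Everything else from the inside is dropped, which covers a workstation
!    whose IE settings were changed to "no proxy" or to some other port.
access-list proxy_only deny ip any any
! Bind it inbound on the inside interface only; the existing conduits govern
! outside-to-inside traffic and are unaffected.
access-group proxy_only in interface inside
```

The PIX logs each packet an access-group denies (syslog message 106023), so with `logging on` and a syslog host configured, bypass attempts show up by source address; the `nat (inside) 1 0.0.0.0 0.0.0.0` line can stay as it is, since the ACL is checked before translation.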