In article , madunix wrote:
:I had the following:
:Clients--Pix--Router--Internet
:my clients 10.6.x.x surf the internet through the pix, requesting the
:traffic http/smtp/pop3/ftp...etc.
:_Now_ I have implemented a proxy server (squid) on FreeBSD, it works
:as cache / web filtering, my design
:Clients--Proxy--Pix--Router--Internet
:I want to avoid the http/www requests going through the pix directly.
:I want only Proxy to handle the http/www requests, and if any http/www
:request goes to the pix from 10.6.x.x it should be dropped.
:I want only some IPs in 10.6.x.x (3 or 4 clients from the management)
:to be allowed to surf the net through the pix
Okay, do-able.
:Pix configuration
:name 10.5.1.111 PROXY
:access-list outside_access_in permit tcp any host X.X.X.X eq www
:access-list outside_access_in permit tcp any host X.X.X.X eq domain
:static (inside,outside) X.X.X.X PROXY netmask 255.255.255.255 0 0
'outside_access_in' would -usually- imply inbound traffic (from the Internet) towards the LAN, and that's not what you want to filter.
name 10.6.x.y1 Manager1
name 10.6.x.y2 Manager2

: below, 3128 is squid -- I'm assuming you don't want your users
: to be able to use external squid proxies

access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp host PROXY any eq www
access-list inside_access_out permit tcp host Manager1 any eq www
access-list inside_access_out permit tcp host Manager2 any eq www
access-list inside_access_out deny tcp any any eq www
access-list inside_access_out deny tcp any any eq 3128
: continue on with whatever else you want filtered
access-list inside_access_out deny .... whatever
: if the default is to allow everything else, then include the below
access-list inside_access_out permit ip any any
: if your proxy server is acting as a DNS server to outside hosts then
access-list outside_access_in permit udp any host X.X.X.X eq domain
: if there are sites that are allowed to do DNS Zone transfers from
: your hypothetical DNS server on your proxy machine...
access-list outside_access_in permit tcp any host X.X.X.X eq domain
: you probably want icmp echo replies allowed in, and TTL exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
: everything else is denied by default

access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
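Before committing the inside_access_out list above, it is worth checking that its entry order actually produces the intended verdicts, since a PIX stops at the first matching entry. The following Python simulation of that first-match evaluation is an added example, not part of the original post or of any Cisco tooling; it assumes constructed placeholder addresses for Manager1 and Manager2 and sample outside hosts from the 198.51.100.0/24 documentation range.

```python
# Name table from the reply; Manager addresses are constructed placeholders
# standing in for the 10.6.x.y1 / 10.6.x.y2 the reply leaves unspecified.
NAMES = {"PROXY": "10.5.1.111", "Manager1": "10.6.1.11", "Manager2": "10.6.1.12"}

# inside_access_out in entry order: (action, proto, src, dst, dst port).
# The ".... whatever" placeholder line from the reply is left out.
INSIDE_ACCESS_OUT = [
    ("permit", "udp", "any", "any", 53),       # eq domain
    ("permit", "tcp", "PROXY", "any", 80),     # squid itself may fetch www
    ("permit", "tcp", "Manager1", "any", 80),  # management exceptions
    ("permit", "tcp", "Manager2", "any", 80),
    ("deny", "tcp", "any", "any", 80),         # everyone else: no direct www
    ("deny", "tcp", "any", "any", 3128),       # no external squid proxies
    ("permit", "ip", "any", "any", None),      # default: allow the rest
]

def _host_match(spec, addr):
    # 'any' matches every address; a PIX name resolves via the name table.
    return spec == "any" or NAMES.get(spec, spec) == addr

def evaluate(acl, proto, src, dst, dport):
    """Decide one flow as a PIX applies an access-list: the first entry whose
    protocol, addresses and port all match wins, and a flow that matches no
    entry hits the implicit deny at the end of every access-list."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_host_match(asrc, src) and _host_match(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

def policy_violations(acl):
    """Run the thread's stated requirements through the list and return the
    flows whose verdict is not the intended one (empty list = order is fine)."""
    wanted = [
        ("tcp", NAMES["PROXY"], "198.51.100.10", 80, "permit"),     # squid fetch
        ("tcp", NAMES["Manager1"], "198.51.100.10", 80, "permit"),  # manager
        ("tcp", "10.6.2.50", "198.51.100.10", 80, "deny"),          # plain client
        ("tcp", "10.6.2.50", "198.51.100.10", 3128, "deny"),        # outside squid
        ("udp", "10.6.2.50", "198.51.100.53", 53, "permit"),        # DNS lookups
    ]
    return [f for f in wanted if evaluate(acl, *f[:4]) != f[4]]

if __name__ == "__main__":
    print("violations:", policy_violations(INSIDE_ACCESS_OUT))
    # Same entries with the www deny moved ahead of the permits: the proxy
    # itself is now blocked, the ordering mistake this simulation catches.
    misordered = [INSIDE_ACCESS_OUT[4]] + INSIDE_ACCESS_OUT[:4] + INSIDE_ACCESS_OUT[5:]
    print("misordered violations:", policy_violations(misordered))
```

Note that with the final "permit ip any any" in place, HTTPS from an ordinary client falls through to that entry and is allowed, so it needs its own deny if the proxy is meant to handle it as well.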