proxy

I had the following: Clients--Pix--Router--Internet. My clients (10.6.x.x) surf the internet through the PIX, requesting HTTP/SMTP/POP3/FTP traffic, etc.

_Now_ I have implemented a proxy server (Squid) on FreeBSD; it works as a cache / web filter. My design is Clients--Proxy--Pix--Router--Internet. I want to avoid HTTP/WWW requests going through the PIX directly. I want only the proxy to handle HTTP/WWW requests, and any HTTP/WWW request that goes to the PIX from 10.6.x.x should be dropped. I want only some IPs in 10.6.x.x (3 or 4 clients from management) to be allowed to surf the net through the PIX.

PIX configuration:

name 10.5.1.111 PROXY
access-list outside_access_in permit tcp any host X.X.X.X eq www
access-list outside_access_in permit tcp any host X.X.X.X eq domain
static (inside,outside) X.X.X.X PROXY netmask 255.255.255.255 0 0

Any help?

Reply to
madunix

In article , madunix wrote:
:I had the following:
:Clients--Pix--Router--Internet
:my clients 10.6.x.x surf the internet through the pix, requesting the
:traffic http/smtp/pop3/ftp...etc.
:_Now_ I have implemented a proxy server (squid) on FreeBSD, it works
:as cache / web filtering, my design
:Clients--Proxy--Pix--Router--Internet
:I want to avoid the http/www request to go through pix directly.
:I want only Proxy to handle the http/www request, and if any http/www
:request went to pix from 10.6.x.x should be dropped.
:I want only some Ip 10.6.x.x (3 or 4 clients from the management)
:to let them surf the net through pix

Okay, do-able.

:Pix configuration
:name 10.5.1.111 PROXY
:access-list outside_access_in permit tcp any host X.X.X.X eq www
:access-list outside_access_in permit tcp any host X.X.X.X eq domain
:static (inside,outside) X.X.X.X PROXY netmask 255.255.255.255 0 0

'outside_access_in' would -usually- imply inbound traffic (from the Internet) towards the LAN, and that's not what you want to filter.

name 10.6.x.y1 Manager1
name 10.6.x.y2 Manager2

: below, 3128 is squid -- I'm assuming you don't want your users
: to be able to use external squid proxies

access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp host PROXY any eq www
access-list inside_access_out permit tcp host Manager1 any eq www
access-list inside_access_out permit tcp host Manager2 any eq www
access-list inside_access_out deny tcp any any eq www
access-list inside_access_out deny tcp any any eq 3128
: continue on with whatever else you want filtered
access-list inside_access_out deny .... whatever
: if the default is to allow everything else, then include the below
access-list inside_access_out permit ip any any

: if your proxy server is acting as a DNS server to outside hosts then
access-list outside_access_in permit udp any host X.X.X.X eq domain
: if there are sites that are allowed to do DNS Zone transfers from
: your hypothetical DNS server on your proxy machine...
access-list outside_access_in permit tcp any host X.X.X.X eq domain
: you probably want icmp echo replies allowed in, and TTL exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
: everything else is denied by default

access-group inside_access_out in interface inside
access-group outside_access_in in interface outside

Reply to
Walter Roberson
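The inside_access_out list in the reply above works because a PIX evaluates an access-list top to bottom, the first matching line wins, and anything unmatched hits the implicit deny at the end. The following is an added example (not from either post) that parses that list as written and walks a few constructed flows through it, so you can check what a given client/port pair will hit before loading the list on the firewall. It assumes concrete addresses for the Manager1/Manager2 names (the post leaves them as 10.6.x.y1 and 10.6.x.y2), omits the "deny .... whatever" placeholder line, and uses 198.51.100.10 as a constructed Internet destination.

```python
"""
Added example: a first-match evaluator for the PIX-style
inside_access_out list posted above. Not PIX code; the address table
and the sample flows are constructed for illustration.
"""
import ipaddress

# Assumed 'name' table. PROXY is from the original post; the two
# manager addresses are placeholders chosen to sit in 10.6.x.x.
NAMES = {
    "PROXY": "10.5.1.111",
    "Manager1": "10.6.1.21",
    "Manager2": "10.6.1.22",
}

# The list as posted, minus the 'deny .... whatever' placeholder.
INSIDE_ACCESS_OUT = """
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp host PROXY any eq www
access-list inside_access_out permit tcp host Manager1 any eq www
access-list inside_access_out permit tcp host Manager2 any eq www
access-list inside_access_out deny tcp any any eq www
access-list inside_access_out deny tcp any any eq 3128
access-list inside_access_out permit ip any any
"""

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ftp": 21}


def _port(tok):
    """Translate a PIX port keyword or number to an integer."""
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse 'any' or 'host <name|ip>' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        ip = NAMES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(ip + "/32"), i + 2
    raise ValueError("unsupported address form: %s" % tokens[i])


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines.
    Only the forms used in the posted list are handled (no masks, no
    ICMP type keywords, no 'range')."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport = None
        if i < len(t) and t[i] == "eq":
            sport, i = _port(t[i + 1]), i + 2
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = _port(t[i + 1]), i + 2
        rules.append((action, proto, src, sport, dst, dport, line.strip()))
    return rules


def evaluate(rules, proto, src, dst, dport, sport=None):
    """Return (action, matched_line) for the first matching rule.
    No match means the PIX implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport, text in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, text
    return "deny", "implicit deny"


RULES = parse_acl(INSIDE_ACCESS_OUT)

# Constructed sample flows: (proto, client, destination, dst port).
SAMPLE_FLOWS = [
    ("tcp", "10.6.1.50", "198.51.100.10", 80),    # ordinary client, direct HTTP
    ("tcp", "10.5.1.111", "198.51.100.10", 80),   # the squid box
    ("tcp", "10.6.1.21", "198.51.100.10", 80),    # Manager1
    ("tcp", "10.6.1.50", "198.51.100.10", 3128),  # external squid port
    ("tcp", "10.6.1.50", "198.51.100.10", 443),   # ordinary client, HTTPS
    ("udp", "10.6.1.50", "198.51.100.10", 53),    # DNS
]

if __name__ == "__main__":
    for proto, src, dst, dport in SAMPLE_FLOWS:
        action, hit = evaluate(RULES, proto, src, dst, dport)
        print("%-4s %-12s -> %s:%-5d %-6s (%s)" % (proto, src, dst, dport, action, hit))
```

Running it shows the direct port-80 request from 10.6.1.50 stopped by the "deny tcp any any eq www" line and the proxy and manager hosts passing on the lines above it. It also shows the one thing worth checking before relying on this list: a client connecting direct to port 443 matches nothing until the trailing "permit ip any any", so HTTPS still bypasses the proxy unless a deny for that port is added ahead of the final permit.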

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.