Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

how do i configure ASA5505  to control certain ip addresses to go thru proxy server for http traffic?

Posted on 2009-04-13
4
Medium Priority
?
956 Views
Last Modified: 2013-11-22
Hi,

How do i configure ASA5505 to control certain ip address to go thru only proxy server for http traffic.My purpose is to restricts users not go to internet with out proxy server.

Gogul
0
Comment
Question by:gogulkar
  • 2
4 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134479
by default, the user are not suppose to be able to access http traffic through modem, but if they do.

you can simply drop a denied access to the internet router.

for example if internet router is 192.168.1.1, use:
#access-list inside_access_in extended deny tcp any 192.168.1.1 eq 80
#access-group inside_access_in in interface inside
OR
#access-list outside_access_out extended deny tcp any 192.168.1.1 eq 80
#access-group outside_access_out out interface outside
0
 
LVL 5

Expert Comment

by:Markus Braun
ID: 24138134
simply add to the inside access-list

line 1 permit tcp host (IP of your proxy) any eq 80
line 2 deny tcp any any eq 80
....
...
...
permitting the proxy first to go to the internet via port 80 and
then blocking everyone else from doing so
keeping in mind you proxy may need more ports for e.g. https/443 or socks/1080
or any other port it needs to function correctly (updates etc)
line 2 will then become 3 or 4 depending on what ports u need in addition - e.g.

line 1 permit tcp host (IP of your proxy) any eq 80
line 2 permit tcp host (IP of your proxy) any eq 443
line 3 permit tcp host (IP of your proxy) any eq 1080
line 4 deny tcp any any eq 80
0
 

Author Comment

by:gogulkar
ID: 24149119
Hi ,

Sorry i forgat to mention my actual purpose,i configured proxy server not to download files but users can browse website,so that i want those users who are not allowed to download files need to go thru proxy server other can go directly.
0
 
LVL 5

Accepted Solution

by:
Markus Braun earned 1500 total points
ID: 24160338
Your proxy server should be able to do that. Give some users the right to download and others not.
On the firewall you can only control that if you use static ip addresses on your client computers. Example: The users that get addresses assigned by a DHCP server, Block that range on the firewall, so they can only use the proxy. The other users that should go to the internet without restrictions, you just put their static ip address in your access-list , so they dont have to use the proxy.
The ASA is not designed for application layer control. So for things like that you have to use a proxy server with the capabilities you need.

I hope that helped
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question