Solved

how do i configure ASA5505  to control certain ip addresses to go thru proxy server for http traffic?

Posted on 2009-04-13
4
855 Views
Last Modified: 2013-11-22
Hi,

How do i configure ASA5505 to control certain ip address to go thru only proxy server for http traffic.My purpose is to restricts users not go to internet with out proxy server.

Gogul
0
Comment
Question by:gogulkar
  • 2
4 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134479
by default, the user are not suppose to be able to access http traffic through modem, but if they do.

you can simply drop a denied access to the internet router.

for example if internet router is 192.168.1.1, use:
#access-list inside_access_in extended deny tcp any 192.168.1.1 eq 80
#access-group inside_access_in in interface inside
OR
#access-list outside_access_out extended deny tcp any 192.168.1.1 eq 80
#access-group outside_access_out out interface outside
0
 
LVL 5

Expert Comment

by:shirkan
ID: 24138134
simply add to the inside access-list

line 1 permit tcp host (IP of your proxy) any eq 80
line 2 deny tcp any any eq 80
....
...
...
permitting the proxy first to go to the internet via port 80 and
then blocking everyone else from doing so
keeping in mind you proxy may need more ports for e.g. https/443 or socks/1080
or any other port it needs to function correctly (updates etc)
line 2 will then become 3 or 4 depending on what ports u need in addition - e.g.

line 1 permit tcp host (IP of your proxy) any eq 80
line 2 permit tcp host (IP of your proxy) any eq 443
line 3 permit tcp host (IP of your proxy) any eq 1080
line 4 deny tcp any any eq 80
0
 

Author Comment

by:gogulkar
ID: 24149119
Hi ,

Sorry i forgat to mention my actual purpose,i configured proxy server not to download files but users can browse website,so that i want those users who are not allowed to download files need to go thru proxy server other can go directly.
0
 
LVL 5

Accepted Solution

by:
shirkan earned 500 total points
ID: 24160338
Your proxy server should be able to do that. Give some users the right to download and others not.
On the firewall you can only control that if you use static ip addresses on your client computers. Example: The users that get addresses assigned by a DHCP server, Block that range on the firewall, so they can only use the proxy. The other users that should go to the internet without restrictions, you just put their static ip address in your access-list , so they dont have to use the proxy.
The ASA is not designed for application layer control. So for things like that you have to use a proxy server with the capabilities you need.

I hope that helped
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now