ejaramillo
asked on
Pix 515 ACL Question
Experts,
I'm installing a content filter that will sit behind a Pix firewall in proxy mode. What I plan on doing on the pix is only allow port 80 and 443 traffic from the content filter outbound and deny all other port 80 and 443 traffic. This way if they remove the proxy setting in their browser they will not be able to bypass the filter.
I need help with the ACL. Would something like this work:
! Entries are checked top-down, first match wins: the proxy host is permitted first
access-list inside_out extended permit tcp host 192.168.1.1 any eq 80
access-list inside_out extended permit tcp host 192.168.1.1 any eq 443
! Then every other host on the proxy's /24 is denied web ports (subnet corrected from 191.168.1.0, which would not match the inside network)
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 443
! Everything else outbound is left alone
access-list inside_out extended permit ip any any
access-group inside_out in interface inside
Would this work???
Thank you in advance for your help!
ASKER CERTIFIED SOLUTION
yes, definitely.
you may also want to allow 80 and 443 from your machine as well, or another server. not sure if denying it will also kill ASDM access from the inside.
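To check the first-match logic of the ACL discussed above before putting it on the firewall, here is a small added evaluator (not from the thread or from Cisco) that parses the access-list lines and walks them the way the PIX does. The sample ACL is constructed from the question with the inside subnet written as 192.168.1.0/24, the /24 the proxy host 192.168.1.1 sits in; the destination addresses are made up.

```python
import ipaddress

# Constructed sample: the ACL from the question, inside subnet 192.168.1.0/24.
ACL_PROXY_ONLY = """
access-list inside_out extended permit tcp host 192.168.1.1 any eq 80
access-list inside_out extended permit tcp host 192.168.1.1 any eq 443
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out extended permit ip any any
"""

def _parse_addr(tokens):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted subnet mask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list" and t[2] == "extended"
        action, proto = t[3], t[4]
        src, rest = _parse_addr(t[5:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None   # None = any port
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src, dst, dport):
    """First matching entry decides; the implicit deny at the end is modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in entries:
        if p not in ("ip", proto):          # 'ip' entries match every protocol
            continue
        if s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_PROXY_ONLY)
    print(evaluate(acl, "tcp", "192.168.1.1", "203.0.113.10", 80))    # permit: the proxy
    print(evaluate(acl, "tcp", "192.168.1.50", "203.0.113.10", 443))  # deny: proxy bypass
    print(evaluate(acl, "tcp", "192.168.1.50", "203.0.113.10", 22))   # permit: other ports untouched
```

Re-running the evaluation with the deny lines pointed at a different subnet (for example the 191.168.1.0 that appeared in the question as posted) shows the clients falling through to the final permit, which is the failure mode the ordering is meant to prevent.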
ASKER
Got it. I want to make sure all other ports going outbound are not affected by the ACL. I just want to make sure they can't bypass the filter if they uncheck the proxy settings. So I think this should work just perfect. :)
I can't try it out until I configure the content filter but I am pretty sure the ACL will work like a champ.
Thanks for the help!
ASKER
access-list extended permit ip any any at the end of the ACL, right?