ejaramillo asked on

Pix 515 ACL Question

Experts,

I'm installing a content filter that will sit behind a Pix firewall in proxy mode. What I plan on doing on the pix is only allow port 80 and 443 traffic from the content filter outbound and deny all other port 80 and 443 traffic. This way if they remove the proxy setting in their browser they will not be able to bypass the filter.

I need help with the ACL. Would something like this work:

access-list inside_out extended permit tcp host 192.168.1.1 any eq 80
access-list inside_out extended permit tcp host 192.168.1.1 any eq 443
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out extended permit ip any any

access-group inside_out in interface inside

Would this work???


Thank you in advance for your help!
Anti-Virus Apps, Cisco

Last Comment: ejaramillo, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
RustyZ32

ejaramillo

ASKER
Still add:

 access-list extended permit ip any any at the end of the ACL, right?
RustyZ32

Yes, definitely.

You may also want to allow 80 and 443 from your machine as well, or another server. Not sure if denying it will also kill ASDM access from the inside.
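As an added example (not part of the thread, and not Cisco code), here is a small Python model of first-match ACL evaluation run over the ACL from the question. It checks the asker's intent (filter host gets out on 80/443, other LAN hosts do not, every other port is untouched) and both points RustyZ32 raises: what the implicit deny does if the final permit ip any any is left off, and that a second host such as an admin workstation needs its own permit line if it must reach port 443 directly. The Rule/Flow/evaluate names are mine; the deny lines are assumed to cover 192.168.1.0/24 (the subnet the filter host 192.168.1.1 sits in), and 203.0.113.10 is a constructed stand-in for an external web server.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of PIX/ASA extended-ACL matching (added example, not Cisco's code).
# It supports only the syntax used in the thread: tcp/udp/ip, 'host', 'NET MASK', 'any', 'eq PORT'.
# It ignores connection state, source ports and traffic addressed to the firewall itself.

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = tok[3], tok[4]

    def take_addr(i: int):
        if tok[i] == "any":
            return ANY, i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        # 'NET MASK' form, e.g. 192.168.1.0 255.255.255.0
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

    src, i = take_addr(5)
    dst, i = take_addr(i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Rule(action, proto, src, dst, dport)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"


# The ACL from the question; deny lines assumed to cover the filter host's own /24.
ACL_LINES = [
    "access-list inside_out extended permit tcp host 192.168.1.1 any eq 80",
    "access-list inside_out extended permit tcp host 192.168.1.1 any eq 443",
    "access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 443",
    "access-list inside_out extended permit ip any any",
]


def build_acl(lines: List[str] = ACL_LINES) -> List[Rule]:
    return [parse_rule(line) for line in lines]


# Constructed sample flows; 203.0.113.10 is a documentation address standing in for a web site.
SAMPLE_FLOWS = {
    "filter_to_web_80":  Flow("tcp", "192.168.1.1", "203.0.113.10", 80),
    "client_to_web_443": Flow("tcp", "192.168.1.50", "203.0.113.10", 443),
    "client_smtp":       Flow("tcp", "192.168.1.50", "203.0.113.10", 25),
    "client_dns":        Flow("udp", "192.168.1.50", "203.0.113.10", 53),
    "admin_pc_443":      Flow("tcp", "192.168.1.20", "203.0.113.10", 443),
}


def verdicts(rules: List[Rule]) -> dict:
    """Verdict for every sample flow, keyed by the flow's name."""
    return {name: evaluate(rules, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("with final 'permit ip any any':   ", verdicts(build_acl()))
    # Drop the last line to see the implicit deny swallow every other port and protocol.
    print("without it (implicit deny):       ", verdicts(build_acl(ACL_LINES[:-1])))
```

With the full ACL the filter host is permitted on 80, a LAN client is denied on 443 but still permitted on 25 and UDP 53, and the admin workstation is denied on 443 just like any other client; removing the final permit ip any any turns the SMTP and DNS verdicts into deny, which is why that line has to stay at the end.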

ejaramillo

ASKER
Got it. I want to make sure all other ports going outbound are not affected by the ACL. I just want to make sure they can't bypass the filter if they uncheck the proxy settings. So I think this should work just perfect. :)

I can't try it out until I configure the content filter but I am pretty sure the ACL will work like a champ.

Thanks for the help!