ejaramillo
Pix 515 ACL Question

Experts,

I'm installing a content filter that will sit behind a Pix firewall in proxy mode. What I plan on doing on the Pix is to only allow port 80 and 443 traffic from the content filter outbound and deny all other port 80 and 443 traffic. This way, if they remove the proxy setting in their browser, they will not be able to bypass the filter.

I need help with the ACL. Would something like this work:

access-list inside_out remark proxy host may go out on 80/443
access-list inside_out extended permit tcp host 192.168.1.1 any eq 80
access-list inside_out extended permit tcp host 192.168.1.1 any eq 443
access-list inside_out remark everyone else on the inside subnet is blocked on 80/443
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out remark all other outbound traffic is unaffected
access-list inside_out extended permit ip any any

access-group inside_out in interface inside

Would this work???


Thank you in advance for your help!
ASKER CERTIFIED SOLUTION
RustyZ32
ejaramillo

ASKER

Still add:

access-list extended permit ip any any at the end of the ACL, right?
Yes, definitely.

You may also want to allow 80 and 443 from your machine as well, or another server. Not sure if denying it will also kill ASDM access from the inside.

Got it. I want to make sure all other ports going outbound are not affected by the ACL. I just want to make sure they can't bypass the filter if they uncheck the proxy settings. So I think this should work just perfect. :)

I can't try it out until I configure the content filter but I am pretty sure the ACL will work like a champ.

Thanks for the help!