Port Block access-list

i have asa firewall...please see attached doc about  my asa configuration...i allow http for isa server ....then the users internet browsing through isa server proxy..but some users installing 3rd part proxy and accessing blocked sites..like ultrasurf,hotshield, etc....so how to block this proxys and how to block this proxys ports?? how to create acccess list for clock this proxys...ultrasurf using port like 9996 and etc....i dont know other proxys using port address....please help me...

asa.TXT
nisartlaaAsked:
Who is Participating?
 
MikeKaneConnect With a Mentor Commented:
Your ACL applied to the inside interfaces seem to block what you need them to block.    

For the whole subnet, I see only,
tcp 2000
udp 2000
udp 2001
udp 56543
udp 62296
tcp smtp
tcp pop3
tcp imap4
icmp

You also have the AllowAll group with full access:
access-list AclIn extended permit ip object-group AllowAll any


So 1st question, is this user in the AllowAll group?  

Next, you have to be aware that you can create tunnel outbound to another proxy on any port .    If you allow pop3 outbound, an expert user can create a tunnel to an outside host and proxy http requests across it.    The only way to keep this from happening is to block all outbound traffic unless it goes through your in house proxy.  

If you know the IP's of the offending proxy sites, you can create an object-group called 'blacklist' and add a "deny ip object-group blacklist any" to block traffic to hosts in that list....  




0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.