Status: Solved

Internet Access Restriction on the network

We have a Cisco PIX-525 running IOS 7.2(3), and we are also using ISA 2004 as a proxy server. We want everyone to go to the internet only via the proxy server. Presently, if anyone happens to bypass the proxy he can still go to the internet.

I need to know what kind of firewall or ISA changes are required to accomplish this. The reason I want this implemented is that currently any visitor can just walk in, connect his laptop to the network and go to the internet without specifying the proxy server address in IE.

Please advise. Thanks.
Asked by tech2010
1 Solution

IamTheMorsa commented:
If you have your users on a different network/VLAN from your servers, then you could just put a rule on the ISA server that denies all traffic from the user network to port 80, 443, etc. If you have everything on the same network, then it gets a little harder, but it's still doable; you just need to get a little crafty with the access rules.
surbabu140977 commented:
If you have domain controllers, push the rule to go via the DC to your users. In the ASA, allow only traffic sourced from the ISA server IP to go outside; the rest is dropped.

Remember that you will need a domain controller that is controlling your LAN; only then is it possible. Otherwise, put the ACL in the ASA and send a company-wide message/email to make users point their browser at the ISA server IP. Anyone who doesn't do that will not be able to go out.

Best,

tech2010 (author) commented:
Users are on the same network as ISA, so I need to know what access rules need to be in place.
IamTheMorsa commented:
Are you using DHCP to assign IPs for the users? If so, then add that range to be blocked at the firewall. This will stop rogue users from trying to get on the Internet directly.
rwellender commented:
A simple access list and access group should block all but the proxy server:

access-list outbound permit ip host (ip address of the proxy server) any

access-group outbound in interface (name of inside interface)

Of course, you may want to add any other servers/IPs or protocols that need access out. The implied "deny all" will block everything else outbound, so you may need to review whatever else is on the network besides users.

In addition, do your users have an internal DNS server? If not, add the following:

access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq domain

That would allow DNS queries outbound.
Keith Alabaster (Enterprise Architect) commented:
I assume you have a single-NIC ISA Server acting JUST as a proxy rather than a two-NIC ISA Server acting as a firewall/proxy?
This being the case, you cannot simply drop an ACL onto the PIX, as some of the traffic will not necessarily use the ISA's NAT address.

I am already struggling with the concept that you would allow ANYONE to simply plug their computer into your internal network in the first place, but hey, it's your network, your responsibility.
tech2010 (author) commented:
Thanks rwellender. Our proxy server is not in the DMZ but on the same LAN subnet as the other users, so should this access-list rule still apply? So basically you are saying to block the whole LAN IP range or the DHCP pool IPs using this access list, and just allow the proxy server and the other servers that need direct access to the internet?

Also, I did not understand what you were saying about DNS. We have an internal DNS server like any other company, which resolves NetBIOS names and any internet addresses. So I guess I will need to allow the DNS servers so that they can go to the internet to resolve names outbound?
tech2010 (author) commented:
Yes, I have a single NIC on the proxy server, as on any other computer on the network.
rwellender commented:
Simple answers: yes, yes and yes.

The access list would apply on the inside interface (same LAN subnet). The approach is to block everything and then allow only what needs outbound access.

Another approach would be to block just the DHCP range and allow everything else, but the drawback would be the users who are technical enough to assign static IPs on their PCs outside of the DHCP range.

On the DNS question, you are correct: the DNS servers would need access outbound. You can either provide access for any IP protocol or restrict it to just the TCP and UDP ports they need. I would recommend giving the servers full IP access outbound.
tech2010 (author) commented:
So are the lines below enough? Please add or correct any missing bits.

access-list outbound permit ip host (ip address of the proxy server) any
access-list outbound permit ip host (ip address of the web server) any
access-list outbound permit ip host (ip address of the DNS server) any
access-group outbound in interface (name of inside interface)

Where did we specify to block everything else? Do I need this line "access-list outbound permit ip any any eq dns"?
rwellender commented:
The 'access-list outbound deny ip any any' is implied at the end of the access list. You don't have to add it; it is a logical part of any access list.

The entry for permit any any eq DNS would be needed only if you had all PCs pulling DNS information from an outside source; since you use internal DNS, you don't need it.
tech2010 (author) commented:
Ah, I see, interesting. So presently I don't have any access-list for outbound, and as soon as I add these outbound permit statements it will block everything else by itself?

I would like to create an object-group, specify all the IP addresses in there, and then just use one line for access-list outbound permit ip object-group, and then access-group outbound to apply it on the inside interface.
rwellender commented:
Yes, on Cisco access lists the deny all is implied at the end.

An example for using the object group would be:
(Servers can be changed to any name you want)

object-group network Servers
 description allowed IPs
 network-object 10.x.x.x 255.255.255.255 (to permit 1 host)
 network-object 10.x.x.x 255.255.255.0 (to permit a range)

access-list outbound extended permit IP object-group Servers any

access-group outbound in interface inside
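Added example (my own code, not from the thread) that models the two PIX approaches rwellender compares: the allow-list that relies on the implied deny, and the deny-the-DHCP-pool variant that a user with a static IP outside the pool slips past. The subnet, DHCP pool and the three server addresses are constructed assumptions, and render_pix_config() is a hypothetical helper that emits the object-group form shown above.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample addressing for the thread's scenario (assumed, not from the post):
# users, servers and the single-NIC ISA proxy all sit on one inside subnet.
LAN = ipaddress.ip_network("10.0.0.0/24")
DHCP_POOL = ipaddress.ip_network("10.0.0.128/25")   # range handed out to user PCs
SERVERS = {                                         # object-group network Servers
    "proxy": ipaddress.ip_network("10.0.0.10/32"),
    "dns": ipaddress.ip_network("10.0.0.11/32"),
    "web": ipaddress.ip_network("10.0.0.12/32"),
}

def allowlist_acl():
    """Permit only object-group Servers; every other inside host falls through
    to the implied 'deny ip any any' at the end of the list."""
    return [("permit", net, ANY) for net in SERVERS.values()]

def dhcp_block_acl():
    """The alternative: deny the DHCP pool, then permit all other inside hosts."""
    return [("deny", DHCP_POOL, ANY), ("permit", ANY, ANY)]

def evaluate(acl, src, dst="203.0.113.1"):
    """First-match evaluation as on a PIX; no match ends in the implied deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def render_pix_config():
    """Emit the object-group form of the allow-list for the inside interface."""
    lines = ["object-group network Servers", " description allowed IPs"]
    lines += [f" network-object host {net.network_address}" for net in SERVERS.values()]
    lines += ["access-list outbound extended permit ip object-group Servers any",
              "access-group outbound in interface inside"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_pix_config())
    # 10.0.0.200 is a DHCP client; 10.0.0.50 is a visitor who set a static IP.
    for name, acl in (("allow-list", allowlist_acl()), ("dhcp-block", dhcp_block_acl())):
        for host in ("10.0.0.10", "10.0.0.200", "10.0.0.50"):
            print(f"{name:10} {host:12} -> {evaluate(acl, host)}")
```

The output shows the static-IP host is denied by the allow-list but permitted by the DHCP-block variant, which is the drawback rwellender points out.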
tech2010 (author) commented:
Great, thanks.