Solved

Internet Access Restriction on the network

Posted on 2011-03-03
Last Modified: 2012-05-11
We have a Cisco PIX 525 running IOS 7.2(3), and we are also using ISA 2004 as a proxy server. We want everyone to go to the internet only via the proxy server. Presently, if anyone happens to bypass the proxy, he can still go to the internet.

I need to know what kind of firewall or ISA changes are required to accomplish this. The reason I want this implemented is that currently any visitor can just walk in, connect his laptop to the network and go to the internet without specifying the proxy server address in IE.

Please advise. Thanks.
Question by:tech2010

14 Comments
 
LVL 3

Expert Comment

by:IamTheMorsa
If you have your users on a different network/VLAN from your servers, then you could just put a rule on the ISA server that denies all traffic from the user network to port 80, 443, etc. If you have everything on the same network, then it gets a little harder, but it's still doable; you just need to get a little crafty with the access rules.
 
LVL 17

Expert Comment

by:surbabu140977
If you have domain controllers, push the rule to go via the DC to your users. In the ASA, allow only traffic sourced from the ISA server IP to go outside; the rest is dropped.

Remember that you will need a domain controller that is controlling your LAN; only then is it possible. Otherwise, put the ACL in the ASA and send a company-wide message/email to get users to point their browser at the ISA server IP. Anyone who doesn't do that will not be able to go out.

Best,
 

Author Comment

by:tech2010
Users are on the same network as ISA, so I need to know what access rules need to be in place.
 
LVL 3

Expert Comment

by:IamTheMorsa
Are you using DHCP to assign IPs to the users? If so, then add that range to be blocked at the firewall. This will stop rogue users from trying to get on the Internet directly.
 
LVL 1

Expert Comment

by:rwellender
A simple access list and access group should block all but the proxy server:

access-list outbound permit ip host (ip address of the proxy server) any

access-group outbound in interface (name of inside interface)

Of course, you may want to add any other servers/IPs or protocols that need access out. The implied "deny all" will block everything else outbound, so you may need to review whatever else is on the network besides users.

In addition, do your users have an internal DNS server? If not, add the following:

access-list outbound permit udp any any eq domain

That would allow DNS queries outbound.
 
LVL 51

Expert Comment

by:Keith Alabaster
I assume you have a single-NIC ISA Server acting JUST as a proxy rather than a two-NIC ISA Server acting as a firewall/proxy?
This being the case, you cannot simply drop an ACL onto the PIX, as some of the traffic will not necessarily use the ISA's NAT address.

I am already struggling with the concept that you would allow ANYONE to simply plug their computer into your internal network in the first place, but hey, it's your network, your responsibility.
 

Author Comment

by:tech2010
Thanks rwellender. Our proxy server is not in the DMZ but on the same LAN subnet as the other users. So should this access-list rule still apply? So basically you are saying to block all the LAN IPs or DHCP pool IPs using this access list and just allow the proxy server and the other servers that need direct access to the internet?

Also, I did not understand what you were saying about DNS. We have an internal DNS server like any other company, which resolves NetBIOS names and any internet addresses. So I guess I will need to allow the DNS servers so that they can go to the internet to resolve names outbound?

Author Comment

by:tech2010
Yes, I have a single NIC on the proxy server, as on any other computer on the network.
 
LVL 1

Expert Comment

by:rwellender
Simple answers: yes, yes and yes.

The access list would apply on the inside interface (same LAN subnet). The approach is to block everything and then allow only what needs outbound access.

Another approach would be to block just the DHCP range and allow everything else, but the drawback would be the users that are technical enough to assign static IPs on their PCs outside of the DHCP range.

On the DNS question, you are correct: the DNS servers would need access outbound. You can either provide access for any IP protocol or restrict it to just the TCP and UDP ports they need. I would recommend giving the servers full IP access outbound.
 

Author Comment

by:tech2010
So are the lines below enough? Please add or correct any missing bits.

access-list outbound permit ip host (ip address of the proxy server) any
access-list outbound permit ip host (ip address of the web server) any
access-list outbound permit ip host (ip address of the DNS server) any
access-group outbound in interface (name of inside interface)

Where did we specify to block everything else? Do I need this line "access-list outbound permit udp any any eq domain"?
 
LVL 1

Expert Comment

by:rwellender
The 'access-list outbound deny ip any any' is implied at the end of the access list. You don't have to add it; it is a logical part of any access list.

The entry for permit any any eq domain would be needed only if you had all PCs pulling DNS information from an outside source; since you use internal DNS, you don't need it.
 

Author Comment

by:tech2010
Ah, I see, interesting. So presently I don't have any outbound access list, and as soon as I add these outbound permit statements it will block everything else by itself?

I would like to create an object-group, specify all the IP addresses in there, and then just use one line for access-list outbound permit ip object-group, and then access-group outbound to apply it on the inside interface.
 
LVL 1

Accepted Solution

by:
rwellender earned 500 total points
Yes, on Cisco access lists, the deny all is implied at the end.

An example for using the object group would be:
(Servers can be changed to any name you want)

object-group network Servers
 description allowed IPs
 ! a /32 mask permits a single host
 network-object 10.x.x.x 255.255.255.255
 ! a /24 mask permits a whole range
 network-object 10.x.x.x 255.255.255.0

access-list outbound extended permit ip object-group Servers any

access-group outbound in interface inside
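The two approaches discussed in this thread (deny just the DHCP range, or permit only a server object-group and rely on the implicit deny) can be compared by modelling first-match ACL evaluation. The following Python model is an added example, not part of the original thread and not rwellender's configuration; the addresses (inside LAN 10.0.0.0/24, DHCP pool 10.0.0.128/25, proxy 10.0.0.10, DNS 10.0.0.5, web server 10.0.0.20, outside host 203.0.113.80) are constructed for illustration.

```python
"""Model of the PIX outbound ACL discussed in the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses, not from the thread.
PROXY = "10.0.0.10"        # ISA 2004, single NIC
DNS = "10.0.0.5"           # internal DNS server
WEB = "10.0.0.20"          # published web server
DHCP_POOL = ipaddress.ip_network("10.0.0.128/25")
OUTSIDE = "203.0.113.80"   # some host on the internet (TEST-NET-3)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port


def host(ip):
    """Equivalent of 'host x.x.x.x' / a 255.255.255.255 network-object."""
    return ipaddress.ip_network(f"{ip}/32")


def evaluate(acl, src, dst, proto, dport):
    """First matching entry wins; falling off the end is the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Approach 1 from the thread: block the DHCP range, allow everything else.
BLOCK_DHCP_ACL = [
    Ace("deny", "ip", DHCP_POOL, ANY),
    Ace("permit", "ip", ANY, ANY),
]

# Approach 2 (accepted answer): permit only the object-group of servers;
# every other inside host falls through to the implicit deny.
SERVERS_ACL = [
    Ace("permit", "ip", host(PROXY), ANY),
    Ace("permit", "ip", host(WEB), ANY),
    Ace("permit", "ip", host(DNS), ANY),
]

# Constructed outbound flows as the PIX inside interface sees them.
# A browser configured for the proxy never reaches the PIX with the
# client's address: the ISA box opens the outbound session itself,
# so the source is the proxy's own IP.
FLOWS = {
    "via_proxy":      (PROXY,        OUTSIDE, "tcp", 80),
    "dns_server":     (DNS,          OUTSIDE, "udp", 53),
    "dhcp_visitor":   ("10.0.0.150", OUTSIDE, "tcp", 80),  # laptop in the pool, proxy bypassed
    "static_visitor": ("10.0.0.50",  OUTSIDE, "tcp", 80),  # manually set IP outside the pool
    "pc_direct_dns":  ("10.0.0.150", OUTSIDE, "udp", 53),  # PC querying an outside resolver
}


def decisions(acl):
    """Verdict for every sample flow under the given ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("block DHCP range", BLOCK_DHCP_ACL), ("servers only", SERVERS_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {name:15} {verdict}")
```

Running it shows the gap rwellender pointed out: under the "block DHCP range" list the visitor who sets a static address outside the pool is still permitted, while under the servers-only list that host, the DHCP visitor and any PC talking directly to an outside resolver all fall through to the implicit deny, and only the proxy and the DNS server get out.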
 

Author Comment

by:tech2010
Great, thanks.