Solved

Internet Access Restriction on the network

Posted on 2011-03-03
Last Modified: 2012-05-11
We have a Cisco PIX-525 running OS 7.2(3), and we are using ISA 2004 as a proxy server. We want everyone to go to the Internet only via the proxy server. Presently, if anyone happens to bypass the proxy, he can still get to the Internet.

I need to know what kind of firewall or ISA changes are required to accomplish this. The reason I want this implemented is that currently any visitor can just walk in, connect his laptop to the network and get to the Internet without specifying the proxy server address in IE.

Please advise. Thanks.
Question by:tech2010
14 Comments
 
LVL 3

Expert Comment

by:IamTheMorsa
ID: 35027436
If you have your users on a different network / VLAN from your servers, then you could just put a rule on the ISA server that denies all traffic from the user network to port 80, 443, etc. If you have everything on the same network, then it gets a little harder, but it's still doable; you just need to get a little crafty with the access rules.
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 35027481
If you have domain controllers, push the rule to go via the DC to your users. In the ASA, allow only traffic sourced from the ISA server IP to go outside and drop the rest.

Remember that you will need a domain controller that is controlling your LAN; only then is it possible. Otherwise, put the ACL in the ASA and send a company-wide message/email to make users point their browsers at the ISA server IP. Anyone who doesn't do that will not be able to go out.

Best,


0
 

Author Comment

by:tech2010
ID: 35027487
Users are on the same network as ISA, so I need to know what access rules need to be in place.
0
 
LVL 3

Expert Comment

by:IamTheMorsa
ID: 35027543
Are you using DHCP to assign IPs to the users? If so, then add that range to be blocked at the firewall. This will stop rogue users from trying to get on the Internet directly.
0
 
LVL 1

Expert Comment

by:rwellender
ID: 35027677
A simple access list and access group should block all but the proxy server:

access-list outbound permit ip host (ip address of the proxy server) any

access-group outbound in interface (name of inside interface)

Of course, you may want to add any other servers/IPs or protocols that need access out. The implied "deny all" will block everything else outbound, so you may need to review whatever else is on the network besides users.

In addition, do your users have an internal DNS server? If not, add the following (DNS is UDP port 53, named "domain" on the PIX, so the entry is written against udp rather than ip):

access-list outbound permit udp any any eq domain

That would allow DNS queries outbound.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35028006
I assume you have a single-NIC ISA Server acting JUST as a proxy rather than a two-NIC ISA Server acting as a firewall/proxy?
This being the case, you cannot simply drop an ACL onto the PIX, as some of the traffic will not necessarily use the ISA's NAT address.

I am already struggling with the concept that you would allow ANYONE to simply plug their computer into your internal network in the first place but hey it's your network, your responsibility.
0
 

Author Comment

by:tech2010
ID: 35028164
Thanks rwellender. Our proxy server is not on the DMZ but on the same LAN subnet as the other users. So should this access-list rule still apply? Basically you are saying to block the whole LAN IP range or the DHCP pool IPs using this access list and just allow the proxy server and other servers that need direct access to the Internet?

Also, I did not understand what you are saying about DNS. We have an internal DNS server like any other company, which resolves NetBIOS names and any Internet addresses. So I guess I will need to allow the DNS servers so that they can go out to the Internet to resolve names?
0
 

Author Comment

by:tech2010
ID: 35028186
Yes, I have a single NIC on the proxy server, like any other computer on the network.
0
 
LVL 1

Expert Comment

by:rwellender
ID: 35028282
Simple answers: yes, yes and yes.

The access list would apply on the inside interface (same LAN subnet). The approach is to block everything and then allow only what needs outbound access.

Another approach would be to block just the DHCP range and allow everything else, but the drawback would be the users that are technical enough to assign static IPs on their PCs outside of the DHCP range.

On the DNS question, you are correct: the DNS servers would need access outbound. You can either provide access for any IP protocol or restrict it to just the TCP and UDP ports they need. I would recommend giving the servers full IP access outbound.
0
 

Author Comment

by:tech2010
ID: 35028588
So are the lines below enough? Please add or correct any missing bits.

access-list outbound permit ip host (ip address of the proxy server) any
access-list outbound permit ip host (ip address of the web server) any
access-list outbound permit ip host (ip address of the DNS server) any
access-group outbound in interface (name of inside interface)

Where did we specify to block everything else? Do I need this line: "access-list outbound permit ip any any eq dns"?
0
 
LVL 1

Expert Comment

by:rwellender
ID: 35028711
The 'access-list outbound deny ip any any' is implied at the end of the access list. You don't have to add it; it is a logical part of any access list.

The entry for permit any any eq DNS would be needed only if you had all PCs pulling DNS information from an outside source. Since you use internal DNS, you don't need it.
0
 

Author Comment

by:tech2010
ID: 35029008
Ah, I see, interesting. So presently I don't have any access list for outbound, and as soon as I add these outbound permit statements it will block everything else by itself?

I would like to create an object-group, specify all the IP addresses in there, and then just use one line for "access-list outbound permit ip object-group ..." and then "access-group outbound" to apply it on the inside interface.
0
 
LVL 1

Accepted Solution

by:
rwellender earned 500 total points
ID: 35029210
Yes, on Cisco access lists, the deny all is implied at the end.

An example using the object group would be:
(Servers can be changed to any name you want)

object-group network Servers
 description allowed IPs
 network-object 10.x.x.x 255.255.255.255 (to permit 1 host)
 network-object 10.x.x.x 255.255.255.0 (to permit a range)

access-list outbound extended permit ip object-group Servers any

access-group outbound in interface inside
0
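An added example, not from the thread: a small Python model of how the PIX evaluates an inside-interface ACL (first matching entry wins, implicit deny ip any any at the end). It compares rwellender's allow-list object-group approach with the block-the-DHCP-pool alternative he warns about; the LAN, pool range, proxy and DNS addresses are all constructed.

```python
import ipaddress

# Constructed addressing for the example; nothing here comes from the thread.
LAN = ipaddress.ip_network("10.1.1.0/24")          # single flat user/server LAN
DHCP_POOL = ipaddress.ip_network("10.1.1.128/25")  # range handed out to clients
PROXY = ipaddress.ip_network("10.1.1.10/32")       # single-NIC ISA proxy
DNS = ipaddress.ip_network("10.1.1.5/32")          # internal DNS, needs outbound
ANY = ipaddress.ip_network("0.0.0.0/0")


def first_match(acl, src):
    """Evaluate an ACL the way the PIX does on the inside interface:
    entries are checked in order, the first whose source matches decides,
    and a trailing 'deny ip any any' is implied when nothing matched."""
    addr = ipaddress.ip_address(src)
    for action, networks in acl:
        if any(addr in net for net in networks):
            return action
    return "deny"


# Policy A: permit only the object-group 'Servers' (proxy + DNS), as in
#   object-group network Servers / network-object host ...
#   access-list outbound extended permit ip object-group Servers any
ACL_ALLOWLIST = [("permit", [PROXY, DNS])]

# Policy B: deny the DHCP pool, permit everything else on the LAN.
ACL_BLOCK_DHCP = [("deny", [DHCP_POOL]), ("permit", [ANY])]


def compare(src):
    """Return the verdict of both policies for one source address."""
    return {
        "allowlist": first_match(ACL_ALLOWLIST, src),
        "block_dhcp": first_match(ACL_BLOCK_DHCP, src),
    }


if __name__ == "__main__":
    # Proxy passes both; a DHCP client is denied by both; a visitor who
    # hand-picks a static address outside the pool slips past policy B only.
    for label, host in [("proxy", "10.1.1.10"), ("dhcp client", "10.1.1.200"),
                        ("static visitor", "10.1.1.50")]:
        print(f"{label:15} {host:12} {compare(host)}")
```

The last row is the gap rwellender points out: only the allow-list policy also denies the host that chose its own address outside the pool.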
 

Author Comment

by:tech2010
ID: 35031058
Great, thanks.
0
