Firewall / Proxy server rules logic
  • Firewall / Proxy server rules logic

    Hi all.

    I'm confused (as usual). All I'm trying to do is stop access to the internet unless it's via the proxy using rules on a Cisco Pix 515.

    No matter what I do something seems to stop working. I'd like to have all other outgoing ports open as a catch all.

    What really gets me is that sometimes it looks like it's working and then I find something that doesn't work and the only way I can seem to get it to work is to delete the outbound rules so the implicit rule kicks in.

    What I need is just the logic rules i.e. this morning I tried;

    An allow rule for the proxy server outbound for all ports.
    A deny rule for port 80 for all internal addresses.
    An allow rule for all ports for all internal addresses.

    I know the rules above conflict and I'm not sure how the PIX resolves them.

    I think part of the issue could be the proxy (ISA 2000 I think) as I can't tell if pages are coming cached from the proxy or from the web (hence why some sites work and others don't?)...

  • #2
    Re: Firewall / Proxy server rules logic

    Hi chief007,

    Thanks for your post!

    Hmm, If you only want the proxy server to be able to access the Internet and you want all clients to go through the proxy server for web access, then the rule on the PIX should be to permit any for the proxy server (and have a NAT). Or, if you only want web browsing, you could just permit 80 and 443 for the proxy server.

    On the proxy server, you could turn off caching to ensure that you are only getting current pages.

    Also, on ISA, are you only using web proxy or do you have secure NAT or the firewall client turned on?

    Please post your PIX ACL.

    Thanks,
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: Firewall / Proxy server rules logic

      Hi David,

      If I set up an allow all rule for the proxy server will this remove the implicit outbound rule? The problem is that the developers use lots of apps that use bespoke ports so they need all (other) ports open outbound.

      How can I achieve this while still allowing Http and SSL through only the proxy?

      The ISA server is caching only.



      • #4
        Re: Firewall / Proxy server rules logic

        There are many functioning ways to do what you are trying to do.

        At one point, my company only used ISA for all internet access. In doing so, we had the same issues. We had some people that only needed web browsing and others that needed full access (because they had so many apps with non-standard ports).

        What we did was to enable web proxy on ISA and configure all web browsers pointing to the proxy server (including developers).

        Then on the developers (non-standard ports), we installed the ISA firewall client. This allowed them full internet access.

        Alternatively,
        Another way would be to create a PAT pool on the PIX for the IPs that the developers use and create a stateful ACL for full internet access. Then, use web proxy for everyone else.

        On the ISA server, there are benefits to using web proxy for web browsing - reporting and add-in modules, if you are trying to track or restrict web browsing using ISA web proxy.

        I hope that makes some sense and is helpful. Let me know if you have any more questions!

        Thanks
        David Davis - Petri Forums Moderator & Video Training Author



        • #5
          Re: Firewall / Proxy server rules logic

          Cracked it. I think the "Allow all" outbound rule was defaulting to tcp rather than IP which was stopping DNS resolution.

          So in the end it took 4 rules:
          1. Allow all outbound IP for the proxy server
          2. Block outbound http (port 80) for all clients
          3. Block outbound https for all clients
          4. Allow all outbound IP for all clients

          And that seems to work.

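The top-down, first-match logic that both the opening post's three conflicting rules and post #5's final four rules rely on, as an added Python model that is not code from the thread or from the PIX; the proxy and LAN addresses are constructed, and the evaluator assumes the PIX behaviour of first match wins with an implicit deny at the end. It also flags rules that an earlier rule shadows, and reproduces the tcp-instead-of-ip catch-all mistake post #5 describes.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: str              # source network in CIDR form
    dport: Optional[int]  # destination port, None means any port


def evaluate(rules: List[Rule], proto: str, src_ip: str, dport: int) -> str:
    """First-match ACL: the first rule that matches decides, no match is an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if ip not in ipaddress.ip_network(r.src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit deny at the end of every ACL


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already covers them."""
    out = []
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(r.src)
        for e in rules[:i]:
            if (e.proto in ("ip", r.proto) and net.subnet_of(ipaddress.ip_network(e.src))
                    and e.dport in (None, r.dport)):
                out.append(i)
                break
    return out


PROXY = "10.0.0.5/32"  # constructed address for the ISA proxy
LAN = "10.0.0.0/24"    # constructed internal network

# Post #5's working order: proxy first, then the web denies, then the catch-all.
FINAL = [
    Rule("permit", "ip", PROXY, None),
    Rule("deny", "tcp", LAN, 80),
    Rule("deny", "tcp", LAN, 443),
    Rule("permit", "ip", LAN, None),
]
# Same rules with the catch-all entered as tcp: clients lose UDP, so DNS (udp/53) fails.
BROKEN = FINAL[:3] + [Rule("permit", "tcp", LAN, None)]
# Catch-all placed before the denies: both denies are shadowed and direct web access is open.
MISORDERED = [FINAL[0], FINAL[3], FINAL[1], FINAL[2]]
```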


          • #6
            Re: Firewall / Proxy server rules logic

            Hi Chief,

            That's great news!

            Thanks for your question,
            David Davis - Petri Forums Moderator & Video Training Author
