PIX 525: Prevent internal clients 'bypassing proxy'...

Discussion in 'Cisco' started by Martin, Jan 24, 2007.

  1. Martin

    Martin Guest

    Hi,

    I'm looking for some advice on the following problem:

    Our PIX 525's inside IP address can be added as a default gateway to
    Windows XP clients, so they can, in effect, turn off their Internet
    Explorer proxy settings and enjoy a straight-out Internet connection.

    I want to exclude clients in the DHCP range from being able to do this,
    whilst still allowing servers in the rest of the scope to use the
    straight-out Internet connection. We also need to make sure we're not
    barring clients in the DHCP range from accessing the DMZ.

    The inside IP of the PIX is 10.123.30.253

    The DHCP range of the clients is 10.123.0.1 - 10.123.7.254
    (255.255.248.0)
    Servers start at 10.123.60.0 (255.255.0.0)

    The DMZ range is 10.124.16.0/255.255.255.0

    I was hoping to do this with access-lists, but my initial attempts
    would block clients' access to the DMZ also. I was wondering if somebody
    might be able to point me in the right direction with this?

    Would be very appreciative of any advice.

    Thanks
     
    Martin, Jan 24, 2007
    #1

  2. "Martin" <> wrote:

    > Our PIX 525's inside IP address can be added as a default gateway to
    > Windows XP clients, so they can, in effect, turn off their Internet
    > Explorer proxy settings and enjoy a straight-out Internet connection.
    >
    > I want to exclude clients in the DHCP range from being able to do this,
    > whilst still allowing servers in the rest of the scope to use the
    > straight-out Internet connection. We also need to make sure we're not
    > barring clients in the DHCP range from accessing the DMZ.
    >
    > The inside IP of the PIX is 10.123.30.253
    >
    > The DHCP range of the clients is 10.123.0.1 - 10.123.7.254
    > (255.255.248.0)
    > Servers start at 10.123.60.0 (255.255.0.0)
    >
    > The DMZ range is 10.124.16.0/255.255.255.0
    >
    > I was hoping to do this with access-lists, but my initial attempts
    > would block clients' access to the DMZ also. I was wondering if somebody
    > might be able to point me in the right direction with this?

    A simple example:

    access-list in2out permit ip 10.123.0.0 255.255.0.0 10.124.16.0 255.255.255.0
    access-list in2out deny ip 10.123.0.0 255.255.248.0 any
    access-list in2out permit ip 10.123.0.0 255.255.0.0 any
    access-group in2out in interface inside
     
    Jyri Korhonen, Jan 24, 2007
    #2
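An added example, not code from the thread or from Cisco: a small Python model of the PIX first-match evaluation for the access-list lines above, run against constructed sample hosts. It assumes only the `access-list NAME permit|deny ip SRC MASK DST MASK` form used in the reply, and shows why the DMZ permit must come before the deny on the DHCP block.

```python
import ipaddress

# PIX applies an inbound access-group top-down: the first matching line decides and
# anything matching no line is dropped (implicit deny). Only the reply's
# 'access-list NAME permit|deny ip SRC MASK DST MASK' form is modelled; 'any' is 0.0.0.0/0.

def _net(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    rules = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue  # the access-group line binds the ACL to an interface, it is not a rule
        action, tokens = tokens[2], tokens[4:]  # tokens[3] is the protocol keyword 'ip'
        src, tokens = _net(tokens)
        dst, _ = _net(tokens)
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation with implicit deny, as applied inbound on 'inside'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action
    return "deny"

# The reply's ordering: permit the whole inside /16 to the DMZ, deny the DHCP /21, permit the rest.
WORKING = """
access-list in2out permit ip 10.123.0.0 255.255.0.0 10.124.16.0 255.255.255.0
access-list in2out deny ip 10.123.0.0 255.255.248.0 any
access-list in2out permit ip 10.123.0.0 255.255.0.0 any
access-group in2out in interface inside
"""
# Same lines with the deny moved first: reproduces the symptom of DHCP clients losing the DMZ.
_lines = WORKING.strip().splitlines()
DENY_FIRST = "\n".join([_lines[1], _lines[0]] + _lines[2:])

# Constructed sample hosts (not from the thread): DHCP client, server, DMZ host, Internet address.
CLIENT, SERVER, DMZ, NET = "10.123.3.20", "10.123.60.10", "10.124.16.5", "198.51.100.1"

def decisions(config):
    rules = parse_acl(config)
    return {"client->dmz": evaluate(rules, CLIENT, DMZ), "client->net": evaluate(rules, CLIENT, NET),
            "server->net": evaluate(rules, SERVER, NET), "server->dmz": evaluate(rules, SERVER, DMZ)}
```

`decisions(WORKING)` permits the client only to the DMZ and the server to both, while `decisions(DENY_FIRST)` denies the client everything, including the DMZ.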

  3. Martin

    Martin Guest

    Thanks for that, very useful! I was half-way there but was missing the
    point with the permit/deny structure. I've got it working now, and I
    understand where I went wrong.

    Thanks again.

    On 24 Jan, 15:13, "Jyri Korhonen" <>
    wrote:
    > "Martin" <> wrote:
    > > Our PIX 525's inside IP address can be added as a default gateway to
    > > Windows XP clients, so they can, in effect, turn off their Internet
    > > Explorer proxy settings and enjoy a straight-out Internet connection.
    > >
    > > I want to exclude clients in the DHCP range from being able to do this,
    > > whilst still allowing servers in the rest of the scope to use the
    > > straight-out Internet connection. We also need to make sure we're not
    > > barring clients in the DHCP range from accessing the DMZ.
    > >
    > > The inside IP of the PIX is 10.123.30.253
    > >
    > > The DHCP range of the clients is 10.123.0.1 - 10.123.7.254
    > > (255.255.248.0)
    > > Servers start at 10.123.60.0 (255.255.0.0)
    > >
    > > The DMZ range is 10.124.16.0/255.255.255.0
    > >
    > > I was hoping to do this with access-lists, but my initial attempts
    > > would block clients' access to the DMZ also. I was wondering if somebody
    > > might be able to point me in the right direction with this?
    >
    > A simple example:
    >
    > access-list in2out permit ip 10.123.0.0 255.255.0.0 10.124.16.0 255.255.255.0
    > access-list in2out deny ip 10.123.0.0 255.255.248.0 any
    > access-list in2out permit ip 10.123.0.0 255.255.0.0 any
    > access-group in2out in interface inside
     
    Martin, Jan 25, 2007
    #3