Help needed with school DSL router configuration - Cisco 678 Fitler

Discussion in 'Cisco' started by Gerald Kelly, Sep 30, 2004.

  1. Gerald Kelly

    Gerald Kelly Guest

    We ordered DSL for our christian school. The DSL itself works great and is
    very fast.
    I was asked to set this up; however, they wanted two things done. One is
    to have a filter
    in place to protect the students and also to have access restrictions based
    on username/password.

    Our internet provider ( offers a filter which is based on
    Cerberian (
    The way in which you access it is through a proxy.

    concerning the access control that the school requested I chose to use
    ccproxy (
    This proxy is really simple to setup and use - and cheap.

    Since there are 2 proxies here, ccproxy can point to another proxy (cascaded
    proxy), I just pointed it to mstar's filter
    proxy and all is well.

    As you know the cisco 678 can be configured for PPP or Bridge Mode. I chose
    PPP mode because I wanted the
    cisco to have it's own IP address and sit on the network as opposed to
    hanging off a second network card on the server. The reason for this is
    that I wanted to do the following:
    - use the 678's DHCP server for the network computers
    - allow nat port mapping to allow me into the network remotely.

    Even though each computer on the network *could* have direct access to the
    internet for browsing the web, I wanted them to go through a proxy anyway to
    control access. CCProxy is thus installed on a "server" (Win2K pro)
    to act as the gateway.

    I was then going to set up the 678's filters to *only* allow only the Win2k
    server outoing TCP access for all ports
    through wan0-0. But allow everone to go "through" it it for ports 110 and
    143 (pop and imap) and possibly
    an intant messenger port.

    The problem was setting up the filter. I could never seem to get the right
    combination of "set filter" commands to
    work. Just when I thought I was getting close, all traffic was blocked.
    Finally, I gave up did temporary solution. I
    established a second *lan* and put the cisco on it an put a second network
    card in the *server* so it could sit
    on both networks. CCproxy worked fine in this scenario as well. btw, in
    case it isn't obvious, I did *not* set up
    ICS on the server. ccproxy was used instead. However, now the work
    stations do not have the ability to go out though port 110 or 143 unless I
    use ccproxy's way of handling that.

    My question is this: was what I was attempting reasonable? If not, what
    would have been a better plan?

    If it was reasonable, does anyone know the Cisco 678's "set filter" commands
    that would allow this?


    Gerald Kelly
    Gerald Kelly, Sep 30, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.