PIX 525: Prevent internal clients 'bypassing proxy'...

Discussion in 'Cisco' started by Martin, Jan 24, 2007.

  1. Martin

    Martin Guest

    Hi,

    I'm looking for some advice on the following problem:

    Our PIX 525's inside IP address can be added as a default gateway to
    Windows XP clients, so they can, in effect, turn off their Internet
    Explorer proxy settings and enjoy a straight-out Internet connection.

    I want to exclude clients in the DHCP range from being able to do this,
    whilst still allowing servers in the rest of the scope to use the
    straight-out Internet connection. We also need to make sure we're not
    barring clients in the DHCP range from accessing the DMZ.

    The inside IP of the PIX is 10.123.30.253

    The DHCP range of the clients is 10.123.0.1 - 10.123.7.254
    (255.255.248.0)
    Servers start at 10.123.60.0 (255.255.0.0)

    The DMZ range is 10.124.16.0/255.255.255.0

    I was hoping to do this with access-lists, but my initial attempts
    would block clients access to the DMZ also. I was wondering if somebody
    might be able to point me in the right direction with this?

    Would be very appreciative of any advice.

    Thanks
     
    Martin, Jan 24, 2007
    #1


  2. A simple example:

    access-list in2out permit ip 10.123.0.0 255.255.0.0 10.124.16.0 255.255.255.0
    access-list in2out deny ip 10.123.0.0 255.255.248.0 any
    access-list in2out permit ip 10.123.0.0 255.255.0.0 any
    access-group in2out in interface inside
     
    Jyri Korhonen, Jan 24, 2007
    #2
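    An added check, not from either poster: a small first-match simulator for the in2out access-list above, written in Python, so the permit/deny order can be verified against the thread's own ranges before it is applied. It assumes PIX semantics (real subnet masks rather than IOS wildcard masks, top-down evaluation, implicit deny at the end) and uses constructed sample hosts, with 203.0.113.10 standing in for an Internet address.

```python
# Added example (not from the thread): first-match simulator for the in2out
# access-list posted above. PIX ACLs take real subnet masks (not IOS wildcard
# masks), are evaluated top-down, and end with an implicit deny.
import ipaddress

ACL_TEXT = """
access-list in2out permit ip 10.123.0.0 255.255.0.0 10.124.16.0 255.255.255.0
access-list in2out deny ip 10.123.0.0 255.255.248.0 any
access-list in2out permit ip 10.123.0.0 255.255.0.0 any
"""

def _take_net(parts):
    """Pop 'any' or 'ADDR MASK' from the front of parts; return a network."""
    if parts[0] == "any":
        del parts[0]
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = parts[0], parts[1]
    del parts[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:1] != ["access-list"] or parts[3:4] != ["ip"]:
            raise ValueError(f"unsupported line: {line}")
        action, rest = parts[2], parts[4:]
        src = _take_net(rest)
        dst = _take_net(rest)
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action
    return "deny"

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed hosts: a DHCP client, a server, and a documentation-range
    # Internet address (203.0.113.10) standing in for "the Internet".
    for src, dst in [("10.123.3.7", "10.124.16.5"),
                     ("10.123.3.7", "203.0.113.10"),
                     ("10.123.60.10", "203.0.113.10")]:
        print(f"{src} -> {dst}: {evaluate(RULES, src, dst)}")
```

    Swapping the deny line below the final permit makes the DHCP client's Internet test come back "permit", which is the ordering mistake the original poster describes.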

  3. Martin

    Martin Guest

    Thanks for that, very useful! I was half-way there but was missing the
    point with the permit/deny structure. I've got it working now, and I
    understand where I went wrong.

    Thanks again.
     
    Martin, Jan 25, 2007
    #3