RE: Proxy server

From: Steve Means <smeans_at_ccbootcamp.com>
Date: Tue, 23 Jun 2009 07:03:23 -0700

I've got a firewall config for you:

access-list INSIDE permit tcp any host x.x.x.x eq 8080
(where x.x.x.x is the IP of your proxy and 8080 is the port)
access-list INSIDE deny ip any any log
!
access-group INSIDE in interface inside

Meaning do not allow internal users to go to the web AT ALL, only to the
proxy. It always amazes me when people have restrictive outside->in policy but
not the other way around. Least access principle. Poke holes if you have to
for job functions, but at least start by locking down access. Of course the
use of this depends on your existing access policy, hopefully you have a
written one. :D

WCCP and PBR are other solutions, but then they still have access out for
things other than HTTP. This leaves you with the possibility of private
proxy/reverse proxy and any number of other workarounds.

Steve Means
Security Instructor/Consultant
smeans_at_ccbootcamp.com
CCBOOTCAMP - A Cisco Learning Partner
877.654.2243 Toll Free
+1.702.968.5100 Direct Outside the USA
+1.702.446.0357 Fax
YES! We take Cisco Learning Credits

________________________________

From: nobody_at_groupstudy.com on behalf of Dale Shaw
Sent: Tue 6/23/2009 5:10 AM
To: Ali El Moussaoui
Cc: omar maiah; ccielab_at_groupstudy.com
Subject: Re: Proxy server

Hi Ali,

On Tue, Jun 23, 2009 at 10:03 PM, Ali El Moussaoui<mousawi.ali_at_gmail.com>
wrote:
> Oh Really! Man I tried it on 3750 (Metro) and 2960 and couldn't find it. Ya
> true this feature is not really well documented. One big problem I faced
> with WCCP is that Router ID cannot be hard-coded, it's automatically
> computed and I don't like it!!!
> Ali

Yeah. On the 3750 you need to use the 'routing' SDM template to make
it work (like PBR), but it does work. You need to use L2 redirect and
mask assign, you can't use 'redirect out' and you need to be careful
what your ACL does if you use a redirect-list (traffic can be punted
to the CPU for processing, which kills performance) -- those are just
the restrictions that come to mind. It's a similar story on the 6500.

On Tue, Jun 23, 2009 at 10:06 PM, omar maiah<omar.maiah_at_gmail.com> wrote:
> another question maybe it's silly but I don't have a clue about proxy
> servers,
> when a user sends an HTTP request using a proxy, does the proxy change the
> source or the destination IP address?

When using a proxy in non-transparent mode (i.e. the client is
explicitly configured with the proxy's IP and port), the client makes
a TCP connection with the proxy, issues the request (e.g. HTTP GET),
then the proxy server establishes a second connection to the
destination server. There are two (or more, depending on HTTP)
separate TCP connections involved. The destination server sees the
request coming from the proxy server, not the original client,
although it is possible through HTTP headers for the destination
server to know the connection was proxied.

cheers,
Dale
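The two-connection flow Dale describes, as an added example that is not part of this thread: a constructed origin web server and a minimal explicit (non-transparent) HTTP proxy, both on localhost. The origin records the TCP source port it sees, which turns out to be the proxy's upstream socket rather than the client's, and the `Via` / `X-Forwarded-For` headers the proxy inserts are the only evidence left that the request was proxied (the header values and "demo-proxy" name are made up for the demo).

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SEEN = {}  # what the origin server and the proxy observed (constructed demo state)
class Origin(BaseHTTPRequestHandler):  # constructed origin web server
    def do_GET(self):
        SEEN["peer_port"] = self.client_address[1]      # TCP source port the origin sees
        SEEN["via"] = self.headers.get("Via")            # hop-by-hop evidence of a proxy
        SEEN["xff"] = self.headers.get("X-Forwarded-For")
        body = b"hello from origin"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    log_message = lambda self, *args: None              # keep the demo quiet
def read_until_eof(sock):
    chunks = []
    while data := sock.recv(65536):
        chunks.append(data)
    return b"".join(chunks)
def proxy_one_request(listener):  # minimal explicit proxy: conn 1 from client, conn 2 to origin
    conn, client = listener.accept()
    raw = b""
    while b"\r\n\r\n" not in raw:
        raw += conn.recv(65536)
    lines = raw.split(b"\r\n\r\n")[0].decode().split("\r\n")
    method, url, version = lines[0].split()   # an explicit proxy receives the absolute URL
    u = urlsplit(url)
    hdrs = [h for h in lines[1:] if not h.lower().startswith(("host:", "proxy-"))]
    hdrs += [f"Host: {u.netloc}", "Via: 1.1 demo-proxy", f"X-Forwarded-For: {client[0]}"]
    upstream = socket.create_connection((u.hostname, u.port))   # second TCP connection
    SEEN["proxy_src_port"] = upstream.getsockname()[1]
    upstream.sendall(("\r\n".join([f"{method} {u.path or '/'} {version}"] + hdrs) + "\r\n\r\n").encode())
    conn.sendall(read_until_eof(upstream))   # relay the origin's reply back over connection 1
    upstream.close(); conn.close()

def fetch_through_proxy():
    origin = HTTPServer(("127.0.0.1", 0), Origin)
    threading.Thread(target=origin.serve_forever, daemon=True).start()
    listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(1)
    threading.Thread(target=proxy_one_request, args=(listener,), daemon=True).start()
    client = socket.create_connection(("127.0.0.1", listener.getsockname()[1]))
    target = f"http://127.0.0.1:{origin.server_address[1]}/"
    client.sendall(f"GET {target} HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n".encode())
    client_port = client.getsockname()[1]
    reply = read_until_eof(client)
    client.close(); origin.shutdown()
    return {"client_port": client_port, "reply": reply, **SEEN}
```

Calling `fetch_through_proxy()` returns a dict in which `peer_port` equals `proxy_src_port` and differs from `client_port`, which is exactly why an inside ACL that only permits traffic to the proxy still lets the proxy reach the web on the clients' behalf.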

Received on Tue Jun 23 2009 - 07:03:23 ART