Re: Proxy server

From: omar maiah <omar.maiah_at_gmail.com>
Date: Tue, 23 Jun 2009 23:25:23 +0400

Nice and simple, but this will restrict everything else, like telnet and ICMP,
won't it? And shall we only allow TCP port 8080?
Because I'm using a proxy on port 80,
I do two statements:

access-list 101 permit tcp host proxy_IP any eq www
access-list 101 permit tcp host proxy_IP any eq 8080
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 8080
access-list 101 permit ip any any

What do you think?

On Tue, Jun 23, 2009 at 6:03 PM, Steve Means <smeans_at_ccbootcamp.com> wrote:

> I've got a firewall config for you:
>
> access-list INSIDE permit tcp any host x.x.x.x eq 8080 (where x.x.x.x is
> the IP of your proxy and 8080 is the port)
> access-list INSIDE deny ip any any log
> !
> access-group INSIDE in interface inside
>
> Meaning do not allow internal users to go to the web AT ALL, only to the
> proxy. It always amazes me when people have a restrictive outside->in policy
> but not the other way around. Least access principle. Poke holes if you have
> to for job functions, but at least start by locking down access. Of course
> the use of this depends on your existing access policy; hopefully you have a
> written one. :D
>
> WCCP and PBR are other solutions, but then they still have access out for
> things other than HTTP. This leaves you with the possibility of private
> proxy/reverse proxy and any number of other workarounds.
>
> Steve Means
> Security Instructor/Consultant
> smeans_at_ccbootcamp.com
> CCBOOTCAMP - A Cisco Learning Partner
> 877.654.2243 Toll Free
> +1.702.968.5100 Direct Outside the USA
> +1.702.446.0357 Fax
> YES! We take Cisco Learning Credits
>
> ------------------------------
> *From:* nobody_at_groupstudy.com on behalf of Dale Shaw
> *Sent:* Tue 6/23/2009 5:10 AM
> *To:* Ali El Moussaoui
> *Cc:* omar maiah; ccielab_at_groupstudy.com
> *Subject:* Re: Proxy server
>
> Hi Ali,
>
> On Tue, Jun 23, 2009 at 10:03 PM, Ali El Moussaoui<mousawi.ali_at_gmail.com>
> wrote:
> > Oh really! Man, I tried it on a 3750 (Metro) and a 2960 and couldn't find it.
> > Yeah, true, this feature is not really well documented. One big problem I faced
> > with WCCP is that the Router ID cannot be hard-coded; it's automatically
> > computed and I don't like it!!!
> > Ali
>
> Yeah. On the 3750 you need to use the 'routing' SDM template to make
> it work (like PBR), but it does work. You need to use L2 redirect and
> mask assign, you can't use 'redirect out' and you need to be careful
> what your ACL does if you use a redirect-list (traffic can be punted
> to the CPU for processing, which kills performance) -- those are just
> the restrictions that come to mind. It's a similar story on the 6500.
>
> On Tue, Jun 23, 2009 at 10:06 PM, omar maiah<omar.maiah_at_gmail.com> wrote:
> > Another question, maybe it's silly, but I don't have a clue about proxy
> > servers: when a user sends an HTTP request using a proxy, does the proxy
> > change the source or the destination IP address?
>
> When using a proxy in non-transparent mode (i.e. the client is
> explicitly configured with the proxy's IP and port), the client makes
> a TCP connection with the proxy, issues the request (e.g. HTTP GET),
> then the proxy server establishes a second connection to the
> destination server. There are two (or more, depending on HTTP)
> separate TCP connections involved. The destination server sees the
> request coming from the proxy server, not the original client,
> although it is possible through HTTP headers for the destination
> server to know the connection was proxied.
>
> cheers,
> Dale
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Eng. Omar Ma'ayah
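The two access lists in this thread (Steve's INSIDE list and the five-line list 101 above) can be checked mechanically rather than by eye. What follows is an added example, not code posted in the thread: a small evaluator for the subset of Cisco extended-ACL syntax the two lists use (`any` / `host`, optional `eq <port>`, first match wins, implicit deny at the end), run over constructed sample flows. The addresses 10.0.0.10 (proxy), 10.0.0.50 (client) and 203.0.113.80 (web server) are placeholders I chose for `x.x.x.x` / `proxy_IP`, and the evaluator assumes every listed flow crosses the interface where the list is applied inbound.

```python
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23}   # IOS keywords used in the thread's lists


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None  # from 'eq <port>', if present


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [log]'.
    Only the 'any' and 'host A.B.C.D' address forms are supported (no wildcard masks)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tok[2], tok[3]
    i, addrs = 4, []
    for _ in range(2):                     # source, then destination
        if tok[i] == "any":
            addrs.append("any"); i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address syntax in: {line}")
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, addrs[0], addrs[1], dport)


def matches(ace: Ace, f: Flow) -> bool:
    return ((ace.proto == "ip" or ace.proto == f.proto)
            and ace.src in ("any", f.src)
            and ace.dst in ("any", f.dst)
            and (ace.dport is None or ace.dport == f.dport))


def evaluate(acl, f: Flow) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, f):
            return ace.action
    return "deny"


PROXY, CLIENT, WEB = "10.0.0.10", "10.0.0.50", "203.0.113.80"   # assumed addresses

INSIDE = [parse_ace(l) for l in (          # Steve's list, x.x.x.x filled in
    f"access-list INSIDE permit tcp any host {PROXY} eq 8080",
    "access-list INSIDE deny ip any any log",
)]

ACL_101 = [parse_ace(l) for l in (         # Omar's list, proxy_IP filled in
    f"access-list 101 permit tcp host {PROXY} any eq www",
    f"access-list 101 permit tcp host {PROXY} any eq 8080",
    "access-list 101 deny tcp any any eq www",
    "access-list 101 deny tcp any any eq 8080",
    "access-list 101 permit ip any any",
)]

FLOWS = {                                  # constructed sample traffic
    "client->proxy:8080": Flow("tcp", CLIENT, PROXY, 8080),
    "client->web:80":     Flow("tcp", CLIENT, WEB, 80),
    "client->web:443":    Flow("tcp", CLIENT, WEB, 443),
    "client->host:23":    Flow("tcp", CLIENT, WEB, 23),
    "client->host icmp":  Flow("icmp", CLIENT, WEB),
    "proxy->web:80":      Flow("tcp", PROXY, WEB, 80),
}


def verdicts(acl) -> dict:
    """Verdict of one access list for every sample flow."""
    return {name: evaluate(acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, acl in (("INSIDE", INSIDE), ("101", ACL_101)):
        print(name)
        for flow, v in verdicts(acl).items():
            print(f"  {flow:<20} {v}")
```

Running it shows the trade-off the thread is discussing: INSIDE permits only the client-to-proxy flow and denies everything else (telnet, ICMP, 443 and, if the proxy's own outbound traffic crosses the same interface, the proxy's fetch as well), whereas 101 lets telnet, ICMP and port 443 straight out and blocks only 80 and 8080. Order matters too: because the two deny lines in 101 come before `permit ip any any`, a client's own connection to the proxy on 80 or 8080 is matched by them under the assumption above, unless the proxy sits behind a different interface.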
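Dale's description of a non-transparent proxy (two separate TCP connections, the origin seeing the proxy rather than the client, and headers that reveal the hop) can be reproduced on a loopback interface. The following is an added example, not code from anyone in the thread: a toy forward proxy (GET only, no CONNECT) and a stub origin server, both on ephemeral 127.0.0.1 ports, with a client that sends an absolute-form request line to the proxy. The `Via` token `example-proxy` and the class and function names are my own choices; the `Via` and `X-Forwarded-For` header names are the standard ones.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# What the origin server observed about the request it received.
SEEN = {}


class Origin(BaseHTTPRequestHandler):
    """The destination web server. It only ever talks to the proxy."""

    def do_GET(self):
        SEEN["peer"] = self.client_address          # (ip, port) of the proxy's outbound socket
        SEEN["via"] = self.headers.get("Via")
        SEEN["xff"] = self.headers.get("X-Forwarded-For")
        body = b"hello from origin"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class Proxy(BaseHTTPRequestHandler):
    """Minimal non-transparent forward proxy (GET only, no CONNECT)."""

    def do_GET(self):
        # Connection 1 (client -> proxy) carries an absolute-form request line,
        # e.g. 'GET http://origin:port/path HTTP/1.1', so the proxy knows the target.
        target = urlsplit(self.path)
        # Connection 2 (proxy -> origin): a new TCP connection from the proxy's
        # own address. The origin never sees the client's socket.
        upstream = http.client.HTTPConnection(target.hostname, target.port)
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("host", "proxy-connection")}
        # Standard headers that let the origin tell the request was proxied.
        headers["Via"] = "1.1 example-proxy"              # assumed token
        headers["X-Forwarded-For"] = self.client_address[0]
        upstream.request("GET", target.path or "/", headers=headers)
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        # Relay the origin's answer back over connection 1.
        self.send_response(resp.status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a server on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy():
    """Client -> proxy -> origin; return what each side saw."""
    origin, proxy = serve(Origin), serve(Proxy)
    o_host, o_port = origin.server_address
    p_host, p_port = proxy.server_address
    try:
        client = http.client.HTTPConnection(p_host, p_port)   # client only knows the proxy
        client.request("GET", f"http://{o_host}:{o_port}/index.html")
        client_port = client.sock.getsockname()[1]            # capture before the reply closes it
        resp = client.getresponse()
        body = resp.read()
        client.close()
    finally:
        for s in (origin, proxy):
            s.shutdown()
            s.server_close()
    return {
        "status": resp.status,
        "body": body,
        "via": SEEN["via"],
        "xff": SEEN["xff"],
        "client_port": client_port,
        "origin_saw_port": SEEN["peer"][1],   # the proxy's outbound port, not the client's
    }


if __name__ == "__main__":
    print(fetch_via_proxy())
```

On loopback both sides share the address 127.0.0.1, so the observable difference is the port: the origin records the proxy's outbound ephemeral port, never the client's, and learns that a proxy was involved only from the `Via` and `X-Forwarded-For` headers the proxy chose to add.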
Blogs and organic groups at http://www.ccie.net
Received on Tue Jun 23 2009 - 23:25:23 ART
