To stop this immediately, create an access list on the ASA that only allows traffic to come from the IP address of the Proxy server. You may also need to allow some specific traffic from other servers, to allow for services such as software updates, NTP or others.
A better approach is to separate the Internet access into a separate VLAN. First create the new VLAN on your network switches that connect to the server and to the ASA, and all those in between. Then change the ASA interface to a switch port in this new VLAN, and change the IP address to a new subnet for this VLAN. Next, if the interface card in the server supports this, create a new connection in a separate subnet between the server and the ASA, and change the default gateway of the Proxy server to the new IP of the ASA in this new subnet. You can also do this using a second interface card in the server, if the existing interface card in the server does not directly support VLANs.
This will stop people bypassing the proxy. If other servers need the direct access described above, then each will need the second card, or will need to have access to the new VLAN.
Please note: if you create a new subnet for this, you may need to make some other changes to the configuration of the ASA that reference the existing subnet. The most likely is to change the subnet used in the NAT command, but there may be others as well.
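
The access list described in the first paragraph could look like the following on the ASA. This is an added example, not part of the original post: the interface name `inside`, the ACL name `INSIDE_OUT`, the proxy address 10.1.1.10 and the NTP-using server 10.1.1.20 are all constructed placeholders to be replaced with your own values.

```cisco
! Constructed example: 10.1.1.10 = proxy server, 10.1.1.20 = a server that needs NTP.
! Interface name "inside" and ACL name INSIDE_OUT are assumptions.

! Only the proxy may open web sessions to the Internet.
access-list INSIDE_OUT remark Proxy server is the only host allowed out for web traffic
access-list INSIDE_OUT extended permit tcp host 10.1.1.10 any eq www
access-list INSIDE_OUT extended permit tcp host 10.1.1.10 any eq https

! Specific exceptions for other servers (NTP shown here).
access-list INSIDE_OUT remark Exception: time synchronisation from one named server
access-list INSIDE_OUT extended permit udp host 10.1.1.20 any eq ntp

! Everything else from the internal network is dropped and logged,
! so attempts to go around the proxy show up in syslog.
access-list INSIDE_OUT remark Block and log all other outbound traffic
access-list INSIDE_OUT extended deny ip any any log

! Apply the list to traffic entering the ASA from the internal network.
access-group INSIDE_OUT in interface inside

! Checks after applying:
!   show access-list INSIDE_OUT
!     (hit counts on the deny line indicate hosts still trying to bypass the proxy)
!   packet-tracer input inside tcp 10.1.1.50 12345 198.51.100.1 www
!     (10.1.1.50 is a constructed client address; the result should be a drop by the ACL)
```

If the proxy is later moved into its own VLAN and subnet as described above, the host addresses in this list need to be updated to match the new subnet.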