Cisco ASA 5520

Tags:
Cisco ASA
Cisco Firewall
I have a Cisco ASA 5520 as my firewall and a proxy server. I want all users to access internet via proxy server but some users change their gateway to Cisco ASA and access web without being filtered. How can I block these users to use proxy server only?

Software/Hardware used:
Hardware

Answer Wiki


To stop this immediately, create an access list on the ASA that only allows traffic to come from the IP address of the Proxy server. You may also need to allow some specific traffic from other servers, to allow for services such as software updates, NTP or others.

Better will be to separate the Internet access into a separate VLAN. First create the new VLAN on your network switches that connect to the server and to the ASA, and all those in between. Then change the ASA interface to a switch port in this new VLAN, and change the IP address to a new subnet for this VLAN. Next, if the interface card in the server supports this, create a new connection in a separate subnet between the server and the ASA, and change the default gateway of the Proxy server to the new IP of the ASA in this new subnet. You can also do this using a second interface card in the server, if the existing interface card in the server does not directly support VLANs.

This will stop people bypassing the proxy. If other servers need the direct access described above, then each will need the second card, or will need to have access to the new VLAN.

Please note. If you create a new subnet for this, you may need to make some other changes to the configuration of the ASA that reference the existing subnet. The most likely is to change the subnet used in the NAT command, but there may be others as well.
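
The access list approach from the first paragraph of the answer, written out as an added example (not part of the original answer). The ACL name `INSIDE_IN`, the interface name `inside` and all addresses are assumptions: 10.1.1.10 stands for the proxy server and 10.1.1.20 for another server that needs direct NTP access.

```cisco
! Constructed values: 10.1.1.10 = proxy server, 10.1.1.20 = server needing NTP,
! "inside" = name of the ASA interface facing the users (assumption).
access-list INSIDE_IN remark Only the proxy may send web traffic to the Internet
access-list INSIDE_IN extended permit tcp host 10.1.1.10 any eq www
access-list INSIDE_IN extended permit tcp host 10.1.1.10 any eq https
! Assumption: the proxy resolves names through an external DNS server
access-list INSIDE_IN extended permit udp host 10.1.1.10 any eq domain
access-list INSIDE_IN remark Specific exceptions for other servers (NTP here)
access-list INSIDE_IN extended permit udp host 10.1.1.20 any eq ntp
access-list INSIDE_IN remark Drop and log everything else, including users who set the ASA as gateway
access-list INSIDE_IN extended deny ip any any log
! Apply the list to traffic entering the ASA from the user side
access-group INSIDE_IN in interface inside
```

After applying it, `show access-list INSIDE_IN` lists a hit count per entry; a rising count on the final deny line, together with its log messages, identifies clients that still point their default gateway at the ASA.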
