You can do this, but there are some issues you are likely not aware of that you will need to address first.
The issue you are going to have with the PIX inline with a Proxy Server however is going to be with NAT and PAT.
A Proxy Server is essentially a “PAT BOX”. Proxies use PAT to allow the “many to one” scenario. The PIX likewise uses NAT and PAT.
The problem you will run into is often referred to as “double NAT”. NAT/PAT tables can get screwed up as varying RANDOM port numbers are assigned by the two devices performing NAT/PAT along the path. You will have to NAT/PAT on the PIX if it is the perimeter device where your registered IPs are applied if you want your hosts to get to the Internet. This can interfere with some applications and will definitely slow down your Internet as PAT and NAT do their thing. And of course you can't implement a Proxy Server without the use of PAT. Without PAT the proxy's not a proxy.
It's kind of a catch 22. You can't turn off PAT on the proxy if you want it to actually Proxy, and if you want to use your IANA registered addresses to surf the web, then you won't be able to turn off NAT on the PIX (something you can do if using private addresses on both interfaces, or if you have registered addresses on the inside).
As far as your question on how to restrict the traffic to certain hosts, well, that's the easy part. Just allow NAT to the address of your Proxy's outside interface, or use an outbound ACL permitting only traffic from the Proxy to the Internet. (I would stay away from outbound ACLs as they tend to be problematic).
But your real issue is not restricting traffic, it's using NAT and PAT through these 2 devices.
Let me be clear, you CAN double NAT if you want to. I see it all the time. But it will slow down your Internet, and cause plenty of errors and dropped connections, and some traffic will not work at all. Double NAT is just a bad way to fly.
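As an added illustration of the two restriction options described in this answer (this is example configuration written for this page, not part of the original post), here is a PIX 6.x fragment that lets only the proxy's PIX-facing address out. The interface assignments, the 10.1.1.0/24 inside network, the proxy address 10.1.1.5, the registered address 203.0.113.10 and the access-list name `inside_out` are all constructed placeholders.

```cisco
! Added example, not from the original post. PIX 6.x syntax.
! All addresses are constructed RFC 1918 / RFC 5737 placeholders:
!   inside network 10.1.1.0/24, proxy's PIX-facing interface 10.1.1.5,
!   registered address used for PAT on the outside: 203.0.113.10
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Option 1: make only the proxy's address eligible for NAT/PAT.
! An inside host with no matching nat statement is never translated,
! so it cannot reach the Internet directly and must use the proxy.
nat (inside) 1 10.1.1.5 255.255.255.255
global (outside) 1 203.0.113.10 netmask 255.255.255.255

! Option 2: filter with an access-list applied inbound on the inside
! interface (this is how "outbound" filtering is expressed on the PIX).
! Every PIX access-list ends in an implicit deny; the explicit deny line
! is there only so the drops can be seen in the logs.
access-list inside_out permit ip host 10.1.1.5 any
access-list inside_out deny ip any any
access-group inside_out in interface inside
```

Option 1 alone is usually enough and matches the answer's preference for avoiding outbound ACLs; Option 2 is shown for completeness and can be combined with it. Neither option removes the double NAT/PAT the answer warns about: the proxy still PATs its clients to 10.1.1.5, and the PIX then PATs 10.1.1.5 to 203.0.113.10.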