This is not a full-fledged proxy; I call it a stateful proxy. Here, the right side of the firewall is the inside network and the left side is the untrusted connection. The test used a VMware guest as the inside host, while the outside network was reached over a DSL connection from the Windows XP host OS, and it was successful: when any website was accessed, the traffic was intercepted by the security appliance, which asked for a username and password and dropped the connection if they were not correct. In this configuration the cut-through proxy is used to intercept egress TCP connections only.
Configuration of Firewall:
hostname pixfirewall
domain-name default.domain.invalid
enable password oyM4X.DeOBQWUivD encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
nameif inside
security-level 100
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd Q6PcEw0JPNC8SDNU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list icmp_in extended permit icmp any any
access-list private_ip_from_outside extended deny ip 10.0.0.0 255.0.0.0 any
access-list private_ip_from_outside extended deny ip 172.16.0.0 255.248.0.0 any
access-list private_ip_from_outside extended permit icmp any any
access-list private_ip_from_outside extended deny tcp any any eq 445
access-list private_ip_from_outside extended deny tcp any any eq 137
access-list deny_inside_to_outside extended deny tcp 192.168.0.0 255.255.0.0 any eq 445
access-list deny_inside_to_outside extended permit ip any any
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! for letting data traffic flow from inside to outside
global (outside) 1 192.168.1.100
global (outside) 1 192.168.1.101
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group private_ip_from_outside in interface outside
access-group deny_inside_to_outside in interface inside
! default route to outside hop ip i.e. 192.168.1.1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 3:00:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! authentication based on the service accessed, in this case all tcp-based services (i.e. http, ftp, telnet, etc.)
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication secure-http-client
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
!
!
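To check what this configuration actually does to a given connection without a firewall at hand, here is an added example (my own code, not from the post and not Cisco tooling) that parses the access-list, access-group and aaa lines copied from the configuration above and replays a new connection through them. It is a simplified model: it implements first-match semantics with the implicit deny at the end of an inbound ACL, handles only the syntax the page uses (ip/tcp/icmp, `any` or address plus netmask, optional `eq <port>` on the destination), applies the `aaa authentication include tcp/0 inside` match only to connections the ACL permits, and raises an error for an interface with no inbound ACL rather than modelling the default security-level policy. Two hygiene checks are included: `unbound_acls` reports ACLs defined but never applied (`icmp_in` on this page), and `has_local_users` reports whether any `username` entries are present, which the LOCAL database needs; the configuration as posted shows none, so they must exist outside the listing or be added. The `CONFIG` text, `Flow` class and sample addresses are constructed for the example.

```python
"""Flow simulator for the cut-through-proxy configuration above.

Added example, not code from the original post. It re-implements, in a
simplified form, the first-match semantics of an ASA/PIX extended
access-list bound inbound to an interface, plus the match performed by
'aaa authentication include', so the effect of each line can be checked
without a firewall. Interfaces with no inbound ACL are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the access-list, access-group and aaa lines copied
# from the posted configuration.
CONFIG = """\
access-list icmp_in extended permit icmp any any
access-list private_ip_from_outside extended deny ip 10.0.0.0 255.0.0.0 any
access-list private_ip_from_outside extended deny ip 172.16.0.0 255.248.0.0 any
access-list private_ip_from_outside extended permit icmp any any
access-list private_ip_from_outside extended deny tcp any any eq 445
access-list private_ip_from_outside extended deny tcp any any eq 137
access-list deny_inside_to_outside extended deny tcp 192.168.0.0 255.255.0.0 any eq 445
access-list deny_inside_to_outside extended permit ip any any
access-group private_ip_from_outside in interface outside
access-group deny_inside_to_outside in interface inside
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # destination port from "eq", if any


@dataclass
class Flow:                         # hypothetical helper type for the example
    ingress: str                    # interface the first packet arrives on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens):
    """Consume 'any' or '<address> <netmask>' and return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Return (acls by name, interface -> inbound ACL name, aaa include rules)."""
    acls, bindings, auth = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            src, rest = _take_addr(t[5:])
            dst, rest = _take_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
        elif t[0] == "access-group":
            bindings[t[4]] = t[1]   # access-group <acl> in interface <ifname>
        elif t[:3] == ["aaa", "authentication", "include"]:
            # aaa authentication include <proto/port> <if> <local ip mask> <foreign ip mask>
            local = ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False)
            foreign = ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False)
            auth.append((t[3].split("/")[0], t[4], local, foreign))
    return acls, bindings, auth


def evaluate(flow, config=CONFIG):
    """Return (verdict, matched line, auth_required) for a new connection."""
    acls, bindings, auth = parse(config)
    if flow.ingress not in bindings:
        raise ValueError(f"no inbound ACL on {flow.ingress}; default policy not modelled")
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    verdict, reason = "deny", "implicit deny at end of ACL"
    for n, ace in enumerate(acls[bindings[flow.ingress]], 1):
        if ace.proto in ("ip", flow.proto) and src in ace.src and dst in ace.dst \
                and (ace.dport is None or ace.dport == flow.dport):
            verdict, reason = ace.action, f"{bindings[flow.ingress]} line {n}"
            break
    # the cut-through proxy only challenges connections the ACL lets through
    auth_required = verdict == "permit" and any(
        p == flow.proto and i == flow.ingress and src in loc and dst in fgn
        for p, i, loc, fgn in auth)
    return verdict, reason, auth_required


def unbound_acls(config=CONFIG):
    """ACLs that are defined but never applied with access-group."""
    acls, bindings, _ = parse(config)
    return set(acls) - set(bindings.values())


def has_local_users(config=CONFIG):
    """LOCAL authentication needs 'username <name> password <pw>' entries."""
    return any(line.startswith("username ") for line in config.splitlines())


if __name__ == "__main__":
    for f in (Flow("inside", "tcp", "192.168.56.10", "203.0.113.80", 80),
              Flow("outside", "tcp", "203.0.113.9", "192.168.1.100", 445)):
        print(f, "->", evaluate(f))
    print("unbound ACLs:", unbound_acls(), "| local users:", has_local_users())
```

Running it shows the two effects the post describes: a web connection from the inside host is permitted by line 2 of `deny_inside_to_outside` and then challenged for credentials, while SMB on port 445 is dropped in both directions before any authentication happens; anything from outside that no line permits falls to the implicit deny.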