From: Chris 

Having managed a network behind a Pix 515 and a Pix 515e, I do know what
you are talking about.  There is an easy solution to the internet access,
IF you want to block ALL internet access for those users.  Let me explain,
with the following assumptions:

1) You are using private IP addressing 2) Your managers are using a
different IP subnet than the users who should not have
"unrestricted" access.

Here is how I might try it (based on the assumptions and information I have):

Management all uses addresses in the 192.168.1.0/24 subnet (253 possible
addresses for use)
The "Users" (those with restricted internet access) are on 10.0.0.0/24.

Have a proxy server at 192.168.1.2. On the firewall, enable the filters
(called Access Control Lists, or ACLs) to PERMIT unrestricted access on the
internal port I to the external port E from the source address range of
192.168.1.0/24 (255.255.255.0).
Add ACL rules to the firewall that DENY any internet access from the IP
range 10.0.0.0/24 (255.255.255.0).  Force their browsers to look to the
proxy on 192.168.1.2 for internet access.  IF there is a specific site that
you don't mind them going to and you know the IP address, you CAN create
rules to permit that traffic as well, but a proxy server sounds like a
better solution for a large number of users, otherwise you will be forever
editing those ACLs.

Does this help?  If you want more info, please email me at
NOchris{at}SPk7sle.AMcom.  Take out the capital letters from the email
address.

/Chris

Ellen K. wrote:
> OK, I'm starting to get it.  So a "proxy server" can be all software?
>
> Well, the reason the two cases seemed similar to me is that they both
> require the firewall to know more than IP addresses.   But it does seem
> like having to know who is trying to access you is harder than knowing
> whom to access.
>
> No idea whether pix provides a proxy and maybe the guy in charge of it
> doesn't know either, he was the one who said the internal IP addresses
> would have to be fixed.   I do know that it lets you configure rules on
> a port-by-port basis which can be IP-address-based and/or time-based, I
> found that out when I was researching our FTP practices.
>
> On Sun, 27 Mar 2005 17:40:30 -0800, "Rich"  wrote in message
> :
>
>
>>  The proxy server is what enforces the rules on what can or can not be
accessed.  How you do this depends on the proxy server used.  Whatever
component knows about internal IP addresses would know about users instead.
>>
>>  Using static IP for the proxy is more like the reverse of the pcaw issue.
For pcaw you want to be able to access this machine from your client
system. For the proxy, it doesn't want to access the internal machines. 
They access it.  It would use this information to apply its machine access
rules.
>>
>>  I don't know pix other than that it is a firewall.  Does it provide a proxy
too?
>>
>>Rich
>>
>> "Ellen K."
 wrote in message
news:cdme41h26mnfona6m5sttd6huae03q9mvr{at}4ax.com...
>> Where does the authentication happen then?   Does the firewall have to
>> know who all the users are?    Do you feel up to explaining in simple
>> terms what a proxy server is?
>>
>> Re the pcAW, it sounds similar to what you are saying about the other
>> question, i.e. if the firewall knows the machines by name, it doesn't
>> have to know their internal IP address.   Is that correct?   This
>> similarilty leads me to question whether maybe our firewall -- or the
>> person in charge of it -- only knows how to deal with IP addresses.  It
>> is a Pix firewall.
>>
>> On Sun, 27 Mar 2005 17:01:53 -0800, "Rich" 
wrote in message
>> :
>>
>> >   I agree with the proxy though not the fixed address.  Use proxy
authentication so that the rules apply to users and not the computers.
>> >
>> >   You shouldn't need a fixed internal IP for pcAW unless this is a pcAW
restriction.  As long as you have dynamic DNS or similar internal name
resolution you should be able to use a dynamic address.  Just refer to the
machine by name instead of IP.
>> >
>> >Rich
>> >
>> >  "Ellen K."
 wrote in message
news:frie411ubovd2ghdv5f67hdqd2rdcd22vq{at}4ax.com...
>> >  Not my area of responsibility but I always like to help if I can:
>> >  We want to restrict the rank-and-file users to a few allowed
sites like
>> >  FedEx and UPS.  In our morning briefing the other day it was
stated that
>> >  everyone would have to have fixed IP addresses to do this (that part I
>> >  understand, since the restrictions are not to apply to
everyone) and we
>> >  would have to have a proxy server.
>> >
>> >  I actually don't know what a proxy server even is, but the IT director
>> >  said it's complicated.   So first of all, is it true that we
would need
>> >  a proxy server?   And secondly, if so, is it complicated?
>> >
>> >  Alternatively, is there any other way to do it?  We want to
leave people
>> >  like directors and IT with full internet access.   Most boxes have no
>> >  external IP address and a dynamic internal one.  The only ones with
>> >  fixed internal ones are people who pcAW in to their desktop, which for
>> >  all I know might only be me because when they set up an additional
>> >  desktop for me recently they left the internal address dynamic and I
>> >  couldn't get to it.
>
>

--- BBBS/NT v4.01 Flag-5