From: Ellen K. 

Wow, thanks for the very clear explanation.   (Except I don't know what
"private IP addressing" means.)

So this does require a "proxy server".   Is that software that we buy?
Or does it mean how you configure that particular box?   Or is it
another type of device?

There are only a couple of addresses we want to let the users get to, I
wouldn't see a problem configuring rules for them.

But I think it could be a big problem to start over with the IP addresses
as you are suggesting... I know for example that a lot of our servers have
addresses in the 10's, and some people program to those IP addresses.


On Mon, 28 Mar 2005 08:03:17 -0800, Chris  wrote in
message :

>Having managed a network behind a Pix 515 and a Pix 515e, I do know what
>you are talking about.  There is an easy solution to the internet
>access, IF you want to block ALL internet access for those users.  Let
>me explain, with the following assumptions:
>
>1) You are using private IP addressing
>2) Your managers are using a different IP subnet than the users who
>should not have "unrestricted" access.
>
>Here is how I might try it (based on the assumptions and information I
>have):
>
>Management all uses addresses in the 192.168.1.0/24 subnet (253 possible
>addresses for use)
>The "Users" (those with restricted internet access) are on 10.0.0.0/24.
>
>Have a proxy server at 192.168.1.2.
>On the firewall, enable the filters (called Access Control Lists, or
>ACLs) to PERMIT unrestricted access on the internal port I to the
>external port E from the source address range of 192.168.1.0/24
>(255.255.255.0).
>Add ACL rules to the firewall that DENY any internet access from the IP
>range 10.0.0.0/24 (255.255.255.0).  Force their browsers to look to the
>proxy on 192.168.1.2 for internet access.  IF there is a specific site
>that you don't mind them going to and you know the IP address, you CAN
>create rules to permit that traffic as well, but a proxy server sounds
>like a better solution for a large number of users, otherwise you will
>be forever editing those ACLs.
>
>Does this help?  If you want more info, please email me at
>NOchris{at}SPk7sle.AMcom.  Take out the capital letters from the email address.
>
>/Chris
>
>Ellen K. wrote:
>> OK, I'm starting to get it.  So a "proxy server" can be
all software?
>>
>> Well, the reason the two cases seemed similar to me is that they both
>> require the firewall to know more than IP addresses.   But it does seem
>> like having to know who is trying to access you is harder than knowing
>> whom to access.
>>
>> No idea whether pix provides a proxy and maybe the guy in charge of it
>> doesn't know either, he was the one who said the internal IP addresses
>> would have to be fixed.   I do know that it lets you configure rules on
>> a port-by-port basis which can be IP-address-based and/or time-based, I
>> found that out when I was researching our FTP practices.
>>
>> On Sun, 27 Mar 2005 17:40:30 -0800, "Rich" 
wrote in message
>> :
>>
>>
>>>  The proxy server is what enforces the rules on what can or can not be
accessed.  How you do this depends on the proxy server used.  Whatever
component knows about internal IP addresses would know about users instead.
>>>
>>>  Using static IP for the proxy is more like the reverse of the
pcaw issue.
For pcaw you want to be able to access this machine from your client
system. For the proxy, it doesn't want to access the internal machines. 
They access it.  It would use this information to apply its machine access
rules.
>>>
>>>  I don't know pix other than that it is a firewall.  Does it provide a
proxy too?
>>>
>>>Rich
>>>
>>> "Ellen K."
 wrote in message
news:cdme41h26mnfona6m5sttd6huae03q9mvr{at}4ax.com...
>>> Where does the authentication happen then?   Does the firewall have to
>>> know who all the users are?    Do you feel up to explaining in simple
>>> terms what a proxy server is?
>>>
>>> Re the pcAW, it sounds similar to what you are saying about the other
>>> question, i.e. if the firewall knows the machines by name, it doesn't
>>> have to know their internal IP address.   Is that correct?   This
>>> similarilty leads me to question whether maybe our firewall -- or the
>>> person in charge of it -- only knows how to deal with IP addresses.  It
>>> is a Pix firewall.
>>>
>>> On Sun, 27 Mar 2005 17:01:53 -0800, "Rich" 
wrote in message
>>> :
>>>
>>> >   I agree with the proxy though not the fixed address.  Use proxy
authentication so that the rules apply to users and not the computers.
>>> >
>>> >   You shouldn't need a fixed internal IP for pcAW unless
this is a pcAW
restriction.  As long as you have dynamic DNS or similar internal name
resolution you should be able to use a dynamic address.  Just refer to the
machine by name instead of IP.
>>> >
>>> >Rich
>>> >
>>> >  "Ellen K."
 wrote in message
news:frie411ubovd2ghdv5f67hdqd2rdcd22vq{at}4ax.com...
>>> >  Not my area of responsibility but I always like to help if I can:
>>> >  We want to restrict the rank-and-file users to a few
allowed sites like
>>> >  FedEx and UPS.  In our morning briefing the other day it
was stated that
>>> >  everyone would have to have fixed IP addresses to do
this (that part I
>>> >  understand, since the restrictions are not to apply to
everyone) and we
>>> >  would have to have a proxy server.
>>> >
>>> >  I actually don't know what a proxy server even is, but
the IT director
>>> >  said it's complicated.   So first of all, is it true
that we would need
>>> >  a proxy server?   And secondly, if so, is it complicated?
>>> >
>>> >  Alternatively, is there any other way to do it?  We want
to leave people
>>> >  like directors and IT with full internet access.   Most
boxes have no
>>> >  external IP address and a dynamic internal one.  The
only ones with
>>> >  fixed internal ones are people who pcAW in to their
desktop, which for
>>> >  all I know might only be me because when they set up an additional
>>> >  desktop for me recently they left the internal address
dynamic and I
>>> >  couldn't get to it.
>>
>>

--- BBBS/NT v4.01 Flag-5