Allowing an application to go direct rather than using the proxy

I was faced with a problem the other day, where a user wanted to use an application from one of our remote offices. This particular application requires internet access in order to authenticate the license. Due to our setup, we do not allow users internet access locally from the office. I first tried to edit the proxy.pac to allow the application to go direct, which didn’t work. I then realised that a hole had to be made in the firewall in order to allow the application to go directly through the firewall.

So if you want to do this on a Cisco PIX, it can be done easily from the command line in configuration mode. I will use Google Earth as the example, because its external hosts are well documented:

Step 1: Create a new object group:
object-group network GoogleEarth

Step 2: Add a description to the object group (this and Step 3 are sub-commands, entered while still inside the object group):
description Google Earth Hosts

Step 3: Add a network object for each destination IP the application needs to reach directly (a host mask of 255.255.255.255 keeps each entry to a single address):
network-object 64.233.183.190 255.255.255.255
network-object 64.233.183.93 255.255.255.255
network-object 64.233.183.91 255.255.255.255
network-object 64.233.183.136 255.255.255.255
network-object 65.87.18.132 255.255.255.255
network-object 65.87.18.134 255.255.255.255

Step 4: Add an ACL entry that permits traffic to the object group. Note that this line permits every TCP port from any inside host to those addresses; if only one workstation needs the licence check, it is better to name that host as the source and restrict the destination port. The entry only takes effect if the inside_access_in list is bound to the inside interface with access-group (PDM names and binds the list this way by default, so check that it already is), and ACL entries are evaluated in order, with new ones appended at the end, so an earlier deny in the same list will shadow it:
access-list inside_access_in remark Unrestricted outbound access to Google Earth
access-list inside_access_in permit tcp any object-group GoogleEarth

Step 5: Add a pdm location entry for each IP address listed in Step 3, stating which interface the address lives on. These lines are bookkeeping for the PIX Device Manager (PDM) GUI so that it can display the hosts and the group correctly; they do not change what traffic the firewall permits:
pdm location 64.233.183.190 255.255.255.255 outside
pdm location 64.233.183.93 255.255.255.255 outside
pdm location 64.233.183.91 255.255.255.255 outside
pdm location 64.233.183.136 255.255.255.255 outside
pdm location 65.87.18.132 255.255.255.255 outside
pdm location 65.87.18.134 255.255.255.255 outside
pdm group GoogleEarth outside
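Here are the five steps put together as they would be pasted into the PIX, with the ACL tightened to the single workstation and the two web ports the licence check needs, and the list explicitly bound to the inside interface. This is an added example, not the configuration from the original post: it assumes PIX 6.x software, an inside interface named inside, and a hypothetical workstation address of 192.168.10.25; the Google Earth destination addresses are the ones listed above.

```cisco
: Added example (not the original post's config). Assumes PIX 6.x, an interface
: named "inside", and a hypothetical workstation at 192.168.10.25.
: Lines beginning with ":" are comments and are not saved.
object-group network GoogleEarth
  description Google Earth Hosts
  network-object 64.233.183.190 255.255.255.255
  network-object 64.233.183.93 255.255.255.255
  network-object 64.233.183.91 255.255.255.255
  network-object 64.233.183.136 255.255.255.255
  network-object 65.87.18.132 255.255.255.255
  network-object 65.87.18.134 255.255.255.255
: Permit only the licensing workstation, and only HTTP/HTTPS, instead of
: "any" source and every TCP port.
access-list inside_access_in remark Google Earth licensing, direct rather than via proxy
access-list inside_access_in permit tcp host 192.168.10.25 object-group GoogleEarth eq www
access-list inside_access_in permit tcp host 192.168.10.25 object-group GoogleEarth eq https
: The list does nothing until it is bound to the interface. PDM binds it
: under this name by default; re-issuing the command is harmless.
access-group inside_access_in in interface inside
: PDM bookkeeping so the GUI can display the hosts; no effect on filtering.
pdm location 64.233.183.190 255.255.255.255 outside
pdm location 64.233.183.93 255.255.255.255 outside
pdm location 64.233.183.91 255.255.255.255 outside
pdm location 64.233.183.136 255.255.255.255 outside
pdm location 65.87.18.132 255.255.255.255 outside
pdm location 65.87.18.134 255.255.255.255 outside
pdm group GoogleEarth outside
```

After pasting, run the licence check from the workstation and then `show access-list inside_access_in`: the hit count (hitcnt) on the two new permit lines should increase. If it stays at zero, an earlier entry in the same list is matching first, because entries are evaluated top to bottom and new ones are appended at the end. Because the destination addresses are hard-coded, the hole stays open for whoever later holds those addresses, so it is worth re-checking the list periodically and removing entries the application no longer needs.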

If you use a proxy.pac, don’t forget to set the following Google Earth external hosts to go direct, otherwise the client will still send the requests to the proxy:
http://kh.google.com/
http://geo.keyhole.com/
http://auth.keyhole.com/

There isn’t much documentation on configuring the Cisco PIX, so I hope this helps someone!
