We have recently had an internal problem with staff accessing certain 'social' websites within the office. My supervisor has asked me if we can easily block access to these types of sites using our current hardware. Is this possible or will we need to acquire another device?
Yes, it will work as long as the access is HTTP only; add HTTPS if necessary, or just change it to IP.
access-list 300 deny ip any 184.108.40.206 255.255.255.255
access-list 300 deny ip any 220.127.116.11 255.255.255.255
access-list 300 deny ip any 18.104.22.168 255.255.255.255
access-list 300 deny ip any 22.214.171.124 255.255.255.255
access-list 300 deny ip any 126.96.36.199 255.255.255.255
access-list 300 deny ip any 188.8.131.52 255.255.255.255
access-list 300 permit ip any any
access-group 300 in interface inside
I agree with the previous poster. But if you only have a few of these 'social' sites, you could do it with your current PIX w/o too much administrative burden.
Use DNS (nslookup) to look up the IPs of the sites you want blocked, and create an ACL and apply it to the inside interface. You will have the burden yourself of making sure you keep the ACLs up to date.
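One way to generate the ACL the two answers above describe and to check it against fresh DNS results, as an added Python example (not code from the thread). The hostnames and addresses are constructed placeholders, and the nslookup step is represented by a fixed mapping rather than a live query, so it runs offline:

```python
"""Generate PIX-style access-list lines from a host -> IP mapping and
report which entries have gone stale.

Added example, not from the original thread. Hostnames and addresses below
are constructed placeholders; in practice the mapping would come from DNS
lookups (nslookup/dig) as the answer above describes.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample: what resolving each blocked site name returned today.
# Sites often resolve to several addresses and change them over time, which
# is why the ACL has to be regenerated and compared periodically.
RESOLVED: Dict[str, List[str]] = {
    "social-site-a.example": ["192.0.2.10", "192.0.2.11"],
    "social-site-b.example": ["198.51.100.20"],
}

# Constructed sample of what is currently configured on the firewall.
CURRENT_ACL: List[str] = [
    "access-list 300 deny ip any 192.0.2.10 255.255.255.255",
    "access-list 300 deny tcp any host 203.0.113.5 eq www",
    "access-list 300 permit ip any any",
]

ACL_ID = 300
WEB_PORTS = ("www", "https")  # port names usable in an 'eq' clause

# Matches a deny entry written either as 'host X' or as 'X 255.255.255.255'.
DENY_RE = re.compile(
    r"^access-list\s+\d+\s+deny\s+\S+\s+any\s+"
    r"(?:host\s+(?P<h>\S+)|(?P<m>\S+)\s+255\.255\.255\.255)"
)


def deny_lines(resolved: Dict[str, List[str]], acl_id: int = ACL_ID,
               web_only: bool = True) -> List[str]:
    """Build one deny entry per resolved address.

    web_only=True restricts the block to TCP 80/443 (the 'http only, add
    https' case in the first answer); web_only=False denies all IP traffic
    to the host, as the posted ACL does.
    """
    lines: List[str] = []
    for addrs in resolved.values():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)  # rejects malformed input early
            if ip.version != 4:
                continue  # this ACL syntax covers IPv4 only
            if web_only:
                for port in WEB_PORTS:
                    lines.append(
                        f"access-list {acl_id} deny tcp any host {ip} eq {port}")
            else:
                lines.append(f"access-list {acl_id} deny ip any host {ip}")
    return lines


def full_acl(resolved: Dict[str, List[str]], acl_id: int = ACL_ID,
             web_only: bool = True, interface: str = "inside") -> List[str]:
    """Deny entries, the closing permit, and the access-group binding."""
    return deny_lines(resolved, acl_id, web_only) + [
        f"access-list {acl_id} permit ip any any",
        f"access-group {acl_id} in interface {interface}",
    ]


def stale_entries(current_acl: Iterable[str],
                  resolved: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compare deny entries on the box against fresh resolutions.

    'add' lists resolved addresses with no deny entry yet; 'remove' lists
    addresses still denied that no blocked site resolves to any more. This
    is the upkeep the second answer warns you will have to carry yourself.
    """
    on_box = set()
    for line in current_acl:
        m = DENY_RE.match(line.strip())
        if m:
            on_box.add(m.group("h") or m.group("m"))
    wanted = {a for addrs in resolved.values() for a in addrs}
    return {"add": sorted(wanted - on_box), "remove": sorted(on_box - wanted)}


if __name__ == "__main__":
    print("\n".join(full_acl(RESOLVED, web_only=False)))
    print(stale_entries(CURRENT_ACL, RESOLVED))
```

Run it periodically against fresh lookups and push only the `add`/`remove` differences; regenerating the whole list each time is simpler, but the diff output makes it obvious when a site has moved to new addresses and the block has silently stopped working.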
If you have a Cisco IOS router through which all Internet-bound traffic passes, you can create a policy map and/or route-map using NBAR to match against a URL, and simply black hole/deny that traffic.
Here's a sample of 'Code Red' blocking using these methods: