06-05-2007 07:58 AM - edited 02-21-2020 01:33 AM
We have recently had an internal problem with staff accessing certain 'social' websites within the office. My supervisor has asked me if we can easily block access to these types of sites using our current hardware. Is this possible or will we need to acquire another device?
Thanks.
06-05-2007 08:23 AM
You probably could but I wouldn't want to - waaaay too much work. Websense, SurfControl, 8e6 Technologies, St. Bernard Software - all make Web Access Control systems that do that. We have Websense (which is buying SurfControl, I think) and it works well, and I've used 8e6 and iPrism by St. Bernard - all work well, have relative pros and cons. All will do evals I'm sure. I think St. Bernard now has a "service" they offer to fully manage the system for you, intended for SMB.
HTH, please rate posts.
Paul
06-05-2007 03:03 PM
I agree with the previous poster. But if you only have a few of these 'social' sites, you could do it with your current PIX w/o too much administrative burden.
Use DNS (nslookup) to look up the IPs of the sites you want blocked, and create an ACL and apply it to the inside interface. You will have the burden yourself of making sure you keep the ACLs up to date.
Or...
If you have a Cisco IOS router through which all Internet-bound traffic passes, you can create a policy map and/or route-map using NBAR to match against a URL, and simply black hole/deny that traffic.
Here's a sample of 'Code Red' blocking using these methods:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#methodb
06-12-2007 07:34 AM
Yes, I only need to block a few. So to add these ACLs I would need to add to my config:
access-list 300 permit tcp any any eq 80
Then add these to deny access to facebook.com:
access-list 300 deny tcp 204.15.20.26 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.11 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.12 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.13 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.14 255.255.255.255 any eq 80
access-list 300 deny tcp 204.15.20.25 255.255.255.255 any eq 80
Then add this line to activate it:
access-group 300 in interface inside
I've not done this before so I don't want to screw it up. And thanks for your help.
06-12-2007 07:42 AM
You've got it reversed. Do you have an existing ACL on your inside interface?
access-list 300 deny tcp any 204.15.20.26 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.11 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.12 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.13 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.14 255.255.255.255 eq 80
access-list 300 deny tcp any 204.15.20.25 255.255.255.255 eq 80
access-list 300 permit ip any any
access-group 300 in interface inside
06-12-2007 08:04 AM
You are correct, I currently have no ACL on my inside interface. So what you supplied should work for me?
06-12-2007 08:08 AM
Yes, it will work as long as the access is HTTP only; add HTTPS if necessary, or just change it to ip.
access-list 300 deny ip any 204.15.20.26 255.255.255.255
access-list 300 deny ip any 69.63.176.11 255.255.255.255
access-list 300 deny ip any 69.63.176.12 255.255.255.255
access-list 300 deny ip any 69.63.176.13 255.255.255.255
access-list 300 deny ip any 69.63.176.14 255.255.255.255
access-list 300 deny ip any 204.15.20.25 255.255.255.255
access-list 300 permit ip any any
access-group 300 in interface inside
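As an added example (not code from the thread or from Cisco), a small Python script that turns a hostname-to-IP map into the deny-then-permit access-list shown above, keeping the site addresses in the destination slot that the thread corrected. SAMPLE_RESOLVED is constructed from the addresses quoted in the thread; resolve() assumes network access and stands in for the nslookup step.

```python
"""Generate PIX-style access-list lines for blocking a few sites from the
inside interface. Added example, not the thread's or Cisco's code."""
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional

# Constructed sample: the addresses quoted in the thread, as a DNS lookup of
# the day might have returned them. Such a list goes stale; regenerate it.
SAMPLE_RESOLVED: Dict[str, List[str]] = {
    "facebook.com": ["204.15.20.26", "69.63.176.11", "69.63.176.12",
                     "69.63.176.13", "69.63.176.14", "204.15.20.25"],
}


def resolve(hostnames: Iterable[str]) -> Dict[str, List[str]]:
    """Live DNS lookup (needs network); same shape as SAMPLE_RESOLVED."""
    out: Dict[str, List[str]] = {}
    for host in hostnames:
        _, _, addrs = socket.gethostbyname_ex(host)
        out[host] = sorted(set(addrs))
    return out


def pix_acl(resolved: Dict[str, List[str]], acl_id: int = 300,
            ports: Optional[Iterable[int]] = (80, 443),
            interface: str = "inside") -> List[str]:
    """Deny lines first, site address as *destination* (traffic leaving the
    inside interface has the user as source), then permit ip any any, then
    the access-group binding. ports=None denies all IP instead of TCP ports."""
    port_list = None if ports is None else list(ports)
    lines: List[str] = []
    for addrs in resolved.values():
        for addr in addrs:
            ip = ipaddress.IPv4Address(addr)  # reject garbage before it reaches the config
            if port_list is None:
                lines.append(f"access-list {acl_id} deny ip any {ip} 255.255.255.255")
            else:
                for port in port_list:
                    lines.append(f"access-list {acl_id} deny tcp any {ip} 255.255.255.255 eq {port}")
    lines.append(f"access-list {acl_id} permit ip any any")
    lines.append(f"access-group {acl_id} in interface {interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_acl(SAMPLE_RESOLVED, ports=None)))
```

Re-run the generator whenever the site's addresses change; the deny lines are only as current as the last lookup.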