
PIX 515E: Blocking access to external websites

cbonthron
Level 1

We have recently had an internal problem with staff accessing certain 'social' websites within the office. My supervisor has asked me if we can easily block access to these types of sites using our current hardware. Is this possible or will we need to acquire another device?

Thanks.


6 Replies

PAUL TRIVINO
Level 3

You probably could but I wouldn't want to - waaaay too much work. Websense, SurfControl, 8e6 Technologies, St. Bernard Software - all make Web Access Control systems that do that. We have Websense (which is buying SurfControl, I think) and it works well, and I've used 8e6 and iPrism by St. Bernard - all work well, have relative pros and cons. All will do evals I'm sure. I think St. Bernard now has a "service" they offer to fully manage the system for you, intended for SMB.

HTH please rate posts.

Paul

I agree with the previous poster. But if you only have a few of these 'social' sites, you could do it with your current PIX w/o too much administrative burden.

Use DNS (nslookup) to look up the IPs of the sites you want blocked, and create an ACL and apply to the inside interface. You will have the burden yourself of making sure you keep the ACLs up to date.

or...

if you have a Cisco IOS router through which all Internet bound traffic passes, you can create a policy map and/or route-map using nbar to match against a URL, and simply black hole/deny that traffic.

here's a sample of 'code red' blocking using these methods:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#methodb

Yes, I only need to block a few. So to add these ACLs I would need to add to my config:

access-list 300 permit tcp any any eq 80

Then add these to deny access to facebook.com:

access-list 300 deny tcp 204.15.20.26 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.11 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.12 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.13 255.255.255.255 any eq 80
access-list 300 deny tcp 69.63.176.14 255.255.255.255 any eq 80
access-list 300 deny tcp 204.15.20.25 255.255.255.255 any eq 80

Then add this line to activate it:

access-group 300 in interface inside

I've not done this before so I don't want to screw it up. And thanks for your help.

You've got it reversed. Do you have an existing acl on your inside interface?

access-list 300 deny tcp any 204.15.20.26 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.11 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.12 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.13 255.255.255.255 eq 80
access-list 300 deny tcp any 69.63.176.14 255.255.255.255 eq 80
access-list 300 deny tcp any 204.15.20.25 255.255.255.255 eq 80
access-list 300 permit ip any any
access-group 300 in interface inside

You are correct, I currently have no acl on my inside interface. So what you supplied should work for me?

Yes, it will work as long as the access is HTTP only; add HTTPS if necessary, or just change it to ip.

access-list 300 deny ip any 204.15.20.26 255.255.255.255
access-list 300 deny ip any 69.63.176.11 255.255.255.255
access-list 300 deny ip any 69.63.176.12 255.255.255.255
access-list 300 deny ip any 69.63.176.13 255.255.255.255
access-list 300 deny ip any 69.63.176.14 255.255.255.255
access-list 300 deny ip any 204.15.20.25 255.255.255.255
access-list 300 permit ip any any
access-group 300 in interface inside
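The point the thread turns on (source and destination swapped, and the permit placed before the denies) is easy to check before the config touches a firewall. The following is an added example, not code from the thread or from Cisco: it generates the ACL the accepted answer describes from a table of resolved addresses, also builds the reversed first draft, and runs a single packet through each with first-match semantics. The RESOLVED table is a constructed stand-in for the nslookup step (documentation-range addresses, not real sites) so the script runs offline; the inside address 10.0.0.5 is likewise made up.

```python
"""Build a PIX 6.x-style blocking ACL from resolved addresses and evaluate it.

Added example, not code from the thread. The RESOLVED table is a constructed
stand-in for the nslookup step so the script runs offline; the addresses are
documentation ranges, not real sites.
"""
import ipaddress

# Constructed: what nslookup might have returned for two hypothetical sites.
RESOLVED = {
    "social.example": ["203.0.113.10", "203.0.113.11"],
    "other.example": ["198.51.100.5"],
}


def build_acl(blocked, acl_id=300, ports=()):
    """Return the ACL the accepted answer describes, in the right order and
    direction for an ACL applied 'in' on the inside interface: the inside host
    is the source, the blocked site is the destination, denies come first, and
    a final 'permit ip any any' keeps everything else working.

    ports=() denies all IP to the site; ports=(80, 443) denies only HTTP/HTTPS.
    """
    lines = []
    for host, addrs in blocked.items():
        for addr in addrs:
            ipaddress.ip_address(addr)  # raises on a typo before it reaches a firewall
            # PIX ACLs take a real netmask (255.255.255.255 = one host), not an IOS wildcard.
            if not ports:
                lines.append(f"access-list {acl_id} deny ip any {addr} 255.255.255.255")
            for port in ports:
                lines.append(f"access-list {acl_id} deny tcp any {addr} 255.255.255.255 eq {port}")
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines


def thread_attempt(blocked, acl_id=300):
    """The first draft posted in the thread: permit before deny, and the site
    address in the source position. Kept here only so evaluate() can show why
    it does not block anything."""
    lines = [f"access-list {acl_id} permit tcp any any eq 80"]
    for addrs in blocked.values():
        for addr in addrs:
            lines.append(f"access-list {acl_id} deny tcp {addr} 255.255.255.255 any eq 80")
    return lines


def parse_ace(line):
    """Parse 'access-list <id> <action> <proto> <src> [mask] <dst> [mask] [eq <port>]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    action, proto = tok[2], tok[3]
    pos = 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        net = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False)
        pos += 2
        return net

    src, dst = take_addr(), take_addr()
    port = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First-match evaluation of one packet against the ACL; returns 'permit' or 'deny'.
    Like the PIX, an ACL with no matching entry ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"


if __name__ == "__main__":
    inside_host = "10.0.0.5"  # constructed inside address
    for label, acl in (("accepted answer", build_acl(RESOLVED)),
                       ("thread's first draft", thread_attempt(RESOLVED))):
        print(f"--- {label} ---")
        print("\n".join(acl))
        print("access-group 300 in interface inside")
        print("web request to blocked site:", evaluate(acl, inside_host, "203.0.113.10", "tcp", 80))
        print("web request elsewhere:      ", evaluate(acl, inside_host, "192.0.2.1", "tcp", 443))
```

Running it shows the two failure modes the replies point out: the first draft permits the request to the blocked site (its `permit tcp any any eq 80` matches first) and, because of the implicit deny at the end, also drops ordinary HTTPS browsing. With `ports=(80, 443)` the generated ACL illustrates the last reply's caveat: only those ports are denied, and any other traffic to the same address is still permitted, which is why "just change it to ip" is the simpler choice.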
