Block users' access to websites

a.ajiboye · ‎07-28-2008

Hi,

I have PIX 506E running IOS 6.3. My client can not afford to buy Websense or any web filtering software at the moment and he wants to block access to only three web sites at the moment.

Any ideas on how best to do this?

For example if my client wants to block access to the following web sites:

a.) www.yahoo.com with IP address 87.248.113.14

b.) www.google.com with IP address 66.249.93.99

and c.) www.monsterjobs.com with IP address 208.71.197.1

What will be the best way to block users from accessing these web sites on PIX 506E running IOS 6.3(5).

dhananjoy chowdhury · ‎07-28-2008

hi,

I don't think this is possible with ios 6.3.

Here is an example of blocking websites/url with MPF(Modular Policy Framework) on ios 7.2.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

Hope this helps.

srue · ‎07-28-2008

inbound access-list on the inside interface...

you would have 3 deny statements to deny all ip traffic goign to those IP's (or just tcp/80) and then a permit ip any any at the end.

keep in mind, blocking IP's is less reliable than a true url-filtering solution.

dhananjoy chowdhury · ‎07-28-2008

Blocking with Access-lists will only help when the IP address for the webiste www.xyz.com is fixed.

But in case of a website like www.google.com there are various IP's which may not be feasible to block using access-lists.

a.ajiboye · ‎07-29-2008

Hi,

Thanks for your suggestions. I seem can't get my PIX to block access to those site. Find below my PIX config.

Is there anything missing?

testpix(config)# sh run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname testpix

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group network web_servers

description Blocks access to Yahoo! web sites (yahoo.com & uk.yahoo.com)

network-object host 87.248.113.14

network-object host 217.146.186.51

access-list 101 permit tcp any host 192.168.241.45 eq 3389

access-list 101 permit tcp any host 192.168.241.45 eq www

access-list 101 permit tcp any host 192.168.241.45 eq 5800

access-list 101 permit tcp any host 192.168.241.45 eq https

access-list 101 deny tcp object-group web_servers 172.16.1.0 255.255.255.0 eq www

access-list 101 permit ip any any

access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.241.45 255.255.255.0

ip address inside 172.16.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNClientsIPPool 192.168.254.1-192.168.254.254

pdm location 172.16.1.1 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 192.168.241.45 3389 172.16.1.1 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.241.45 www 172.16.1.1 www netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.241.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 172.16.1.1 l1verp00l timeout 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.241.0 255.255.255.0 outside

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication TACACS+

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup TestLab address-pool VPNClientsIPPool

vpngroup TestLab dns-server 127.0.0.1

vpngroup TestLab wins-server 127.0.0.1

vpngroup TestLab default-domain testlan.local

vpngroup TestLab idle-time 1800

vpngroup TestLab password ********