07-28-2008 01:22 AM - edited 03-11-2019 06:21 AM
Hi,
I have PIX 506E running IOS 6.3. My client can not afford to buy Websense or any web filtering software at the moment and he wants to block access to only three web sites at the moment.
Any ideas on how best to do this?
For example if my client wants to block access to the following web sites:
a.) www.yahoo.com with IP address 87.248.113.14
b.) www.google.com with IP address 66.249.93.99
and c.) www.monsterjobs.com with IP address 208.71.197.1
What will be the best way to block users from accessing these web sites on PIX 506E running IOS 6.3(5).
07-28-2008 01:44 AM
hi,
I don't think this is possible with ios 6.3.
Here is an example of blocking websites/url with MPF(Modular Policy Framework) on ios 7.2.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
Hope this helps.
07-28-2008 02:32 AM
inbound access-list on the inside interface...
you would have 3 deny statements to deny all ip traffic goign to those IP's (or just tcp/80) and then a permit ip any any at the end.
keep in mind, blocking IP's is less reliable than a true url-filtering solution.
07-28-2008 03:12 AM
Blocking with Access-lists will only help when the IP address for the webiste www.xyz.com is fixed.
But in case of a website like www.google.com there are various IP's which may not be feasible to block using access-lists.
07-29-2008 02:43 AM
Hi,
Thanks for your suggestions. I seem can't get my PIX to block access to those site. Find below my PIX config.
Is there anything missing?
testpix(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname testpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network web_servers
description Blocks access to Yahoo! web sites (yahoo.com & uk.yahoo.com)
network-object host 87.248.113.14
network-object host 217.146.186.51
access-list 101 permit tcp any host 192.168.241.45 eq 3389
access-list 101 permit tcp any host 192.168.241.45 eq www
access-list 101 permit tcp any host 192.168.241.45 eq 5800
access-list 101 permit tcp any host 192.168.241.45 eq https
access-list 101 deny tcp object-group web_servers 172.16.1.0 255.255.255.0 eq www
access-list 101 permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.241.45 255.255.255.0
ip address inside 172.16.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNClientsIPPool 192.168.254.1-192.168.254.254
pdm location 172.16.1.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.241.45 3389 172.16.1.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.241.45 www 172.16.1.1 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.241.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 172.16.1.1 l1verp00l timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.241.0 255.255.255.0 outside
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TestLab address-pool VPNClientsIPPool
vpngroup TestLab dns-server 127.0.0.1
vpngroup TestLab wins-server 127.0.0.1
vpngroup TestLab default-domain testlan.local
vpngroup TestLab idle-time 1800
vpngroup TestLab password ********
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: