Blocking access inside by domain

Unanswered Question
Nov 17th, 2008
User Badges:

Hi,


I have a pix 535 and was wondering if there was a way to block access in to a particular website by domain such as .edu or .gov. Any help would be great. Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Mon, 11/17/2008 - 17:57
User Badges:
  • Green, 3000 points or more

If you are running version code 7.2.x and above you can block urls by domain using MPF, have a look here.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml


If code 6.x you would probably need 3rd party to realy fitering urls, have a look here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml



techiegrl Tue, 11/18/2008 - 09:28
User Badges:

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?


Thanks

techiegrl Tue, 11/18/2008 - 09:53
User Badges:

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?


Thanks

husycisco Tue, 11/18/2008 - 10:07
User Badges:
  • Gold, 750 points or more

Hello Stefanie,

To which users do you want to block these web domains?

Jorge's answer is on spot, can be applied in any way you want.


Regards

techiegrl Tue, 11/18/2008 - 10:09
User Badges:

Hi.


For instance, let's say that I wanted to only allow .mil users access to my website. Can I use the document in question for ver. 7.2?


Thanks

husycisco Tue, 11/18/2008 - 10:14
User Badges:
  • Gold, 750 points or more

I am not clear on "only allow .mil users access to my website"

So you have a webserver we are OK here, but what is a .mil user?

techiegrl Tue, 11/18/2008 - 10:16
User Badges:

Someone on a .mil domain. Yes, we have several webservers, but wanted to only allow access to users coming from a certain domain name.

husycisco Tue, 11/18/2008 - 10:46
User Badges:
  • Gold, 750 points or more

Stefanie,

Let me make a correction first on the logical design.

A connection attempt from a source can contain source IP, source MAC, source port, username&password (if implemented), flags (SYN, SYN+ACK etc). Source domain is not an option here. Yet, the only domain name that you can get while qureying an IP address to learn its domain will be the one assigned by the ISP (something random). Thats why source domain is not a criteria to match and apply restrictions on. Thats why you cant have a workaround with a third party in my opinion.


Regards

techiegrl Tue, 11/18/2008 - 13:53
User Badges:

Now, i'm a little confused. I have a Sidewinder on another one of my networks, and I can select .gov or .mil as a source domain to access a webserver on my network. I am trying to do the same via my Pix 535. We are trying to lock down access to our websites from certain domains and I was trying to get it to work from the pix. So I don't want to block outgoing, but incoming, and without knowing every IP associated with the .gov domain, I was hoping for an easy way to do this.


Any help would be greatly appreciated.


Source (.gov) dest. (mywebsite) port (443)

cisco24x7 Tue, 11/18/2008 - 14:02
User Badges:
  • Silver, 250 points or more

Let me make it clear for you. Pix/ASA can not

do this. The domain features are available

on Sidewinder and Checkpoint firewalls but sadly

not available in Pix/ASA.

Actions

This Discussion