Blocking Websites using FWSM

Answered Question
Jun 28th, 2009

Hi everyone,


Can the FWSM be used to block specific websites? If yes, kindly send me the link so I can study it.


Appreciate your help. Thanks in advance.


regards,

Gagamboy

Correct Answer by Kureli Sankar about 7 years 11 months ago

The FWSM needs an ACL applied on all interfaces for traffic to flow.

It doesn't matter if you are using a proxy server. If you can resolve the name of the website to an IP address (hope that doesn't change) you can add a deny for this destination IP address on the FWSM interface that is facing the proxy server.

ex:

proxy ip 10.10.10.1--vlan10--FWSM---vlan20-Internet website (192.168.1.1)

I am using private addresses here:

you would add an acl to the access-list applied on vlan10.

! deny the proxy's HTTP flow to the one website
access-list vlan10-in deny tcp host 10.10.10.1 host 192.168.1.1 eq 80
! then permit the proxy's HTTP flows to everything else
access-list vlan10-in permit tcp host 10.10.10.1 any eq 80

! apply the list inbound on the proxy-facing interface
access-group vlan10-in in interface vlan10

You are denying the flow and then permitting the rest.
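To see why the order of those two entries matters, and what the implicit deny at the end of every FWSM access-list does to traffic the permit line does not cover, here is a small first-match ACL evaluator. It is an added illustration, not code from the thread or from Cisco; it parses only the host/any and "eq PORT" syntax used above, and 203.0.113.5 is a made-up "some other website" address.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two entries from the post, in the order given.
ACL_TEXT = """
access-list vlan10-in deny tcp host 10.10.10.1 host 192.168.1.1 eq 80
access-list vlan10-in permit tcp host 10.10.10.1 any eq 80
"""

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # "any" or a single host address
    dst: str
    dport: Optional[int]   # None when no "eq PORT" clause is present

def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of ACE syntax used in the post (host/any, optional 'eq PORT')."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        assert tok[0] == "access-list", line
        _, _name, action, proto, *rest = tok
        src, rest = (rest[1], rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
        dst, rest = (rest[1], rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and (ace.dport is None or ace.dport == dport))

def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation; a flow matching no entry hits the implicit deny."""
    for ace in aces:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every FWSM access-list

if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    for flow in [("tcp", "10.10.10.1", "192.168.1.1", 80),   # blocked site
                 ("tcp", "10.10.10.1", "203.0.113.5", 80),   # any other site
                 ("tcp", "10.10.10.1", "203.0.113.5", 443)]: # not covered by the permit
        print(flow, "->", evaluate(aces, *flow))
    print("reversed order ->", evaluate(list(reversed(aces)), "tcp", "10.10.10.1", "192.168.1.1", 80))
```

The last line shows the failure mode: with the permit placed first, the deny is never reached and the site is allowed; the 443 case shows that a permit limited to "eq 80" leaves HTTPS from the proxy to the implicit deny.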



gagamboy15 Sun, 06/28/2009 - 10:33

Thanks for the info Kusankar.

One question, I am using a proxy server, so how can I block specific URLs? I think it should be incoming via ACL or FWSM?

Sorry I didn't have much idea on FWSM. Thanks in advance.
