Blocking Websites using FWSM

Answered Question
Jun 28th, 2009

Hi everyone,

Can the FWSM be used to block specific websites? If yes, kindly send me the link so I can study it.

Appreciate your help. Thanks in advance.

regards,

Gagamboy

Correct Answer by Kureli Sankar about 7 years 7 months ago

The FWSM needs an ACL applied on all interfaces for traffic to flow.

It doesn't matter if you are using a proxy server. If you can resolve the name of the website to an IP address (hope that doesn't change) you can add a deny for this destination IP address on the FWSM interface that is facing the proxy server.

ex:

proxy ip 10.10.10.1--vlan10--FWSM---vlan20-Internet website (192.168.1.1)

I am using private addresses here:

You would add an ACE to the access-list applied on vlan10.

access-list vlan10-in deny tcp host 10.10.10.1 host 192.168.1.1 eq 80
access-list vlan10-in permit tcp host 10.10.10.1 any eq 80
access-group vlan10-in in interface vlan10

You are denying the flow and then permitting the rest.
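An added example, not part of the thread: a small first-match evaluator for the ACL above, written in Python, to show why the deny has to sit before the permit and that any flow neither line matches (here HTTPS on 443 to the same host) falls to the implicit deny at the end of the list. The sample ACL text is constructed from the answer; parse_acl and evaluate are hypothetical names, and only the host / any / address-mask forms are parsed.

```python
import ipaddress

# Constructed sample: the two ACEs from the answer above.
SAMPLE_ACL = """
access-list vlan10-in deny tcp host 10.10.10.1 host 192.168.1.1 eq 80
access-list vlan10-in permit tcp host 10.10.10.1 any eq 80
"""


def _addr(tokens):
    """Consume one address spec ('host A', 'any' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' lines, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        aces.append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                     "dport": port, "text": line.strip()})
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; a flow that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for dst, port in [("192.168.1.1", 80), ("203.0.113.10", 80), ("192.168.1.1", 443)]:
        print(dst, port, evaluate(acl, "tcp", "10.10.10.1", dst, port))
```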

gagamboy15 Sun, 06/28/2009 - 10:33

Thanks for the info Kusankar.

One question, I am using a proxy server, so how can I block specific URLs? I think it should be incoming via ACL or FWSM?

Sorry I didn't have much idea on FWSM. Thanks in advance.
