PIX and Dynamic Caching Server

Unanswered Question
Dec 27th, 2005

Hello all,


I am fairly new to the PIX admin team but have what seems to be a strange problem. Our PIXs are set up to perform an explicit deny to all WWW traffic from our retail stores minus exceptions. We had a rule to allow our pharmacies to visit The Center for Disease Control (www.cdc.gov) but over the last few weeks the rule no longer works. If you perform a lookup on www.cdc.gov, it responds with a DCS address (*.mirror-image.net). How can I create a rule on the PIX using this information which will allow http traffic to www.cdc.gov?

jackko Tue, 12/27/2005 - 15:25

Without third-party web filter software, such as Websense, the PIX can only filter the traffic by IP address.


I did an nslookup:


Name: prpx.service.mirror-image.net

Address: 128.242.107.120

Aliases: www.cdc.gov



I guess the ACL should look like:

access-list outbound permit tcp any host 128.242.107.120 eq 80

access-list outbound deny tcp any any eq 80

access-list outbound
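The ACL above is the whole story as far as the PIX is concerned: it matches on addresses, not names, so a permit for www.cdc.gov is really a permit for whatever the CDN (mirror-image.net) happens to resolve the name to on the day the rule was written. The following is an added example, not code from the thread or from Cisco: it generates the ACL jackko sketched from a set of resolved addresses, then audits that ACL against a later resolution so you can see both failure modes at once. Entries that DNS no longer returns are dead rules that only widen the allowed set; addresses DNS now returns that the ACL does not permit are exactly the original poster's symptom. The ACL name `outbound` and the address 128.242.107.120 come from the thread; the second DNS snapshot is a constructed, hypothetical rotation, and `resolve_live` is a convenience wrapper around the standard library resolver that the offline run never calls.

```python
"""Generate and audit IP-based PIX ACL entries for a CDN-hosted hostname.

Added example, not from the original forum thread. The PIX only matches
on IP addresses, so the permit for www.cdc.gov has to be written against
the addresses the name resolves to right now and re-checked whenever the
CDN rotates them.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Set

ACL_NAME = "outbound"   # ACL name used in jackko's reply
PORT = 80

# Constructed DNS snapshots. The first address is the one quoted in the
# thread; the second snapshot is hypothetical and only illustrates a CDN
# handing out different edge addresses a couple of weeks later.
SNAPSHOTS: Dict[str, Set[str]] = {
    "2005-12-27": {"128.242.107.120"},
    "2006-01-10": {"128.242.107.121", "128.242.107.122"},
}


def resolve_live(hostname: str) -> Set[str]:
    """Current A records for hostname (needs network; not used by the test)."""
    _canonical, _aliases, addrs = socket.gethostbyname_ex(hostname)
    return set(addrs)


def build_acl(addresses: Iterable[str], acl_name: str = ACL_NAME,
              port: int = PORT) -> List[str]:
    """One permit line per IPv4 address, then the catch-all deny.

    Addresses are sorted so two runs over the same set give identical
    config, which makes config diffs meaningful. PIX ACLs are first-match,
    so the deny must stay last: a permit appended after it never matches.
    """
    v4 = [a for a in addresses if ipaddress.ip_address(a).version == 4]
    lines = [f"access-list {acl_name} permit tcp any host {ip} eq {port}"
             for ip in sorted(v4, key=ipaddress.ip_address)]
    lines.append(f"access-list {acl_name} deny tcp any any eq {port}")
    return lines


def permitted_hosts(acl_lines: Iterable[str], acl_name: str = ACL_NAME,
                    port: int = PORT) -> Set[str]:
    """Parse back the single-host addresses an ACL permits on the port.

    Only the exact 'permit tcp any host X eq PORT' shape generated above is
    recognised; anything else (network ranges, other ports) is ignored.
    """
    hosts: Set[str] = set()
    for line in acl_lines:
        p = line.split()
        if (len(p) == 9 and p[0] == "access-list" and p[1] == acl_name
                and p[2] == "permit" and p[3] == "tcp" and p[4] == "any"
                and p[5] == "host" and p[7] == "eq" and p[8] == str(port)):
            hosts.add(p[6])
    return hosts


def audit(acl_lines: Iterable[str], current: Iterable[str]) -> Dict[str, Set[str]]:
    """Compare what the ACL permits with what the name resolves to now.

    'stale'   = permitted but no longer in DNS: a dead rule that keeps a
                hole open to an address the CDN may hand to someone else.
    'missing' = in DNS but not permitted: the store gets a deny, which is
                the symptom described in the original question.
    """
    permitted = permitted_hosts(acl_lines)
    now = set(current)
    return {"stale": permitted - now, "missing": now - permitted}


if __name__ == "__main__":
    acl = build_acl(SNAPSHOTS["2005-12-27"])
    print("ACL written on 2005-12-27:")
    print("\n".join(acl))
    for day, addrs in SNAPSHOTS.items():
        print(f"\naudit against DNS as of {day}: {audit(acl, addrs)}")
    print("\nrebuilt ACL for 2006-01-10:")
    print("\n".join(build_acl(SNAPSHOTS["2006-01-10"])))
```

When the audit reports anything under `missing` or `stale`, regenerate the whole ACL with `build_acl` rather than appending single lines: on the PIX a new `access-list` line goes to the end of the list, after the deny, where it is never reached. Running the audit on a schedule with `resolve_live` turns the silent breakage in the thread into an alert, but it does not remove the underlying problem that the CDN's addresses are shared with other customers and can change at any time.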

robert.leon Wed, 12/28/2005 - 07:59

There lies the problem...


While the lookup returns that IP, the DCS does not necessarily respond and forward the HTTP request. I figured as much that we'd have to use a content filtering solution such as Websense or Fortinet.


Thanks for the response Jackko


