Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Block users' access to websites


I have PIX 506E running IOS 6.3. My client can not afford to buy Websense or any web filtering software at the moment and he wants to block access to only three web sites at the moment.

Any ideas on how best to do this?

For example if my client wants to block access to the following web sites:

a.) with IP address

b.) with IP address

and c.) with IP address

What will be the best way to block users from accessing these web sites on PIX 506E running IOS 6.3(5).


Re: Block users' access to websites


I don't think this is possible with ios 6.3.

Here is an example of blocking websites/url with MPF(Modular Policy Framework) on ios 7.2.

Hope this helps.


Re: Block users' access to websites

inbound access-list on the inside interface...

you would have 3 deny statements to deny all ip traffic goign to those IP's (or just tcp/80) and then a permit ip any any at the end.

keep in mind, blocking IP's is less reliable than a true url-filtering solution.

Re: Block users' access to websites

Blocking with Access-lists will only help when the IP address for the webiste is fixed.

But in case of a website like there are various IP's which may not be feasible to block using access-lists.

New Member

Re: Block users' access to websites


Thanks for your suggestions. I seem can't get my PIX to block access to those site. Find below my PIX config.

Is there anything missing?

testpix(config)# sh run

: Saved


PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname testpix


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


object-group network web_servers

description Blocks access to Yahoo! web sites ( &

network-object host

network-object host

access-list 101 permit tcp any host eq 3389

access-list 101 permit tcp any host eq www

access-list 101 permit tcp any host eq 5800

access-list 101 permit tcp any host eq https

access-list 101 deny tcp object-group web_servers eq www

access-list 101 permit ip any any

access-list inside_outbound_nat0_acl permit ip any

access-list outside_cryptomap_dyn_20 permit ip any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNClientsIPPool

pdm location inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0 0

static (inside,outside) tcp 3389 3389 netmask 0 0

static (inside,outside) tcp www www netmask 0 0

access-group 101 in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host l1verp00l timeout 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http outside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication TACACS+

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup TestLab address-pool VPNClientsIPPool

vpngroup TestLab dns-server

vpngroup TestLab wins-server

vpngroup TestLab default-domain testlan.local

vpngroup TestLab idle-time 1800

vpngroup TestLab password ********