cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
636
Views
0
Helpful
11
Replies

Blocking access inside by domain

techiegrl
Level 1
Level 1

Hi,

I have a pix 535 and was wondering if there was a way to block access in to a particular website by domain such as .edu or .gov. Any help would be great. Thanks

11 Replies 11

JORGE RODRIGUEZ
Level 10
Level 10

If you are running version code 7.2.x and above you can block urls by domain using MPF, have a look here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

If code 6.x you would probably need 3rd party to realy fitering urls, have a look here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Jorge Rodriguez

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

Hello Stefanie,

To which users do you want to block these web domains?

Jorge's answer is on spot, can be applied in any way you want.

Regards

Hi.

For instance, let's say that I wanted to only allow .mil users access to my website. Can I use the document in question for ver. 7.2?

Thanks

I am not clear on "only allow .mil users access to my website"

So you have a webserver we are OK here, but what is a .mil user?

Someone on a .mil domain. Yes, we have several webservers, but wanted to only allow access to users coming from a certain domain name.

Stefanie,

Let me make a correction first on the logical design.

A connection attempt from a source can contain source IP, source MAC, source port, username&password (if implemented), flags (SYN, SYN+ACK etc). Source domain is not an option here. Yet, the only domain name that you can get while qureying an IP address to learn its domain will be the one assigned by the ISP (something random). Thats why source domain is not a criteria to match and apply restrictions on. Thats why you cant have a workaround with a third party in my opinion.

Regards

Now, i'm a little confused. I have a Sidewinder on another one of my networks, and I can select .gov or .mil as a source domain to access a webserver on my network. I am trying to do the same via my Pix 535. We are trying to lock down access to our websites from certain domains and I was trying to get it to work from the pix. So I don't want to block outgoing, but incoming, and without knowing every IP associated with the .gov domain, I was hoping for an easy way to do this.

Any help would be greatly appreciated.

Source (.gov) dest. (mywebsite) port (443)

Let me make it clear for you. Pix/ASA can not

do this. The domain features are available

on Sidewinder and Checkpoint firewalls but sadly

not available in Pix/ASA.

Got it!

Thanks for your help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: