Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Blocking access inside by domain

Hi,

I have a pix 535 and was wondering if there was a way to block access in to a particular website by domain such as .edu or .gov. Any help would be great. Thanks

11 REPLIES

Re: Blocking access inside by domain

If you are running version code 7.2.x and above you can block urls by domain using MPF, have a look here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

If code 6.x you would probably need 3rd party to realy fitering urls, have a look here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

New Member

Re: Blocking access inside by domain

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

New Member

Re: Blocking access inside by domain

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

Re: Blocking access inside by domain

Hello Stefanie,

To which users do you want to block these web domains?

Jorge's answer is on spot, can be applied in any way you want.

Regards

New Member

Re: Blocking access inside by domain

Hi.

For instance, let's say that I wanted to only allow .mil users access to my website. Can I use the document in question for ver. 7.2?

Thanks

Re: Blocking access inside by domain

I am not clear on "only allow .mil users access to my website"

So you have a webserver we are OK here, but what is a .mil user?

New Member

Re: Blocking access inside by domain

Someone on a .mil domain. Yes, we have several webservers, but wanted to only allow access to users coming from a certain domain name.

Re: Blocking access inside by domain

Stefanie,

Let me make a correction first on the logical design.

A connection attempt from a source can contain source IP, source MAC, source port, username&password (if implemented), flags (SYN, SYN+ACK etc). Source domain is not an option here. Yet, the only domain name that you can get while qureying an IP address to learn its domain will be the one assigned by the ISP (something random). Thats why source domain is not a criteria to match and apply restrictions on. Thats why you cant have a workaround with a third party in my opinion.

Regards

New Member

Re: Blocking access inside by domain

Now, i'm a little confused. I have a Sidewinder on another one of my networks, and I can select .gov or .mil as a source domain to access a webserver on my network. I am trying to do the same via my Pix 535. We are trying to lock down access to our websites from certain domains and I was trying to get it to work from the pix. So I don't want to block outgoing, but incoming, and without knowing every IP associated with the .gov domain, I was hoping for an easy way to do this.

Any help would be greatly appreciated.

Source (.gov) dest. (mywebsite) port (443)

Silver

Re: Blocking access inside by domain

Let me make it clear for you. Pix/ASA can not

do this. The domain features are available

on Sidewinder and Checkpoint firewalls but sadly

not available in Pix/ASA.

New Member

Re: Blocking access inside by domain

Got it!

Thanks for your help.

223
Views
0
Helpful
11
Replies
CreatePlease to create content