06-28-2009 08:38 AM - edited 03-12-2019 05:59 PM
Hi everyone,
Can the FWSM be used to block specific websites? If yes, kindly send me the link so I can study it.
Appreciate your help. Thanks in advance.
regards,
Gagamboy
06-28-2009 09:56 AM
Yes, it can, if you know the IP address, via an ACL. Besides that, if you want to block based on content, you need Websense or N2H2.
You can read here:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/filter_f.html#wp1042319
06-28-2009 10:33 AM
Thanks for the info Kusankar.
One question: I am using a proxy server, so how can I block specific URLs? I think it should be incoming via ACL or FWSM?
Sorry, I didn't have much idea about FWSM. Thanks in advance.
06-28-2009 03:46 PM
The FWSM needs an ACL applied on all interfaces for traffic to flow.
It doesn't matter if you are using a proxy server. If you can resolve the name of the website to an IP address (hope that doesn't change), you can add a deny for this destination IP address on the FWSM interface that is facing the proxy server.
ex:
proxy ip 10.10.10.1--vlan10--FWSM---vlan20-Internet website (192.168.1.1)
I am using private addresses here:
You would add an ACL to the access-list applied on vlan10.
access-list vlan10-in deny tcp host 10.10.10.1 host 192.168.1.1 eq 80
access-list vlan10-in permit tcp host 10.10.10.1 any eq 80
access-group vlan10-in in interface vlan10
You are denying the flow and then permitting the rest.
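As an added example (not code from the original thread or from Cisco), the following Python generates the ACL from the answer above and goes one step beyond its single-address case: it emits one deny per address a blocked site resolves to, emulates the FWSM's first-match evaluation so the ordering of the deny and permit lines can be checked before the ACL is pushed, and flags sites whose resolved addresses have drifted since the ACL was written (the "hope that doesn't change" caveat). The function names, the hostname blocked.example and the address data are assumptions constructed for the example; the ACL syntax is the one used in the answer.

```python
"""Build and sanity-check the FWSM ACL from the accepted answer.

Added example, not code from the original thread or from Cisco. Assumptions:
  * FWSM ACL syntax as used in the answer:
      access-list NAME deny|permit tcp host SRC host DST eq PORT
      access-list NAME permit tcp host SRC any eq PORT
      access-group NAME in interface IFACE
  * the addresses a blocked site resolves to are supplied as a mapping
    hostname -> addresses; SNAPSHOT below is constructed sample data using the
    thread's private addresses, resolve_all() shows how to fetch them live.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional

PROTO = "tcp"


def resolve_all(hostname: str) -> List[str]:
    """Every IPv4 address the resolver currently returns (needs network access)."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return sorted(set(addrs), key=ipaddress.IPv4Address)


def build_block_acl(acl_name: str, iface: str, proxy_ip: str,
                    blocked: Dict[str, Iterable[str]], port: int = 80) -> List[str]:
    """Deny proxy -> every address of each blocked site, then permit proxy -> any.

    The FWSM evaluates ACEs top-down and stops at the first match, so all
    deny lines must come before the general permit; a site with several
    A records needs one deny per address.
    """
    ipaddress.IPv4Address(proxy_ip)  # raises ValueError on a bad address
    lines: List[str] = []
    for host, addrs in sorted(blocked.items()):
        lines.append(f"access-list {acl_name} remark block {host}")
        for addr in sorted(set(addrs), key=ipaddress.IPv4Address):
            lines.append(f"access-list {acl_name} deny {PROTO} "
                         f"host {proxy_ip} host {addr} eq {port}")
    lines.append(f"access-list {acl_name} permit {PROTO} host {proxy_ip} any eq {port}")
    lines.append(f"access-group {acl_name} in interface {iface}")
    return lines


def first_match(lines: List[str], src: str, dst: str, port: int) -> Optional[str]:
    """Emulate first-match evaluation of the ACE shapes build_block_acl emits.

    Returns 'deny', 'permit', or None for the FWSM's implicit deny at the end.
    """
    for line in lines:
        parts = line.split()
        if len(parts) < 9 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, tokens = parts[2], parts[3:]
        if tokens[:2] != [PROTO, "host"]:
            continue
        ace_src, rest = tokens[2], tokens[3:]
        if rest[0] == "any":
            dst_ok, rest = True, rest[1:]
        else:                      # "host DST"
            dst_ok, rest = rest[1] == dst, rest[2:]
        if ace_src == src and dst_ok and rest == ["eq", str(port)]:
            return action
    return None


def changed_hosts(snapshot: Dict[str, Iterable[str]],
                  current: Dict[str, Iterable[str]]) -> List[str]:
    """Sites whose resolved addresses differ from those the ACL was built from.

    A deny on a stale address silently stops blocking, so re-resolve on a
    schedule and regenerate the ACL for any host returned here.
    """
    return sorted(h for h in current if set(current[h]) != set(snapshot.get(h, ())))


# Constructed sample data: the thread's proxy and a site with two A records.
PROXY_IP = "10.10.10.1"
SNAPSHOT = {"blocked.example": ["192.168.1.1", "192.168.1.2"]}
ACL = build_block_acl("vlan10-in", "vlan10", PROXY_IP, SNAPSHOT)

if __name__ == "__main__":
    print("\n".join(ACL))
    print(first_match(ACL, PROXY_IP, "192.168.1.1", 80))   # deny
    print(first_match(ACL, PROXY_IP, "203.0.113.9", 80))   # permit
    print(first_match(ACL, PROXY_IP, "192.168.1.1", 443))  # None: implicit deny
    # The site moved to a new address after the ACL was written:
    print(changed_hosts(SNAPSHOT, {"blocked.example": ["192.168.1.1", "192.168.1.3"]}))
```

Two things the emulation makes visible that the two-line ACL does not: the deny only covers port 80, so HTTPS to the same site falls through to the implicit deny rather than to the permit (add a matching permit or deny for 443 if the proxy also forwards HTTPS), and swapping the permit above the deny lets the blocked site through, which is why `first_match` is worth running on the generated lines before applying them.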