New Member

Blocking Websites using FWSM

Hi everyone,

Can the FWSM be used to block specific websites? If yes, kindly send me the link so I can study it.

Appreciate your help. Thanks in advance.

regards,

Gagamboy

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Blocking Websites using FWSM

The FWSM needs an ACL applied on all interfaces for traffic to flow.

It doesn't matter if you are using a proxy server. If you can resolve the name of the website to an IP address (hope that doesn't change), you can add a deny for this destination IP address on the FWSM interface that is facing the proxy server.

ex:

proxy ip 10.10.10.1--vlan10--FWSM---vlan20-Internet website (192.168.1.1)

I am using private addresses here:

You would add an ACL to the access-list applied on vlan10.

access-list vlan10-in deny tcp host 10.10.10.1 host 192.168.1.1 eq 80

access-list vlan10-in permit tcp host 10.10.10.1 any eq 80

access-group vlan10-in in interface vlan10

You are denying the flow and then permitting the rest.
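
An added example, not part of the original post: a Python sketch that builds the deny-then-permit entries from the answer for a site that resolves to more than one address, and evaluates them first-match, the way the ACL is processed. The addresses 192.168.1.2 and 192.168.1.3 are constructed, and `build_acl` and `evaluate` are hypothetical helper names.

```python
import ipaddress

PROXY = "10.10.10.1"  # proxy address from the post
ACL = "vlan10-in"     # ACL name from the post

def build_acl(blocked_ips, proxy=PROXY, acl=ACL):
    """One deny per resolved site address, then the permit for the rest."""
    # Validate (raises ValueError on a bad address) and de-duplicate.
    ips = sorted({ipaddress.IPv4Address(ip) for ip in blocked_ips})
    lines = [f"access-list {acl} deny tcp host {proxy} host {ip} eq 80"
             for ip in ips]
    lines.append(f"access-list {acl} permit tcp host {proxy} any eq 80")
    return lines

def evaluate(lines, src, dst, port=80):
    """First-match evaluation of the two entry forms built above."""
    for line in lines:
        tok = line.split()
        # access-list NAME ACTION tcp host SRC (host DST | any) eq PORT
        action, ace_src = tok[2], tok[5]
        if tok[6] == "host":
            ace_dst, ace_port = tok[7], int(tok[9])
        else:
            ace_dst, ace_port = None, int(tok[8])
        if src == ace_src and port == ace_port and ace_dst in (None, dst):
            return action
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed resolver output: the site answers on two addresses.
    acl = build_acl(["192.168.1.1", "192.168.1.2", "192.168.1.1"])
    print("\n".join(acl))
    for dst in ("192.168.1.1", "192.168.1.2", "192.168.1.3"):
        print(dst, evaluate(acl, PROXY, dst))
    # Same entries with the permit first: the denies are never reached.
    print("permit first:", evaluate(acl[::-1], PROXY, "192.168.1.1"))
```

The run shows 192.168.1.3 permitted: an address the site moves to stays reachable until the ACL is rebuilt from a fresh lookup, which is the "hope that doesn't change" caveat in the answer.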

3 REPLIES
Cisco Employee

Re: Blocking Websites using FWSM

Yes, it can, if you know the IP address, via an ACL. Besides that, if you want to block based on content, then you need Websense or N2H2.

You can read here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/filter_f.html#wp1042319

New Member

Re: Blocking Websites using FWSM

Thanks for the info Kusankar.

One question: I am using a proxy server, so how can I block specific URLs? I think it should be incoming via ACL or FWSM?

Sorry, I didn't have much idea on FWSM. Thanks in advance.
