09-20-2005 11:38 AM - edited 03-09-2019 12:28 PM
We have a PIX 520 running 6.3.4 and want to block access to one particular web site for all users. Rather than investing in a proxy server, we were wondering if it was possible to do this via the PIX. I entered the command access-list outbound deny ip any host (the ip address) and then the command access-group outbound in interface outside. This did not work. Any ideas?
09-21-2005 05:27 AM
One note to expand on what was already discussed. Since you are running version 6.3(4), you can also use 'object groups' to create a list of all of your banned sites. This way you can add banned sites to the object group without having to change the access list each time you add a new site.
object-group network BANNED_SITES
network-object host x.x.x.x
network-object host y.y.y.y
network-object host z.z.z.z
access-list inside deny ip any object-group BANNED_SITES
access-list inside permit ip any any
access-group inside in interface inside
This method cuts down on lengthy access lists and makes administration and troubleshooting much easier. I have used this sort of list to block certain sites and networks for customers who choose not to use WebSense.
I understand that you only want to block one site at this point in time, but you never know what trouble users may cause in the future. ;)
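As an added illustration, not code from the thread or from Cisco, here is a small Python model of how the PIX evaluates the access-list above: entries are checked top down, the first match wins, and a list with no match ends in an implicit deny. It parses the object-group and access-list syntax from the post, expands the group, and also flags an entry that can never match because an earlier entry already covers it (the classic mistake of putting permit ip any any before the deny). It covers the "allow only a few sites" variant as well, which is the same mechanism with permit entries and the implicit deny doing the blocking. The addresses are constructed placeholders, and the model deliberately ignores interfaces and direction, so it only checks ordering and group expansion, not where the access-group is applied.

```python
"""Toy model of PIX 6.3 access-list evaluation with network object-groups.

Added example, not from the thread. Assumed semantics: first match wins,
no match means implicit deny. Interface direction is not modeled.
"""
import ipaddress
import shlex

# Constructed sample config modeled on the post (placeholder addresses).
BLOCKLIST_CONFIG = """
object-group network BANNED_SITES
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 198.51.100.0 255.255.255.0
access-list inside deny ip any object-group BANNED_SITES
access-list inside permit ip any any
"""

# Allowlist variant: permit a few destinations, implicit deny for everything else.
ALLOWLIST_CONFIG = """
object-group network ALLOWED_SITES
 network-object host 192.0.2.20
access-list inside permit ip any object-group ALLOWED_SITES
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_address(tokens, i, groups):
    """Parse one address operand at tokens[i]; return (networks, next index).

    Accepted forms: any | host A.B.C.D | object-group NAME | A.B.C.D MASK
    """
    tok = tokens[i]
    if tok == "any":
        return [ANY], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        name = tokens[i + 1]
        if name not in groups:
            raise ValueError(f"undefined object-group {name}")
        return list(groups[name]), i + 2
    # address followed by a dotted netmask, as PIX writes it
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_config(text):
    """Return ({acl_name: [(action, src_nets, dst_nets), ...]}, groups)."""
    groups, acls, current_group = {}, {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "network"]:
            current_group = groups.setdefault(tokens[2], [])
        elif tokens[0] == "network-object":
            if current_group is None:
                raise ValueError("network-object outside an object-group")
            nets, _ = _parse_address(tokens, 1, groups)
            current_group.extend(nets)
        elif tokens[0] == "access-list":
            current_group = None
            name, action, proto = tokens[1], tokens[2], tokens[3]
            if action not in ("permit", "deny") or proto != "ip":
                raise ValueError(f"unsupported entry: {raw.strip()}")
            src, i = _parse_address(tokens, 4, groups)
            dst, _ = _parse_address(tokens, i, groups)
            acls.setdefault(name, []).append((action, src, dst))
        else:
            raise ValueError(f"unrecognised line: {raw.strip()}")
    return acls, groups


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_nets, dst_nets in acl:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return "deny"


def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier entry covers them."""
    def covered(nets, earlier):
        return all(any(n.subnet_of(e) for e in earlier) for n in nets)

    return [
        i for i, (_, src, dst) in enumerate(acl)
        if any(covered(src, es) and covered(dst, ed) for _, es, ed in acl[:i])
    ]


if __name__ == "__main__":
    acls, _ = parse_config(BLOCKLIST_CONFIG)
    for dst in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(f"blocklist: 10.1.1.5 -> {dst}: {evaluate(acls['inside'], '10.1.1.5', dst)}")
    acls, _ = parse_config(ALLOWLIST_CONFIG)
    for dst in ("192.0.2.20", "203.0.113.5"):
        print(f"allowlist: 10.1.1.5 -> {dst}: {evaluate(acls['inside'], '10.1.1.5', dst)}")
```

The shadowing check is the part worth keeping around: if a permit ip any any ever ends up above the deny, the banned sites silently become reachable again, and nothing in the PIX output will tell you.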
09-20-2005 12:27 PM
A way to block just one particular web site would be something like this:
access-list inside deny ip any host 207.68.172.234
access-list inside permit ip any any
access-group inside in interface inside
This will block access to www.msn.com but will allow all other ip communication.
What exactly you want to do?
sincerely
Patrick
09-20-2005 12:41 PM
That is exactly what I want to do, only for some other web page. Thank you very much.
Craig
09-20-2005 08:25 PM
Another way is to manipulate the host file on the DNS server. E.g. if you want to block www.xxxxxxx.com, then add an entry to the DNS pointing to a private IP such as 10.10.10.10. The request will then be lost in space.
The catch is that an internal PC may point to a public DNS.
09-20-2005 08:44 PM
That's a question that comes back often in the Cisco forum.
:-)
sincerely
Patrick
09-22-2005 09:57 AM
On this same note, what if I wanted to block all sites except one or a few; could I use this command in that way? Also, is there a way to then give access to all sites using a username and password without investing in a WebSense server?
09-22-2005 11:30 AM
You could use the open-source Squid proxy instead of WebSense or N2H2.
Allow just your Squid server to leave on TCP ports 80, 443 and FTP. On the Squid server, allow the sites that you would like to be accessible. You can also use a local or remote authentication service for user authentication.
See:
http://squid.visolve.com/squid/index.htm
sincerely
Patrick