Blocking one web site

bonvechioc
Level 1

Have a PIX 520 running 6.3.4; we want to block access to one particular web site for all users. Rather than investing in a proxy server, we were wondering if it was possible to do this via the PIX. Entered the command access-list outbound deny ip any host (the ip address) and then the command access-group outbound in interface outside. This did not work. Any ideas?


7 Replies

Patrick Iseli
Level 7

A way to block just one particular web site would be something like this:

access-list inside deny ip any host 207.68.172.234

access-list inside permit ip any any

access-group inside in interface inside

This will block access to www.msn.com but will allow all other IP communication.

What exactly do you want to do?

sincerely

Patrick

That is exactly what I want to do, only for some other web page. Thank you much.

Craig

Another way is to manipulate the host file on the DNS server. E.g. if you want to block www.xxxxxxx.com, then add an entry to the DNS pointing to a private IP such as 10.10.10.10. The request will then be lost in space.

The catch is that internal PCs may point to a public DNS.

That's a question that comes back often in the Cisco forum.

:-)


sincerely

Patrick

pwicks
Level 1 (Accepted Solution)

One note to expand on what was already discussed. Since you are running version 6.3(4), you can also use 'object groups' to create a list of all of your banned sites. This way you can add banned sites to the object group without having to change the access list each time you add a new site.

object-group network BANNED_SITES

network-object host x.x.x.x

network-object host y.y.y.y

network-object host z.z.z.z

access-list inside deny ip any object-group BANNED_SITES

access-list inside permit ip any any

access-group inside in interface inside

This method cuts down on lengthy access lists and makes administration and troubleshooting much easier. I have used these sort of lists to block certain sites and networks for customers who choose not to use WebSense.

I understand that you only want to block one site at this point in time, but you never know what trouble users may cause in the future. ;)
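To make the difference between the poster's single-deny list and the accepted answer's deny-then-permit list concrete, here is an added example (not from the original thread) that models PIX first-match ACL evaluation with the implicit deny-all at the end of every list and expands an object-group the way the firewall does. The group members (203.0.113.x) and the inside host 10.0.0.5 are constructed placeholders; interface direction is not modelled, the lists are simply evaluated as if bound to the inside interface.

```python
import ipaddress

# Constructed stand-in for the page's object group (x.x.x.x placeholders).
OBJECT_GROUPS = {"BANNED_SITES": ["203.0.113.10", "203.0.113.11"]}


def parse_ace(line, groups=OBJECT_GROUPS):
    """Parse 'access-list NAME (permit|deny) ip SRC DST' into a rule dict.
    SRC/DST may be 'any', 'host A.B.C.D' or 'object-group NAME'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("only 'access-list NAME action ip ...' is supported")
    name, action = tok[1], tok[2]
    fields, i = [], 4
    while i < len(tok):
        if tok[i] == "any":
            fields.append(["0.0.0.0/0"]); i += 1
        elif tok[i] == "host":
            fields.append([tok[i + 1] + "/32"]); i += 2
        elif tok[i] == "object-group":  # expand the group to its hosts
            fields.append([h + "/32" for h in groups[tok[i + 1]]]); i += 2
        else:
            raise ValueError("unsupported token: " + tok[i])
    src, dst = fields
    return {"name": name, "action": action, "src": src, "dst": dst}


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if any(s in ipaddress.ip_network(n) for n in ace["src"]) and \
           any(d in ipaddress.ip_network(n) for n in ace["dst"]):
            return ace["action"]
    return "deny"  # implicit deny at the end of every PIX access list


# The poster's list: one deny and nothing else, so everything is denied.
ORIGINAL = [parse_ace("access-list outbound deny ip any host 203.0.113.10")]

# The accepted answer's list: deny the group, then permit all other traffic.
CORRECTED = [parse_ace(l) for l in (
    "access-list inside deny ip any object-group BANNED_SITES",
    "access-list inside permit ip any any",
)]

if __name__ == "__main__":
    for acl, label in ((ORIGINAL, "original"), (CORRECTED, "corrected")):
        for dst in ("203.0.113.10", "198.51.100.7"):
            print(label, "10.0.0.5 ->", dst, "=", evaluate(acl, "10.0.0.5", dst))
```

Run as-is it prints that the original list denies both the banned host and an unrelated destination, while the corrected list denies only the group members and permits the rest.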

On this same note: what if I wanted to block all sites except one or a few? Could I use this command in that way? Also, is there a way to then give access to all sites using a username and password without investing in a WebSense server?

You could use the open-source Squid proxy instead of WebSense or N2H2.

Allow just your Squid server to go out on TCP ports 80, 443 and FTP. On the Squid server, allow the sites that you would like to be accessible. You can also use a local or remote authentication service for the user authentication.

See:

http://www.squid-cache.org/

http://squid.visolve.com/squid/index.htm

sincerely

Patrick