Cisco Support Community
Community Member

Blocking one web site

Have a PIX 520 running 6.3.4. We want to block access to one particular web site for all users. Rather than investing in a proxy server, we were wondering if it was possible to do this via the PIX. Entered the command access-list outbound deny ip any host (the ip address) and then the command access-group outbound in interface outside. This did not work. Any ideas?

1 ACCEPTED SOLUTION

Community Member

Re: Blocking one web site

One note to expand on what was already discussed. Since you are running version 6.3(4), you can also use 'object groups' to create a list of all of your banned sites. This way you can add banned sites to the object group without having to change the access list each time you add a new site.

object-group network BANNED_SITES
  network-object host x.x.x.x
  network-object host y.y.y.y
  network-object host z.z.z.z

access-list inside deny ip any object-group BANNED_SITES
access-list inside permit ip any any
access-group inside in interface inside

This method cuts down on lengthy access lists and makes administration and troubleshooting much easier. I have used this sort of list to block certain sites and networks for customers who choose not to use WebSense.

I understand that you only want to block one site at this point in time, but you never know what trouble users may cause in the future. ;)
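Added example, not part of the original thread: a simplified Python model of first-match access-list evaluation, comparing the accepted configuration with the original attempt bound to the outside interface and with the two entries in reverse order. The addresses are constructed documentation-range stand-ins for the x.x.x.x placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data standing in for the x.x.x.x / y.y.y.y / z.z.z.z
# placeholders in the post (documentation address ranges).
OBJECT_GROUPS = {"BANNED_SITES": ["203.0.113.10", "203.0.113.20", "198.51.100.7"]}

def expand(spec):
    """Turn 'any', a host address or an object-group name into networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(m) for m in OBJECT_GROUPS.get(spec, [spec])]

def first_match(acl, src, dst):
    """Return the action of the first matching entry; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if any(s in n for n in expand(src_spec)) and \
           any(d in n for n in expand(dst_spec)):
            return action
    return "deny"  # implicit deny at the end of every access list

def outbound_allowed(bindings, src, dst):
    """Decide a new connection from an inside host to an Internet host.

    The packet enters the firewall on the inside interface, so only an
    access list bound 'in interface inside' is consulted. Simplification:
    with no access list bound there, outbound traffic is permitted.
    """
    acl = bindings.get("inside")
    return True if acl is None else first_match(acl, src, dst) == "permit"

# Accepted solution: deny the group, then permit the rest, bound to inside.
ANSWER = {"inside": [("deny", "any", "BANNED_SITES"),
                     ("permit", "any", "any")]}
# Original attempt: the deny entry bound inbound on the outside interface.
ATTEMPT = {"outside": [("deny", "any", "203.0.113.10")]}
# Same entries as the accepted solution, in the wrong order.
REVERSED = {"inside": [("permit", "any", "any"),
                       ("deny", "any", "BANNED_SITES")]}

if __name__ == "__main__":
    pc = "192.168.1.50"  # constructed inside host
    for name, cfg in (("answer", ANSWER), ("attempt", ATTEMPT),
                      ("reversed", REVERSED)):
        print(name, "banned site reachable:",
              outbound_allowed(cfg, pc, "203.0.113.10"))
```

Only the accepted configuration stops the connection. Dropping the final permit entry would block every destination, because an unmatched packet falls through to the implicit deny.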

7 REPLIES

Re: Blocking one web site

A way to block just one particular web site would be something like this:

access-list inside deny ip any host 207.68.172.234
access-list inside permit ip any any
access-group inside in interface inside

This will block access to www.msn.com but will allow all other IP communication.

What exactly do you want to do?

Sincerely,

Patrick

Community Member

Re: Blocking one web site

That is exactly what I want to do, only to some other web page. Thank you much.

Craig

Gold

Re: Blocking one web site

Another way is to manipulate the host file on the DNS server. E.g., if you want to block www.xxxxxxx.com, then add an entry to the DNS pointing to a private IP such as 10.10.10.10. The request will then be lost in space.

The catch is that an internal PC may point to a public DNS.

Re: Blocking one web site

That's a question that comes back often in the Cisco forum.

:-)

Click on Rate this Post to help identify the most useful NetPro content.

Sincerely,

Patrick

Community Member

Re: Blocking one web site

On this same note: what if I wanted to block all sites except one or a few? Could I use this command in that way? Also, is there a way to then give access to all sites using a username and password without investing in a WebSense server?

Re: Blocking one web site

You could use the open-source Squid proxy instead of WebSense or N2H2.

Allow just your Squid server to go out to TCP ports 80 and 443 and FTP. On the Squid server, allow the sites that you would like to be accessible. You can also use a local or remote authentication service for the user authentication.

See:

http://www.squid-cache.org/

http://squid.visolve.com/squid/index.htm

Sincerely,

Patrick
