Cisco Support Community
New Member

Restricting URLs with PIX-501

I have a range of 4-5 IP addresses that I need to restrict web access to all but two web sites. How would I do this? Thanks.

4 REPLIES
New Member

Re: Restricting URLs with PIX-501

First of all, you will need the IP addresses of those two websites. Use the nslookup command; sometimes there can be more than one IP per website, see the example with Cisco and IBM. Then you can use object groups to create network objects that allow only the IP addresses in the group access to certain websites.

Example:

nslookup www.cisco.com
Name: www.cisco.com
Address: 198.133.219.25

nslookup www.ibm.com
Name: www.ibm.com
Addresses: 129.42.16.99, 129.42.17.99, 129.42.18.99, 129.42.19.99

pix# config t
pix(config)# object-group network WEBSITES
pix(config-network)# network-object host 198.133.219.25
pix(config-network)# network-object host 129.42.16.99
pix(config-network)# network-object host 129.42.17.99
pix(config-network)# network-object host 129.42.18.99
pix(config-network)# network-object host 129.42.19.99
pix(config-network)# exit
pix(config)# object-group network HOSTS
pix(config-network)# network-object host 10.10.10.1
pix(config-network)# network-object host 10.10.10.2
pix(config-network)# network-object host 10.10.10.3
pix(config-network)# network-object host 10.10.10.4
pix(config-network)# network-object host 10.10.10.5
pix(config-network)# exit
pix(config)# access-list ACL_IN permit tcp object-group HOSTS object-group WEBSITES eq 80
pix(config)# access-list ACL_IN deny tcp object-group HOSTS any
pix(config)# access-group ACL_IN in interface inside
pix(config)# wr mem

This allows all IPs that are in the object group named "HOSTS" to access only the websites in the group named "WEBSITES" via port 80 (www).
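A small model of the object groups and access list from the reply above, added here as an illustration and not the poster's configuration or anything the PIX itself produces: it renders the equivalent configuration lines and evaluates sample flows against the list, first match wins, with the implicit deny that every access-list applied to an interface ends in. The destination addresses not in the reply (192.0.2.53, 203.0.113.5) are constructed documentation addresses.

```python
import ipaddress
from typing import NamedTuple, Optional

# Object groups transcribed from the reply above (constructed data model, not PIX output).
NETWORK_GROUPS = {
    "WEBSITES": {"198.133.219.25", "129.42.16.99", "129.42.17.99",
                 "129.42.18.99", "129.42.19.99"},
    "HOSTS": {f"10.10.10.{i}" for i in range(1, 6)},
}

class Ace(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    src: str              # object-group name or "any"
    dst: str              # object-group name or "any"
    dport: Optional[int]  # None means any destination port

ACL_IN = [
    Ace("permit", "tcp", "HOSTS", "WEBSITES", 80),
    Ace("deny", "tcp", "HOSTS", "any", None),
]

def _matches(spec, ip):
    return spec == "any" or ip in NETWORK_GROUPS[spec]

def _ref(spec):
    return spec if spec == "any" else f"object-group {spec}"

def evaluate(acl, proto, src, dst, dport):
    # First matching ACE wins; an access-list applied to an interface ends in an implicit deny.
    for n, ace in enumerate(acl, 1):
        if (ace.proto in ("ip", proto) and _matches(ace.src, src)
                and _matches(ace.dst, dst) and ace.dport in (None, dport)):
            return ace.action, f"ACE {n}"
    return "deny", "implicit deny"

def render(name, acl, interface="inside"):
    # Emit the PIX configuration lines that this model stands for.
    lines = []
    for group, members in NETWORK_GROUPS.items():
        lines.append(f"object-group network {group}")
        lines += [f" network-object host {ip}"
                  for ip in sorted(members, key=ipaddress.ip_address)]
    for ace in acl:
        port = f" eq {ace.dport}" if ace.dport is not None else ""
        lines.append(f"access-list {name} {ace.action} {ace.proto} "
                     f"{_ref(ace.src)} {_ref(ace.dst)}{port}")
    lines.append(f"access-group {name} in interface {interface}")
    return lines
```

Running evaluate() over a few flows shows that a host in HOSTS reaching a WEBSITES address on port 80 is permitted and the same host on any other TCP destination or port hits the explicit deny, while non-TCP traffic from HOSTS (for example DNS) and any traffic from an inside address outside HOSTS fall to the implicit deny, since the two ACEs never mention them.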

New Member

Re: Restricting URLs with PIX-501

What are the required commands to delete these groups if I need to make changes?

New Member

Re: Restricting URLs with PIX-501

Is there any way to allow access to an entire domain rather than individual IP addresses?

New Member

Re: Restricting URLs with PIX-501

Not with the access list.

You may want to try filtering URLs with an Internet filtering server, Websense or N2H2:

Websense Enterprise web filtering application—Supported by PIX Firewall Version 5.3 or higher

Filtering by N2H2 for IFP-enabled devices—Supported by PIX Firewall Version 6.2 or higher

For more information:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1016390

Also:

http://www.websense.com/

http://www.n2h2.com/
