I need to limit a group of my customers' customer service reps to be able to access just one web site. My problem is I can't get a reliable IP address from this site and have been unable to speak with anyone within their IT dept. that can give me an accurate IP address to apply to my ACL to limit the end users to accessing this site. I'm pretty sure I can't, but wanted to double check to see if I could use the actual domain name of the site instead of the IP address? Any thoughts? Suggestions? Thanks.
You can only block by IP with a PIX. Blocking by IP may block more than one site though, as many sites can live on one IP address.
To filter by domain name and website content at the PIX, you would need to go with N2H2 or Websense configured in conjunction with the PIX.
You might be better off trying to lock down your CSRs' web browsers. If you are using IE, you can custom craft an IE deployment.
Thanks, but that won't work since they are using a proxy server that won't allow you to grab the IP address for the site. I did speak with someone from Unite Health and they change what the IP address is, so even if they were willing to give out that info I would have to change it whenever they did. I guess we're going to have to look into Websense and possibly run a Cisco Content Engine along with it to effectively manage the URLs we want blocked, etc.
You do not need to purchase any other service for this, just use the following code. The logic of this is that it will block from host x.x.x.x to www.sco.com from inside to outside.
object-group network WWW
network-object host www.sco.com
access-list acl_out permit tcp host x.x.x.x object-group WWW eq 80
access-group acl_out in interface inside
I think you need PIX code 6.3 for this to work, maybe 6.3(3); hope this helps. Oh, make sure your PIX is properly set up to resolve the hostnames (DNS).
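Because the PIX only ever matches on addresses, the object-group in the post above is only as current as the last lookup of the hostname, and the original poster has already noted that the site's address changes. The following is an added example, not code from the thread or from Cisco, that shows the defender-side workflow this implies: compare two resolver runs, report which addresses were added or removed, and regenerate the object-group and ACL lines in the syntax the post uses. The hostname, the addresses, and the source host 10.0.0.5 are constructed placeholders; a real deployment would feed it the output of a scheduled DNS lookup and push the lines through the usual change process.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

AddrMap = Dict[str, Set[str]]

# Constructed sample resolver results (documentation-range addresses, not any
# real site); in practice these come from an out-of-band lookup run on a schedule.
RESOLVED_TODAY: AddrMap = {"www.example-site.invalid": {"192.0.2.10", "192.0.2.11"}}
RESOLVED_YESTERDAY: AddrMap = {"www.example-site.invalid": {"192.0.2.10", "198.51.100.7"}}


def build_pix_config(group: str, addrs: Set[str], src_host: str,
                     port: int = 80, acl: str = "acl_out",
                     iface: str = "inside") -> List[str]:
    """Return PIX 6.3-style lines restricting src_host to the addresses in addrs.

    Every address is validated as an IPv4 literal before it is placed in the
    object-group, so a stray hostname or typo from the resolver never reaches
    the firewall configuration.
    """
    for a in addrs:
        ipaddress.IPv4Address(a)  # raises ValueError on anything that is not IPv4
    lines = [f"object-group network {group}"]
    for a in sorted(addrs, key=ipaddress.IPv4Address):
        lines.append(f" network-object host {a}")
    lines.append(f"access-list {acl} permit tcp host {src_host} object-group {group} eq {port}")
    # Explicit deny for the restricted host only; other inside hosts keep
    # whatever permits the rest of the ACL grants them (hypothetical policy).
    lines.append(f"access-list {acl} deny ip host {src_host} any")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


def address_changes(old: AddrMap, new: AddrMap) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per hostname, return (added, removed) addresses between two resolver runs.

    A non-empty result means the object-group on the PIX is stale and must be
    regenerated; an empty dict means nothing changed and nothing needs pushing.
    """
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for host in set(old) | set(new):
        added = new.get(host, set()) - old.get(host, set())
        removed = old.get(host, set()) - new.get(host, set())
        if added or removed:
            changes[host] = (added, removed)
    return changes


if __name__ == "__main__":
    delta = address_changes(RESOLVED_YESTERDAY, RESOLVED_TODAY)
    if delta:
        for host, (added, removed) in delta.items():
            print(f"! {host}: added {sorted(added)}, removed {sorted(removed)}")
        print("\n".join(build_pix_config("WWW", RESOLVED_TODAY["www.example-site.invalid"], "10.0.0.5")))
    else:
        print("! no address change; ACL still current")
```

The change report is the useful part: it tells an administrator when the address-based rule has silently drifted away from the site it was meant to cover, which is exactly the failure mode the thread is wrestling with. Sorting the addresses keeps the generated lines stable between runs so that a plain text diff of the output shows only real changes.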
You have to filter by IP. If you deploy a stand-alone piece of hardware running Websense (for example), you could then have that box filter by URL. If you're using just the PIX for filtering, it will only filter by IP.
If you're going to look into web content filtering, I would consider an iPrism made by St. Bernard. It is very easy to configure and very cost effective, cheaper than any other products that I found, around $2200. With the iPrism, you can block any site that you want or you can also block any protocol. It just plugs in between your inside network and your inside interface on your firewall. No configuration on your PIX. For more info go to http://www.stbernard.com/products/iprism/products_iprism.asp
Thanks, I looked at their prezo online. Looks interesting. How long have you been using it? Any latency issues with this running? We are all Cisco and I imagine that they were smart enough to make sure that this is compatible with a Cisco environment, but just want to get more info on it if possible. Thanks.
I'm sure you know this already, but I just had to double check. If this is the only outbound ACL you have, ensure you have a permit ip any any after the deny.