Cisco Support Community

New Member

URL filtering

I need to limit a group of my customer's customer service reps to be able to access just one web site. My problem is I can't get a reliable IP address from this site and have been unable to speak with anyone within their IT dept. that can give me an accurate IP address to apply to my ACL to limit the end users to access this site. I'm pretty sure I can't, but wanted to double check to see if I could use the actual domain name of the site instead of the IP address? Any thoughts? Suggestions? Thanks.

Steve

11 REPLIES
Silver

Re: URL filtering

You can only block by IP with a PIX. Blocking by IP may block more than one site though, as many sites can live on one IP address.

To filter by domain name and website content at the PIX, you would need to go with N2H2 or Websense configured in conjunction with the PIX.

You might be better off trying to lock down your CSRs' web browsers. If you are using IE, you can custom craft an IE deployment.

Anonymous
N/A

Re: URL filtering

I would do an nslookup on the URL and use the resulting IP addresses in my ACL.

New Member

Re: URL filtering

Thanks, but that won't work since they are using a proxy server that won't allow you to grab the IP address for the site. I did speak with someone from Unite Health and they change what the IP address is, so even if they were willing to give out that info I would have to change it whenever they did. I guess we're going to have to look into WebSense and possibly run a Cisco Content Engine along with it to effectively manage the URLs we want blocked etc.

New Member

Re: URL filtering

You do not need to purchase any other service for this, just use the following code. The logic of this is that it will block from host x.x.x.x to www.sco.com from inside to outside.

object-group network WWW

network-object host www.sco.com

!

access-list acl_out permit tcp host x.x.x.x object-group WWW eq 80

access-group acl_out in interface inside

I think you need PIX code 6.3 for this to work, maybe 6.3(3). Hope this helps. Oh, make sure your PIX is properly set up to resolve the hostnames (DNS).

New Member

Re: URL filtering

Thank you. We do have 6.33 running so we can test this out.

New Member

Re: URL filtering

When I add the line: network-object host www.sco.com I get the following error: Network: invalid IP address (www.sco.com) specified.

Any ideas?

New Member

Re: URL filtering

You have to filter by IP. If you deploy a standalone piece of hardware running Websense (for example) you could then have that box filter by URL. If you're using just the PIX for filtering it will only filter by IP.

New Member

Re: URL filtering

Sorry, that permit above should be a deny.

New Member

Re: URL filtering

If you're going to look into web content filtering, I would consider an iPrism made by St. Bernard. It is very easy to configure and very cost effective. Cheaper than any other products that I found, around $2200. With the iPrism, you can block any site that you want or you can also block any protocol. It just plugs in between your inside network and your inside interface on your firewall. No configuration on your PIX. For more info go to http://www.stbernard.com/products/iprism/products_iprism.asp

New Member

Re: URL filtering

Thanks, I looked at their prezo online. Looks interesting. How long have you been using it? Any latency issues with this running? We are all Cisco and I imagine that they were smart enough to make sure that this is compatible with a Cisco environment, but just want to get more info on it if possible. Thanks.

New Member

Re: URL filtering

I'm sure you know this already but I just had to double check. If this is the only outbound ACL you have, ensure you have a permit ip any any after the deny.
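
Added example (not part of the thread and not Cisco code): because the thread shows that `network-object host` rejects a hostname and that the site's addresses change, one approach is to resolve the name off-box and generate the object-group changes whenever the answer differs. The function names are hypothetical, the group name WWW is the one used in the thread, and the addresses are constructed documentation-range values.

```python
import ipaddress
import socket


def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses a hostname currently resolves to."""
    infos = resolver(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)


def object_group_delta(group, previous, current):
    """Build the PIX commands that move an object-group from previous to current.

    network-object host takes only literal addresses, so anything that is not
    a valid IPv4 address (a hostname, for instance) raises ValueError here
    instead of being rejected later on the firewall.
    """
    prev = {ipaddress.IPv4Address(a) for a in previous}
    curr = {ipaddress.IPv4Address(a) for a in current}
    if not curr:
        # A failed or empty lookup must not strip every address from the group.
        raise ValueError("no addresses resolved; leaving the group unchanged")
    if prev == curr:
        return []
    lines = [f"object-group network {group}"]
    # Add new addresses before removing stale ones so the group is never empty.
    lines += [f" network-object host {a}" for a in sorted(curr - prev)]
    lines += [f" no network-object host {a}" for a in sorted(prev - curr)]
    return lines


if __name__ == "__main__":
    # Constructed data: what the group holds now and a changed DNS answer.
    # In use, `after` would come from resolve_ipv4("<site hostname>").
    before = ["192.0.2.10", "198.51.100.7"]
    after = ["192.0.2.10", "203.0.113.5"]
    print("\n".join(object_group_delta("WWW", before, after)))
```

The caveat raised earlier in the thread still applies: an address-based group also matches every other site hosted on the same IP addresses.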
