topic Re: Blocking access inside by domain in Network Security

Blocking access inside by domain

techiegrl — Mon, 11 Mar 2019 14:14:11 GMT

Hi,

I have a pix 535 and was wondering if there was a way to block access in to a particular website by domain such as .edu or .gov. Any help would be great. Thanks

Re: Blocking access inside by domain

JORGE RODRIGUEZ — Tue, 18 Nov 2008 01:57:33 GMT

If you are running version code 7.2.x and above you can block urls by domain using MPF, have a look here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

If code 6.x you would probably need 3rd party to realy fitering urls, have a look here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Re: Blocking access inside by domain

techiegrl — Tue, 18 Nov 2008 17:28:53 GMT

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

Re: Blocking access inside by domain

techiegrl — Tue, 18 Nov 2008 17:53:26 GMT

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

Re: Blocking access inside by domain

Alan Huseyin Kayahan — Tue, 18 Nov 2008 18:07:17 GMT

Hello Stefanie,

To which users do you want to block these web domains?

Jorge's answer is on spot, can be applied in any way you want.

Regards

Re: Blocking access inside by domain

techiegrl — Tue, 18 Nov 2008 18:09:30 GMT

Hi.

For instance, let's say that I wanted to only allow .mil users access to my website. Can I use the document in question for ver. 7.2?

Thanks

Re: Blocking access inside by domain

Alan Huseyin Kayahan — Tue, 18 Nov 2008 18:14:30 GMT

I am not clear on "only allow .mil users access to my website"

So you have a webserver we are OK here, but what is a .mil user?

Re: Blocking access inside by domain

techiegrl — Tue, 18 Nov 2008 18:16:41 GMT

Someone on a .mil domain. Yes, we have several webservers, but wanted to only allow access to users coming from a certain domain name.

Re: Blocking access inside by domain

Alan Huseyin Kayahan — Tue, 18 Nov 2008 18:46:38 GMT

Stefanie,

Let me make a correction first on the logical design.

A connection attempt from a source can contain source IP, source MAC, source port, username&password (if implemented), flags (SYN, SYN+ACK etc). Source domain is not an option here. Yet, the only domain name that you can get while qureying an IP address to learn its domain will be the one assigned by the ISP (something random). Thats why source domain is not a criteria to match and apply restrictions on. Thats why you cant have a workaround with a third party in my opinion.

Regards

Re: Blocking access inside by domain

techiegrl — Tue, 18 Nov 2008 21:53:15 GMT

Now, i'm a little confused. I have a Sidewinder on another one of my networks, and I can select .gov or .mil as a source domain to access a webserver on my network. I am trying to do the same via my Pix 535. We are trying to lock down access to our websites from certain domains and I was trying to get it to work from the pix. So I don't want to block outgoing, but incoming, and without knowing every IP associated with the .gov domain, I was hoping for an easy way to do this.

Any help would be greatly appreciated.

Source (.gov) dest. (mywebsite) port (443)

Re: Blocking access inside by domain

cisco24x7 — Tue, 18 Nov 2008 22:02:47 GMT

Let me make it clear for you. Pix/ASA can not

do this. The domain features are available

on Sidewinder and Checkpoint firewalls but sadly

not available in Pix/ASA.

Re: Blocking access inside by domain

techiegrl — Tue, 18 Nov 2008 22:06:23 GMT

Got it!

Thanks for your help.