Re: Blocking access inside by domain

techiegrl · ‎11-17-2008

Hi,

I have a pix 535 and was wondering if there was a way to block access in to a particular website by domain such as .edu or .gov. Any help would be great. Thanks

JORGE RODRIGUEZ · ‎11-17-2008

If you are running version code 7.2.x and above you can block urls by domain using MPF, have a look here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

If code 6.x you would probably need 3rd party to realy fitering urls, have a look here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Jorge Rodriguez

techiegrl · ‎11-18-2008

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

techiegrl · ‎11-18-2008

Hi and thanks. At first look it seems like this is for outgoing requests. could I use the same for incoming requests?

Thanks

Alan Huseyin Kayahan · ‎11-18-2008

Hello Stefanie,

To which users do you want to block these web domains?

Jorge's answer is on spot, can be applied in any way you want.

Regards

techiegrl · ‎11-18-2008

Hi.

For instance, let's say that I wanted to only allow .mil users access to my website. Can I use the document in question for ver. 7.2?

Thanks

Alan Huseyin Kayahan · ‎11-18-2008

I am not clear on "only allow .mil users access to my website"

So you have a webserver we are OK here, but what is a .mil user?

techiegrl · ‎11-18-2008

Someone on a .mil domain. Yes, we have several webservers, but wanted to only allow access to users coming from a certain domain name.

Alan Huseyin Kayahan · ‎11-18-2008

Stefanie,

Let me make a correction first on the logical design.

A connection attempt from a source can contain source IP, source MAC, source port, username&password (if implemented), flags (SYN, SYN+ACK etc). Source domain is not an option here. Yet, the only domain name that you can get while qureying an IP address to learn its domain will be the one assigned by the ISP (something random). Thats why source domain is not a criteria to match and apply restrictions on. Thats why you cant have a workaround with a third party in my opinion.

Regards

techiegrl · ‎11-18-2008

Now, i'm a little confused. I have a Sidewinder on another one of my networks, and I can select .gov or .mil as a source domain to access a webserver on my network. I am trying to do the same via my Pix 535. We are trying to lock down access to our websites from certain domains and I was trying to get it to work from the pix. So I don't want to block outgoing, but incoming, and without knowing every IP associated with the .gov domain, I was hoping for an easy way to do this.

Any help would be greatly appreciated.

Source (.gov) dest. (mywebsite) port (443)

cisco24x7 · ‎11-18-2008

Let me make it clear for you. Pix/ASA can not

do this. The domain features are available

on Sidewinder and Checkpoint firewalls but sadly

not available in Pix/ASA.

techiegrl · ‎11-18-2008

Got it!

Thanks for your help.