
Pix 506e as Content Filter

Tom_Spencer
Level 1

Is there any way to effectively use a PIX 506E as a content filter? I see some example configurations involving an ASA 5500, but I was wondering if the PIX alone will allow content filtering. We are a small business that is looking to restrict just a few websites to our DHCP users (i.e. eBay, Yahoo Mail, Amazon). We already have the PIX. Thanks!

1 Reply

amritpatek
Level 6

If you want to filter streaming media content with a PIX 506E, you have two options. The first one is to block ports on the PIX, and the second is to use a proxy server to filter URLs. Since our main concern is doing it on the PIX, you may enter these commands on the PIX for well-known ports that you could block on the firewall:

access-list nostream deny udp any any eq 2979
access-list nostream deny udp any any eq 1790
access-list nostream deny udp any any eq 1755
access-list nostream deny udp any any eq 1736
access-list nostream deny udp any any eq 554
access-list nostream deny udp any any eq 537
access-list nostream deny tcp any any eq 2979
access-list nostream deny tcp any any eq 1790
access-list nostream deny tcp any any eq 1755
access-list nostream deny tcp any any eq 1736
access-list nostream deny tcp any any eq 554
access-list nostream deny tcp any any eq 537
access-list nostream permit tcp any any eq 80
access-list nostream permit ip any any
access-group nostream in interface inside

However, some streaming applications use random ports through auto-configure options, which are difficult to block with the PIX. To resolve this issue, you have the second option: using a proxy server to filter the URLs. You may use Websense or any other software to filter web traffic.
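
Added example, not part of the original thread and not Cisco code: a small first-match evaluator for the "nostream" ACL posted above. It shows which rule decides a given flow: the listed ports are denied, while an unlisted port, and port 80 to any site, falls through to a permit. The function names and the probe port 49152 are constructed for illustration, and the parser handles only the rule shape used in this thread.

```python
# Added example: first-match evaluation of the "nostream" ACL from the reply.
# Handles only the rule shape on this page: <action> <proto> any any [eq <port>].
ACL_TEXT = """\
access-list nostream deny udp any any eq 2979
access-list nostream deny udp any any eq 1790
access-list nostream deny udp any any eq 1755
access-list nostream deny udp any any eq 1736
access-list nostream deny udp any any eq 554
access-list nostream deny udp any any eq 537
access-list nostream deny tcp any any eq 2979
access-list nostream deny tcp any any eq 1790
access-list nostream deny tcp any any eq 1755
access-list nostream deny tcp any any eq 1736
access-list nostream deny tcp any any eq 554
access-list nostream deny tcp any any eq 537
access-list nostream permit tcp any any eq 80
access-list nostream permit ip any any
"""

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list":
            port = int(tok[7]) if tok[6:7] == ["eq"] else None
            rules.append((tok[2], tok[3], port, line.strip()))
    return rules

def evaluate(rules, proto, dport):
    # First matching rule wins; an ACL ends with an implicit deny.
    for action, rproto, rport, line in rules:
        if rproto in ("ip", proto) and rport in (None, dport):
            return action, line
    return "deny", "implicit deny"

def redundant_rules(rules):
    # A rule is redundant if removing it changes no TCP/UDP decision.
    ports = {r[2] for r in rules if r[2] is not None}
    ports.add(max(ports, default=0) + 1)  # stands in for every unlisted port
    probes = [(p, d) for p in ("tcp", "udp") for d in sorted(ports)]
    return [rule[3] for i, rule in enumerate(rules)
            if all(evaluate(rules, p, d)[0] ==
                   evaluate(rules[:i] + rules[i + 1:], p, d)[0] for p, d in probes)]

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for proto, port in [("tcp", 554), ("tcp", 80), ("udp", 49152)]:
        print(proto, port, "->", *evaluate(rules, proto, port))
    print("redundant:", redundant_rules(rules))
```

The redundancy check reports the explicit port 80 permit, because the final "permit ip any any" already allows it.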
