SA520W - blocking URLs

info-irfasud
Level 1

Hi everyone.

I purchased a SA520W for my company, and I have some problems configuring the firewall.

I want to deny access to facebook, youtube and twitter, but not for 4 hosts which need these websites for work.

I tried to configure content filtering > blocking URLs, but with this solution I deny access for all users.

So, I tried to make IPv4 rules:

The 4 hosts that may access these websites are 192.168.50.124 to 127.

Example:

FROM Zone: LAN

TO: WAN

Service: Any

Action: block always

Source hosts: 192.168.50.32 to 192.168.50.123

Destination hosts: 66.220.158.11 (one of facebook's IPs)

But it does not work.

So, I am looking for another solution, or maybe my rule is not correctly configured?

Thanks for your support

5 Replies

Shrikant Sundaresh
Cisco Employee

Hi Jean,

I wanted to gather a few details on the tests you performed after configuring the rule you mentioned.

According to the rule, traffic is blocked from 192.168.50.32-123 to 66.220.158.11.

So the test should have been trying http://66.220.158.11 on the browser of one of the systems in the blocked range, and one in the .124-127 range.

Was it accessible from both PCs after configuring this rule, or blocked on both?

Hi,

After configuring the rule, when I try http://66.220.158.11 on the browser of a system in the blocked range, it's possible to access this website. It's also possible with a system out of the range. So, it's accessible from both PCs instead of just the PCs out of the range.

Thank you Shrikant

Hi Jean,

For a LAN-WAN rule, you also need to fill in the Source NAT settings. Kindly check if that has been done.

Once you've filled out the settings, please click on Apply and test from both machines again.

Secondly, can you edit the rule and allow logging for it, and check if any logs are generated when traffic goes through the device?

Please paste the logs, if any, in the next post.

Also, are there other rules configured between the LAN and WAN interfaces? Maybe one of those rules is getting hit, and thus the rule you've configured for facebook, never comes into play. You could move the facebook rule to the top, so that it is matched before the other rules.

Kindly let me know if there are any developments, after checking these 3 things.
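The rule-ordering point above (a rule only takes effect if no earlier rule already matched the traffic) is easy to see with a small first-match model. The following is an added example, not SA520W code or anything posted in this thread: it walks an ordered rule list top-down and reports which rule decides a given LAN-to-WAN flow. The source range, the exempt hosts and the facebook address are taken from the thread; the rule names, the broad "allow LAN out" rule placed above the facebook rule, the default action, and the unrelated destination 203.0.113.10 are constructed for illustration.

```python
"""First-match model of LAN->WAN firewall rules (added example, not SA520W code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    src_lo: str          # first source address of the range (inclusive)
    src_hi: str          # last source address of the range (inclusive)
    dst: Optional[str]   # single destination address, or None for "any"
    action: str          # "block" or "allow"

    def matches(self, src: str, dst: str) -> bool:
        s = ipaddress.ip_address(src)
        in_src = ipaddress.ip_address(self.src_lo) <= s <= ipaddress.ip_address(self.src_hi)
        in_dst = self.dst is None or ipaddress.ip_address(self.dst) == ipaddress.ip_address(dst)
        return in_src and in_dst


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the first rule (top-down) that matches the flow, or None."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule
    return None


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "allow") -> str:
    """Action applied to the flow: the first matching rule wins, else the default."""
    hit = first_match(rules, src, dst)
    return hit.action if hit else default


def shadowed_by(rules: List[Rule], target: Rule, src: str, dst: str) -> Optional[str]:
    """Name of an earlier rule that steals a flow the target rule would match, if any."""
    if not target.matches(src, dst):
        return None
    hit = first_match(rules, src, dst)
    return hit.name if hit is not None and hit is not target else None


# Rule from the original post: block 192.168.50.32-123 to 66.220.158.11 (one facebook address).
FACEBOOK_BLOCK = Rule("block-facebook", "192.168.50.32", "192.168.50.123", "66.220.158.11", "block")
# Constructed broad rule (not from the thread) standing in for "some other LAN->WAN rule".
ALLOW_LAN_OUT = Rule("allow-lan-out", "192.168.50.1", "192.168.50.254", None, "allow")


def shadowed_order() -> List[Rule]:
    # Facebook rule sits below a broad allow: the allow matches first, facebook rule never fires.
    return [ALLOW_LAN_OUT, FACEBOOK_BLOCK]


def fixed_order() -> List[Rule]:
    # Facebook rule moved to the top, as suggested in the reply above.
    return [FACEBOOK_BLOCK, ALLOW_LAN_OUT]


def demo() -> Dict[str, Dict[str, str]]:
    """Evaluate three sample flows against both orderings."""
    flows = {
        "blocked_host": ("192.168.50.50", "66.220.158.11"),   # inside the blocked range
        "exempt_host": ("192.168.50.125", "66.220.158.11"),   # one of the 4 permitted hosts
        "other_dest": ("192.168.50.50", "203.0.113.10"),      # constructed unrelated destination
    }
    results: Dict[str, Dict[str, str]] = {}
    for label, rules in (("shadowed", shadowed_order()), ("fixed", fixed_order())):
        results[label] = {name: evaluate(rules, s, d) for name, (s, d) in flows.items()}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
    print("shadowed by:", shadowed_by(shadowed_order(), FACEBOOK_BLOCK, "192.168.50.50", "66.220.158.11"))
```

Run as a script and the "shadowed" ordering lets the in-range host reach 66.220.158.11, exactly the symptom reported above, while the "fixed" ordering blocks it and still leaves the exempt host alone. `shadowed_by` is the check to run when a logged rule shows no hits: it names the earlier rule that is consuming the traffic. Note that a destination-IP rule covers only the addresses it lists, so a site served from several addresses needs each of them (or a content-filter entry) covered.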

Hi,

What do you mean by "you also need to fill in the Source NAT settings"?

I tried to log the rule, but nothing appears in the log table.

The only other rule is a rule to allow RDP from WAN to LAN.

I attach a screenshot to this post.

I have to go and will be back on Wednesday.

Thanks for your answers.

info-irfasud
Level 1

Does someone have an idea?
