Access-List to Block some Url

Bwilhelm
Level 1

PIX 515E (Version 6.1)

I need a sample access-list to block access to a single web site (like www.xxxxxxx.com) but allow access to all other sites.

Thanks

6 Replies

pcomeaux
Cisco Employee

The first step would be to figure out what IP address www.xxxxxx.com is hosted on. In this case, the IP address is 209.163.238.151.

I would check to see if there is an existing ACL applied inbound on the inside interface (and others if you want to apply this to more than one interface on the pix). I would then either modify or create an access-list similar to the following (assuming no access-list exists):

access-list 40 deny tcp any host 209.163.238.151 eq 80

access-list 40 permit ip any any

Then I would apply the newly created acl to the inside interface:

access-group 40 in interface inside

If www.xxxxxx.com happens to change IP addresses, you need to keep up with this. This can become very tedious and time consuming if you find yourself doing this for many websites.

If you find yourself needing a more scalable solution, you should consider N2H2, Checkpoint, or some other URL filtering software.

Hope this helps,

peter

I obviously had a brain lapse when I typed Checkpoint as an option for URL filtering software, as Checkpoint does not offer this type of software and subscription service. I indeed meant to say Websense.

I apologize for any confusion.

peter

ywadhavk
Cisco Employee

Hi Bernd,

The PIX by itself cannot do url-blocking / url-filtering. You need to deploy a url filtering server solution such as Websense or N2H2.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008c103.html#xtocid9

Thanks,

yatin

Bwilhelm
Level 1

Sorry, but it does not work.

Here is my access-list:

access-list inside_access_in permit tcp any any eq www (hitcnt=348132)

access-list inside_access_in permit tcp any any eq 443 (hitcnt=13786)

access-list inside_access_in permit tcp any any eq smtp (hitcnt=4872)

access-list inside_access_in permit tcp any any eq ftp (hitcnt=152)

access-list inside_access_in permit tcp any any eq pop3 (hitcnt=76160)

access-list inside_access_in permit udp any any (hitcnt=32614)

access-list inside_access_in permit tcp any any eq 19638 (hitcnt=342)

I added this line:

access-list inside_access_in deny tcp any host 66.135.192.85 eq www

but PDM gives me a message: there is no host address 66.135.192.85 on the PIX.
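Added example, not code from the thread or from Cisco: a small Python model of first-match access-list evaluation, run over the inside_access_in list posted above. It shows why a deny entry that ends up below "permit tcp any any eq www" is never reached (the permit matches first, and the hit counters on that permit keep climbing), while the ordering in peter's first reply, deny before permit, does block the site. The client address 192.168.1.10 and the second web server 198.51.100.7 are constructed values; the implicit deny at the end of the list and top-down first-match evaluation are the only PIX behaviours modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Port keywords as they appear in the posted 'show access-list' output.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "pop3": 110}


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip"
    src: object              # ip_network
    dst: object              # ip_network
    dport: Optional[int]     # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'.
    A trailing '(hitcnt=N)' from show output is ignored."""
    toks = line.split("(")[0].split()
    if toks[0] != "access-list":
        raise ValueError(line)
    action, proto = toks[2], toks[3]
    pos = 4

    def take_addr():
        nonlocal pos
        kw = toks[pos]
        if kw == "any":
            pos += 1
            return ip_network("0.0.0.0/0")
        if kw == "host":
            pos += 2
            return ip_network(toks[pos - 1] + "/32")
        # 'network mask' form, e.g. 10.0.0.0 255.255.255.0
        net = ip_network(f"{toks[pos]}/{toks[pos + 1]}", strict=False)
        pos += 2
        return net

    src = take_addr()
    dst = take_addr()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        dport = PORT_NAMES.get(toks[pos + 1]) or int(toks[pos + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, proto, src, dst, dport):
    """First-match semantics: walk top-down, the first ACE whose fields all
    match decides. A packet that matches nothing hits the implicit deny,
    reported here as ('deny', None)."""
    s, d = ip_address(src), ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


# The list as posted in the thread, deny entry last (constructed copy).
POSTED_ACL = [parse_ace(l) for l in """
access-list inside_access_in permit tcp any any eq www (hitcnt=348132)
access-list inside_access_in permit tcp any any eq 443 (hitcnt=13786)
access-list inside_access_in permit tcp any any eq smtp (hitcnt=4872)
access-list inside_access_in permit tcp any any eq ftp (hitcnt=152)
access-list inside_access_in permit tcp any any eq pop3 (hitcnt=76160)
access-list inside_access_in permit udp any any (hitcnt=32614)
access-list inside_access_in permit tcp any any eq 19638 (hitcnt=342)
access-list inside_access_in deny tcp any host 66.135.192.85 eq www
""".strip().splitlines()]

# Same entries with the deny moved above the blanket 'permit ... eq www'.
FIXED_ACL = [POSTED_ACL[-1]] + POSTED_ACL[:-1]

CLIENT = "192.168.1.10"        # constructed inside host
BLOCKED_SITE = "66.135.192.85"  # address from the thread
OTHER_SITE = "198.51.100.7"     # constructed, any other web server


def check_blocked_site(acl):
    """(action, matching index) for an HTTP connection to the blocked site."""
    return evaluate(acl, "tcp", CLIENT, BLOCKED_SITE, 80)


def check_other_site(acl):
    """(action, matching index) for an HTTP connection to some other site."""
    return evaluate(acl, "tcp", CLIENT, OTHER_SITE, 80)


if __name__ == "__main__":
    print("posted order, blocked site:", check_blocked_site(POSTED_ACL))
    print("deny first,   blocked site:", check_blocked_site(FIXED_ACL))
    print("deny first,   other site:  ", check_other_site(FIXED_ACL))
```

With the posted order the HTTP connection to 66.135.192.85 is decided by entry 0, the blanket permit, and the deny is dead. With the deny moved to the top the same connection is denied at entry 0 and every other web server still falls through to the permit. On a PIX whose access-list command only appends, the list has to be rebuilt with the deny entered first.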

Hi Bernd -

Q. Do you have an internet router (perimeter router)? If you do, then why not apply the ACL on that router to stop any traffic from the denied www site!!

Hope this helps --

Did PDM prompt you to specify the location of the host 66.135.192.85?

Usually PDM will ask for which interface a particular host is out of if PDM does not recognize the ip address on a directly connected segment.

For instance, I attempted to add the same rule via PDM on my 501. The popup message I receive with PDM 3.0 has a menu bar that reads: "Add host/network?" and has the following text inside the window: "PDM could not find host 66.135.192.85 255.255.255.255 on interface outside. Would you like to add this host or network now?"

If I click OK, a wizard leads me through some prompts on how to add this host. This is a peculiarity of PDM, i.e. wanting to know out of which interface a particular host exists.

You should be able to click through this wizard, filling in the info requested and then the rule will appear in PDM with the deny stop sign very visible.

Please let me know how it goes.

peter