12-06-2006 02:08 AM - edited 02-20-2020 09:38 PM
Hi, We use a Cisco 2600 router on our leased line. We want to block staff access to hotmail (in fact all external web mail sites) but still allow MSN Messenger (which we use to communicate with several home workers). I have played with blocking several IP addresses on an outbound ACL on the serial 0/0 interface but with limited success. Any hints and tips with regard to technique and IP to block etc? Thanks
12-06-2006 02:39 AM
I block IPs 64.4.33.7 and 64.4.32.7; that should be enough.
M.
12-06-2006 04:21 AM
Hi,
You'll struggle to do this reliably just using IPs, as there's no guarantee they won't change and there's no way of reliably getting a list of even the big three (hotmail, gmail, yahoo), let alone any of the others (.mac, hushmail, lycos, muchomail, mail.com, etc.). The only way to do this reliably is with a 3rd-party product like websense, webwasher, etc.
Note that if you use a default route to the Internet then any clued-up user just needs to point their browser at a public proxy to bypass your ACL - unless you have a list of all the public proxies.
Also - I'd ask why do you want to block web mail? (blocking IM is usually at the top of the list in a security policy along with P2P). The reasoning is that webmail usually has a built-in anti-virus whereas IM/P2P has the ability to share any damaging content.
Just some thoughts - HTH
Andrew.
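The drift described in the reply above (a fixed list of blocked addresses going stale) can be checked periodically. The following is an added example, not part of any post in this thread: it parses `deny ip any ...` ACL entries and reports resolved addresses that none of them cover. The ACL number, the hostnames and the resolved addresses are constructed; only contiguous wildcard masks are handled and entry order is ignored.

```python
import ipaddress
import re

# Constructed ACL: host addresses are from the thread; ACL number and wildcard entry are assumed.
ACL_TEXT = """
access-list 101 deny ip any host 64.4.33.7
access-list 101 deny ip any host 64.4.32.7
access-list 101 deny ip any 198.51.100.0 0.0.0.255
access-list 101 permit ip any any
"""

# Constructed resolver output at audit time (placeholder names, documentation-range addresses).
RESOLVED = {
    "webmail-a.example": ["64.4.33.7", "192.0.2.10"],
    "webmail-b.example": ["198.51.100.25"],
}

DENY = re.compile(r"^access-list\s+\d+\s+deny\s+ip\s+any\s+"
                  r"(?:host\s+(\S+)|(\d\S+)\s+(\d\S+))\s*$")

def denied_networks(acl_text):
    """Destination networks covered by 'deny ip any <dest>' entries."""
    nets = []
    for line in acl_text.splitlines():
        m = DENY.match(line.strip())
        if not m:
            continue
        if m.group(1):  # 'host a.b.c.d' form
            nets.append(ipaddress.ip_network(m.group(1) + "/32"))
        else:  # 'a.b.c.d wildcard' form: invert the wildcard to get a netmask
            wild = int(ipaddress.IPv4Address(m.group(3)))
            mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False))
    return nets

def uncovered(acl_text, resolved):
    """Map each hostname to the resolved addresses that no deny entry covers."""
    nets = denied_networks(acl_text)
    gaps = {}
    for host, addrs in resolved.items():
        missing = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in n for n in nets)]
        if missing:
            gaps[host] = missing
    return gaps

if __name__ == "__main__":
    for host, addrs in uncovered(ACL_TEXT, RESOLVED).items():
        print(f"{host}: not covered by ACL: {', '.join(addrs)}")
```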
12-06-2006 05:57 AM
Hi,
You could use NBAR to block URLs, if your IOS supports it. This could look like this:
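! NBAR requires Cisco Express Forwarding
ip cef
!
! Class that matches HTTP requests whose URL matches any of the patterns
class-map match-any BlockStuff
 match protocol http url "*hotmail*"
 match protocol http url "*gmail*"
!
! Policy that discards traffic in that class
policy-map BlockMail
 class BlockStuff
  drop
!
! Apply the policy to traffic leaving the serial interface
interface Serial0/0
 service-policy output BlockMail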
Hope this helps! Please rate all posts.
Regards, Martin
12-06-2006 07:29 AM
Thanks but I don't think my humble 2510 supports ip cef. You need a 7500 or a 12000 according to O'Reilly.
12-06-2006 07:38 AM
I take it back - it seems that it does. I just now need to understand what this config is doing so I know what I am implementing. Many thanks.