Block user access to websites using the ip addresses of the websites with PIX 515E

Posted by mcterborg on June 6, 2006, 10:10 am
I know there is probably a simple answer to this question, but I cannot
find the answer anywhere. I've tried a couple of different things, but
none seem to work.

I know that I can't simply block a website unless I have websense, but
websense is not needed for what I am doing. How do I block my users
from visiting a website using its IP address using the PIX 515E?

Thanks in advance for your time and help!


Posted by Walter Roberson on June 6, 2006, 2:20 pm

>I know that I can't simply block a website unless I have websense, but
>websense is not needed for what I am doing. How do I block my users
>from visiting a website using its IP address using the PIX 515E?

For future reference: More PIX people hang around in comp.dcom.sys.cisco .

To block your users from visiting a site:

# might as well block the RFC1918 private IPs
access-list In2Out deny ip any 10.0.0.0 255.0.0.0
access-list In2Out deny ip any 172.16.0.0 255.240.0.0
access-list In2Out deny ip any 192.168.0.0 255.255.0.0
# block the Zero Configuration range
access-list In2Out deny ip any 169.254.0.0 255.255.0.0
# list any other restrictions you want
access-list In2Out deny tcp any host WEBSITEIP
# end by permitting everything else
access-list In2Out permit ip any any
# now activate the control
access-group In2Out in interface inside


For improved security, instead of permit ip "any", only
permit your known internal IP addresses, such as

access-list In2Out permit ip 192.168.42.0 255.255.255.0 any

That way, if something inside starts forging packets with a different
IP address range (e.g., part of a DDoS attack) then your PIX will block
the packets before they get out to the network. This will also have the
benefit of blocking outgoing traffic from machines which have managed to
configure themselves with the Zero Configuration (169.254.*.*) address
range.
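
The ACL from the reply above, checked with a small first-match evaluator. This is an added example, not part of the original posts and not Cisco code: 203.0.113.10 is a constructed stand-in for WEBSITEIP, the final permit is the source-restricted variant suggested above, and the parser (hypothetical helper names) handles only the access-list forms shown in this thread.

```python
import ipaddress

# ACL from the answer, with the final "permit ip any any" replaced by the
# suggested source-restricted permit. 203.0.113.10 is a constructed
# stand-in for WEBSITEIP (documentation address range).
ACL = """\
access-list In2Out deny ip any 10.0.0.0 255.0.0.0
access-list In2Out deny ip any 172.16.0.0 255.240.0.0
access-list In2Out deny ip any 192.168.0.0 255.255.0.0
access-list In2Out deny ip any 169.254.0.0 255.255.0.0
access-list In2Out deny tcp any host 203.0.113.10
access-list In2Out permit ip 192.168.42.0 255.255.255.0 any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'NET MASK' and return an IPv4 network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text):
    """Parse the subset of access-list syntax used above into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue  # skip blanks and annotation lines
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        rules.append((action, proto, _take_addr(rest), _take_addr(rest)))
    return rules

def evaluate(rules, proto, src, dst):
    """First matching rule wins; no match means the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, src_net, dst_net in rules:
        if rule_proto in ("ip", proto) and src in src_net and dst in dst_net:
            return action
    return "deny"

RULES = parse_acl(ACL)
if __name__ == "__main__":
    for flow in [("tcp", "192.168.42.7", "203.0.113.10"),   # blocked site
                 ("tcp", "192.168.42.7", "198.51.100.5"),   # ordinary site
                 ("udp", "169.254.3.9", "198.51.100.5"),    # self-assigned source
                 ("tcp", "172.20.1.1", "198.51.100.5")]:    # forged source
        print(flow, "->", evaluate(RULES, *flow))
```

The `deny tcp` line matches TCP only, so a non-TCP flow from a permitted inside address to the same host still reaches the final permit.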
