Cisco PIX501 Block URL

csvchou asked:

I'm looking for a solution for URL blocking on my company firewall,
to prevent users from reaching those websites and getting infected with viruses.
i.e. http://www.3721.com, http://www.163.com

PIX can integrate with Websense to do the URL filtering work;
however, we are a small company which could not afford to pay 1000pa for Websense.
Les Moore:
The PIX does not have that capability.
You might look into iPrism that is much less expensive than WebSense http://www.stbernard.com/iprism
Else you can set up a proxy server like Squid or IPCOP with add-ons (if you're an adventurous Linux guru).

You can manually resolve those websites to IP addresses, and manually add access-list rules to block them by IP address.

talphius (accepted solution; its text is not shown on this page):
csvchou (asker):

thanks both experts!

The hosts file seems to be the only way for our tight budget.
I'll edit each workstation's hosts file (fortunately, we have only 10 PCs with internet access).

C:\Winnt\system32\drivers\etc\hosts

127.0.0.1                   localhost
127.0.0.1                   3721.com
127.0.0.1                   cnsmin.3721.com
127.0.0.1                   bai.baidu.com

talphius:

Glad I could be of assistance for you csvchou!  Curious though why you graded as a 'B' when it was exactly what you were looking for, and the solution you ended up using?

csvchou (asker):

Dear talphius,

The hosts file method only works for those stand-alone workstations (not connected to the Win2000 server domain).
This method fails on the other domain workstations, as the DNS service is handled by the Win2000 server.
So far I can only get 1 PC out of 10 fixed.
I've heard something about using ISA to do URL filtering.
We are running Small Business Server 2000 with ISA2000 installed.
Do you have any workaround?

Dear lrmoore,

I apologize I didn't provide enough information on this issue (i.e. PC group size).
We have 10 PCs connected: 2 are stand-alone, 8 connected to the domain network.
Thanks for your valuable info. Now I know the solution all depends on the group size.

talphius:

Ahh...you didn't mention that your problem wasn't solved before you accepted the answer....

Hosts files should affect the local machines as the machine will look locally before hitting the network DNS server.  We use W2K DNS on our network as well....For testing I just entered a 127.0.0.1 record for yahoo.com in my hosts file and when I attempted to connect or ping I received my localhost as expected.  Is it possible that after you applied the hosts file there were still cached entries for the domains you were attempting to block?  You can remove these by doing a Start > Run > ipconfig /flushdns

Since you are on a W2K domain, and it sounds like your DNS is managed internally, you can also implement the other solution I recommended in my original post, by implementing empty zone records in DNS for those domains you are trying to block.  Basically all you need to do is the following:

- Open DNS Management and point it to the server managing your DNS
- Right click on Forward Lookup Zones, Click New Zone
- Choose Primary Zone, Click Next
- Zone name would be domain name or subdomain you are trying to block (i.e. xyz.com or abc.xyz.com)
- Accept default (Allow only secure dynamic updates), Click Next
- Click finish

Basically any host on your network that uses the DNS server will get back an empty answer for that domain when it attempts to do lookups.  You can verify this by going to a workstation and running 'nslookup <domainname>' (be sure you flush DNS on that machine first).  The advantage of using it at the server level is that there's only one place to manage these settings, and you don't have to push them out to machines.

We currently have the below in ours:
aim.aol.com
gator.com
hotbar.com
icq.com
login.oscar.aol.com
messenger.hotmail.com
messenger.yahoo.com
msg.yahoo.com
scs.yahoo.com
weatherbug.com
webshots.com

Let me know if you need any further assistance.
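The difference between the two techniques in this thread (a per-machine hosts file versus an empty forward-lookup zone on the domain's DNS server) comes down to how each one matches names. A hosts entry matches one exact hostname, so an entry for 3721.com does nothing for www.3721.com; a DNS server that is authoritative for an empty 3721.com zone answers every query for that name and everything below it without ever forwarding to the Internet. The following is an added example, not code from the thread or from any of its participants: a small Python model of both lookups that uses the hosts file csvchou posted and a constructed zone list, so the matching rules can be checked offline.

```python
"""Model of the two name-blocking techniques from the thread above:
a per-machine hosts file (exact-name match, first entry wins) and an
empty DNS zone on the domain's DNS server (matches the zone apex and
every name below it). This is an added illustration, not the thread's
own code; the hosts text and zone list are constructed samples."""

from typing import Dict, Iterable, Optional

# Constructed sample: the hosts file posted by the asker, plus a comment line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1                   localhost
127.0.0.1                   3721.com
127.0.0.1                   cnsmin.3721.com
127.0.0.1                   bai.baidu.com
"""

# Constructed sample: empty forward-lookup zones created on the DNS server.
SAMPLE_ZONES = ["3721.com", "baidu.com"]


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} from hosts-file text.

    Rules modelled: '#' starts a comment, fields are whitespace separated,
    one address may be followed by several names, names are case-insensitive,
    and the first entry for a name wins (later duplicates are ignored).
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def hosts_lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """Exact-name match only: 'www.3721.com' is NOT covered by '3721.com'."""
    return table.get(name.lower().rstrip("."))


def zone_blocks(zones: Iterable[str], name: str) -> Optional[str]:
    """Return the zone that captures `name`, or None.

    A server authoritative for zone Z answers queries for Z itself and for
    any name below it, so the lookup never leaves the network. The longest
    matching suffix wins, mirroring how a server picks the closest zone.
    """
    labels = name.lower().rstrip(".").split(".")
    zone_set = {z.lower() for z in zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone_set:
            return candidate
    return None


def classify(name: str, hosts_table: Dict[str, str], zones: Iterable[str]) -> str:
    """Outcome of resolving `name` from a workstation: the hosts file is
    consulted first; only if it has no entry does the query reach the
    DNS server, which either owns a blocking zone or forwards the query."""
    addr = hosts_lookup(hosts_table, name)
    if addr is not None:
        return f"hosts -> {addr}"
    zone = zone_blocks(zones, name)
    if zone is not None:
        return f"dns-zone:{zone} (empty answer)"
    return "forwarded to Internet"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ["3721.com", "www.3721.com", "cnsmin.3721.com",
                 "bai.baidu.com", "www.baidu.com", "www.163.com"]:
        print(f"{host:20} {classify(host, table, SAMPLE_ZONES)}")
```

Running it shows www.3721.com and www.baidu.com falling through the hosts file but being caught by the zones, while www.163.com is blocked by neither until a 163.com zone is added. On a real workstation the equivalent check is the one talphius describes: ipconfig /flushdns, then nslookup against the name.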
csvchou (asker):

Dear talphius,

It works!!!!! My problem is solved.
Thanks for your detailed working guide.
It is my 1st time using Experts Exchange; I did it by mistake.
It should be a grade 'A' answer.
How can I change the grade?
talphius:

Welcome to EE!  I'm sure you'll find the site to be an excellent resource for information, and I would encourage you to take some time to look through the content here.  As for your specific question, I'm glad I could help! :)

Regarding the grade change, you can post a message in the Community Support area, stating exactly what you want done.  Be sure to refer to this question #(Q_21178503) in your message.

https://www.experts-exchange.com/Community_Support/