Cisco PIX501 Block URL

Posted on 2004-10-22
Last Modified: 2013-11-16
I'm looking for solution for URL blocking on my company firewall.
to prevent user from reaching those web and infecting virus.

PIX can intergrate with Websense to do the URL filtering works,
however we are a small company which could not afford to pay 1000pa for Websense
Question by:csvchou
    LVL 79

    Expert Comment

    The PIX does not have that capability.
    You might look into iPrism that is much less expensive than WebSense
    Else you can setup a proxy server like Squid or IPCOP with addons (if you're an adventurous Linux guru)

    You can manually resolve those websites to IP addresses, and manually add access-list rules to block them by IP address.

    LVL 5

    Accepted Solution

    Another option is to do this outside of the firewall through either host files on each PC, or if you manage your DNS internally, you can add an empty zone for the domains so that clients will never be able to resolve them to an IP.  

    We've found this works better for websites that round-robin their domains (i.e., etc etc), as in order to add these to the ACL's in the PIX you'd need to know all of the IP's that could possibly be passed off by DNS.  For sites that are constantly changing, this could be a very frequent and time consuming task.  Admittedly there are ways to get around it, but it does block it for the "average" user.    Hope this helps!

    Author Comment

    thanks both experts!

    hosts file seems to be the only way for our tight budget
    I'll edit each workstation hosts file (forturnately, we have only 10 pc for internet access)

    C:\Winnt\system32\drivers\etc\hosts                   localhost                 

    LVL 5

    Expert Comment

    Glad I could be of assistance for you csvchou!  Curious though why you graded as a 'B' when it was exactly what you were looking for, and the solution you ended up using?


    Author Comment

    Dear talphius,

    hosts file method only work for those stand alone workstations (not connected to the win2000 server domain)
    this method fail on other domain workstation, as DNS service is handled by win2000 server
    so far I can only get 1 pc out of 10 fixed.
    I've heard something about using ISA to do URL filtering.
    we are running Small Business Server 2000 with ISA2000 installed.
    Do you have any workaround?

    Dear lrmoore,

    I apologize I didn't provide enough information on this issue (i.e. PC group size)
    we have 10pc connected, 2 are stand alone, 8 connected to the domain network
    Thanks for your valueable info. now I know the solution all depend on the group size.

    LVL 5

    Expert Comment

    by:talphius didn't mention that your problem wasn't solved before you accepted the answer....

    Host files should affect the local machines as the machine will look locally before hitting the network DNS server.  We use W2K DNS on our network as well....For testing I just entered a record for in my host file and when I attempted to connect or ping I received my localhost as expected.  Is it possible that after you applied the host file there were still cached entries for the domains you were attempting to block?  You can remove these by doing a Start > Run > ipconfig /flushdns

    Since you are on a W2K domain, and it sounds like your DNS is managed internally, you can also implement the other solution I recommended in my original post, by implementing empty zone records in DNS for those domains you are trying to block.  Basically all you need to do it the following:

    - Open DNS Management and point it to the server managing your DNS
    - Right click on Forward Lookup Zones, Click New Zone
    - Choose Primary Zone, Click Next
    - Zone name would be domain name or subdomain you are trying to block (i.e. or
    - Accept default (Allow only secure dynamic updates), Click Next
    - Click finish

    Basically any host on your network that uses the DNS server will get back an empty answer for that domain when it attempts to do lookups.  You can verify this by going to a workstation and running a 'nslookup <domainname>' (be sure you flush dns on that machine first).  The advantage of using it at the server level is that theres only one place to manage these settings, and you dont have to push them out to machines.  

    We currently have the below in ours:

    Let me know if you need any further assistance.

    Author Comment

    Dear talphius,

    It works!!!!! My problem is solved.
    Thanks for your detail working guide.
    It is my 1st time using experts-exchange, I did it by mistake.
    It should be a grade 'A' answer.
    How can I change the grade?
    LVL 5

    Expert Comment

    Welcome to EE!  I'm sure you'll find the site to be an excellent resource for information, and I would encourage you take some time to look through the content here.  As for your specific question, I'm glad I could help! :)

    Regarding the grade change, you can post a message in the Community Support area, stating exactly what you want done.  Be sure to refer to this question #(Q_21178503) in your message.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone. Privacy Policy Terms of Use

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
    The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
    With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

    875 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    13 Experts available now in Live!

    Get 1:1 Help Now