Cisco PIX501 Block URL

I'm looking for a solution for URL blocking on my company firewall,
to prevent users from reaching those websites and getting infected with viruses.

The PIX can integrate with Websense to do the URL filtering work;
however, we are a small company which cannot afford to pay 1000pa for Websense.

The PIX does not have that capability.
You might look into iPrism, which is much less expensive than WebSense.
Else you can set up a proxy server like Squid or IPCOP with add-ons (if you're an adventurous Linux guru).

You can manually resolve those websites to IP addresses, and manually add access-list rules to block them by IP address.

Another option is to do this outside of the firewall through either host files on each PC, or if you manage your DNS internally, you can add an empty zone for the domains so that clients will never be able to resolve them to an IP.  

We've found this works better for websites that round-robin their domains (i.e., etc etc), as in order to add these to the ACLs in the PIX you'd need to know all of the IPs that could possibly be passed off by DNS. For sites that are constantly changing, this could be a very frequent and time-consuming task. Admittedly there are ways to get around it, but it does block it for the "average" user. Hope this helps!
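The hosts-file option from the answer above, scripted so it can be applied to each workstation without duplicating names already in the file. This is an added example, not code from the thread; it assumes the default Windows hosts path, an elevated PowerShell session, and the constructed domain names shown (a modern PowerShell rather than the Windows 2000 machines the thread describes):

```powershell
# Added example (not from the thread): add hosts-file sinkhole entries on one
# workstation, skipping names that are already mapped.
# Assumes the default Windows hosts path and an elevated PowerShell session;
# the domain names below are constructed samples.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsFileNames {
    param([string] $Path = $HostsPath)
    # Return the hostnames already mapped in the file, ignoring comments and blank lines
    $names = @{}
    foreach ($line in (Get-Content -Path $Path)) {
        $clean = ($line -split '#', 2)[0].Trim()
        if (-not $clean) { continue }
        $fields = $clean -split '\s+'
        if ($fields.Count -lt 2) { continue }            # an address with no hostname
        foreach ($n in ($fields | Select-Object -Skip 1)) { $names[$n.ToLower()] = $true }
    }
    return $names
}

function Add-HostsSinkholeEntry {
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [string] $Path = $HostsPath,
        [string] $SinkholeAddress = '127.0.0.1'
    )
    $known = Get-HostsFileNames -Path $Path
    $new = foreach ($h in $HostName) {
        $h = $h.Trim().ToLower()
        if (-not $known.ContainsKey($h)) { "$SinkholeAddress`t$h`t# blocked" }
    }
    if ($new) {
        # The hosts file must stay plain ASCII; a BOM or Unicode encoding breaks parsing
        Add-Content -Path $Path -Value $new -Encoding Ascii
    }
    # Flush cached answers so a name resolved before the edit does not bypass the entry
    ipconfig /flushdns | Out-Null
    return @($new)
}

# Usage (sample names are constructed; run as Administrator)
Add-HostsSinkholeEntry -HostName 'www.blocked.example', 'cdn.blocked.example'
Resolve-DnsName -Name 'www.blocked.example' -Type A    # resolves from the hosts file to 127.0.0.1
```

A hosts entry matches only the exact name listed, so every hostname a site uses (www, cdn, and so on) needs its own line; it does nothing about the round-robin IP problem described above because the name is simply never sent to DNS. The flush at the end is the step most often forgotten: a name the workstation resolved before the edit stays in the resolver cache and keeps working until the cache is cleared.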

csvchouAuthor Commented:
Thanks, both experts!

The hosts file seems to be the only way for our tight budget.
I'll edit each workstation's hosts file (fortunately, we have only 10 PCs for internet access).

C:\Winnt\system32\drivers\etc\hosts                   localhost         


Glad I could be of assistance for you csvchou!  Curious though why you graded as a 'B' when it was exactly what you were looking for, and the solution you ended up using?

csvchouAuthor Commented:
Dear talphius,

The hosts file method only works for those stand-alone workstations (not connected to the Win2000 server domain).
This method fails on the other domain workstations, as the DNS service is handled by the Win2000 server.
So far I can only get 1 PC out of 10 fixed.
I've heard something about using ISA to do URL filtering.
We are running Small Business Server 2000 with ISA2000 installed.
Do you have any workaround?

Dear lrmoore,

I apologize I didn't provide enough information on this issue (i.e. PC group size).
We have 10 PCs connected: 2 are stand-alone, 8 connected to the domain network.
Thanks for your valuable info. Now I know the solution all depends on the group size.

talphiusCommented:
You didn't mention that your problem wasn't solved before you accepted the answer....

Hosts files should affect the local machines, as the machine will look locally before hitting the network DNS server. We use W2K DNS on our network as well.... For testing I just entered a record for in my hosts file, and when I attempted to connect or ping I received my localhost as expected. Is it possible that after you applied the hosts file there were still cached entries for the domains you were attempting to block? You can remove these by doing a Start > Run > ipconfig /flushdns

Since you are on a W2K domain, and it sounds like your DNS is managed internally, you can also implement the other solution I recommended in my original post, by creating empty zone records in DNS for those domains you are trying to block. Basically all you need to do is the following:

- Open DNS Management and point it to the server managing your DNS
- Right click on Forward Lookup Zones, Click New Zone
- Choose Primary Zone, Click Next
- Zone name would be domain name or subdomain you are trying to block (i.e. or
- Accept default (Allow only secure dynamic updates), Click Next
- Click finish

Basically any host on your network that uses the DNS server will get back an empty answer for that domain when it attempts to do lookups. You can verify this by going to a workstation and running 'nslookup <domainname>' (be sure you flush DNS on that machine first). The advantage of using it at the server level is that there's only one place to manage these settings, and you don't have to push them out to machines.

We currently have the below in ours:

Let me know if you need any further assistance.
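The empty-zone procedure from the answer above, scripted for the DnsServer PowerShell module (Windows Server 2012 or later) together with the nslookup-style verification from a client. This is an added example, not code from the thread, and it targets a modern DNS server rather than the Windows 2000 console the steps describe; the server name and the domain names are constructed samples:

```powershell
# Added example (not from the thread): create empty primary zones so the internal
# DNS server answers NXDOMAIN for blocked domains, then check the result from a client.
# Assumes the DnsServer module (Windows Server 2012+) and a domain controller;
# server and domain names are constructed samples.
$DnsServer = 'sbs01.corp.example'
$BlockedDomains = @('blocked.example', 'tracker.example')

function New-DnsSinkholeZone {
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [string] $ComputerName = $DnsServer
    )
    $created = @()
    foreach ($zone in $Name) {
        if (Get-DnsServerZone -Name $zone -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
            continue    # zone already exists, nothing to do
        }
        # An AD-integrated primary zone with no records makes this server authoritative
        # for the domain and every name beneath it, so lookups come back empty (NXDOMAIN).
        # Dynamic updates are switched off rather than the console default of 'Secure':
        # nothing should be able to register a record inside a sinkhole zone.
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate None -ComputerName $ComputerName
        $created += $zone
    }
    return $created
}

function Test-DnsSinkhole {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Server = $DnsServer
    )
    Clear-DnsClientCache    # same effect as the 'ipconfig /flushdns' step in the thread
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Blocked = $false; Result = ($answer.IPAddress -join ',') }
    } catch {
        # An empty answer surfaces as a terminating error from Resolve-DnsName
        [pscustomobject]@{ Name = $Name; Blocked = $true; Result = $_.Exception.Message }
    }
}

# Usage: create the zones, then confirm a blocked name and a subdomain fail while a control name resolves
New-DnsSinkholeZone -Name $BlockedDomains
'blocked.example', 'www.blocked.example', 'www.example.com' | ForEach-Object { Test-DnsSinkhole -Name $_ }
```

On a server that is not a domain controller, replace `-ReplicationScope Domain` with `-ZoneFile "$zone.dns"` to create a file-backed primary zone; the sinkhole effect is the same. Unlike a hosts entry, the zone covers every name under the blocked domain, and because the name never resolves at all it also sidesteps the changing-IP problem with PIX ACLs raised earlier in the thread.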
csvchouAuthor Commented:
Dear talphius,

It works!!!!! My problem is solved.
Thanks for your detailed working guide.
It is my 1st time using experts-exchange; I did it by mistake.
It should be a grade 'A' answer.
How can I change the grade?
Welcome to EE! I'm sure you'll find the site to be an excellent resource for information, and I would encourage you to take some time to look through the content here. As for your specific question, I'm glad I could help! :)

Regarding the grade change, you can post a message in the Community Support area, stating exactly what you want done.  Be sure to refer to this question #(Q_21178503) in your message.