Cisco PIX501 Block URL

I'm looking for a solution for URL blocking on my company firewall,
to prevent users from reaching those websites and getting infected with viruses.
i.e. http://www.3721.com, http://www.163.com

PIX can integrate with Websense to do the URL filtering work;
however, we are a small company which could not afford to pay 1000pa for Websense
1 Solution
The PIX does not have that capability.
You might look into iPrism that is much less expensive than WebSense http://www.stbernard.com/iprism
Else you can set up a proxy server like Squid or IPCOP with addons (if you're an adventurous Linux guru)

You can manually resolve those websites to IP addresses, and manually add access-list rules to block them by IP address.

Another option is to do this outside of the firewall through either host files on each PC, or if you manage your DNS internally, you can add an empty zone for the domains so that clients will never be able to resolve them to an IP.  

We've found this works better for websites that round-robin their domains (i.e. messenger.yahoo.com, etc.), as in order to add these to the ACLs in the PIX you'd need to know all of the IPs that could possibly be passed off by DNS. For sites that are constantly changing, this could be a very frequent and time-consuming task. Admittedly there are ways to get around it, but it does block it for the "average" user. Hope this helps!

csvchou (Author) commented:
Thanks, both experts!

The hosts file seems to be the only way for our tight budget.
I'll edit each workstation's hosts file (fortunately, we have only 10 PCs for internet access)

C:\Winnt\system32\drivers\etc\hosts                   localhost                   3721.com                   cnsmin.3721.com                   bai.baidu.com

Glad I could be of assistance for you csvchou!  Curious though why you graded as a 'B' when it was exactly what you were looking for, and the solution you ended up using?

csvchou (Author) commented:
Dear talphius,

The hosts file method only works for the stand-alone workstations (not connected to the win2000 server domain).
This method fails on the other domain workstations, as DNS service is handled by the win2000 server.
So far I can only get 1 pc out of 10 fixed.
I've heard something about using ISA to do URL filtering.
we are running Small Business Server 2000 with ISA2000 installed.
Do you have any workaround?

Dear lrmoore,

I apologize I didn't provide enough information on this issue (i.e. PC group size)
we have 10pc connected, 2 are stand alone, 8 connected to the domain network
Thanks for your valuable info. Now I know the solution all depends on the group size.

Ahh...you didn't mention that your problem wasn't solved before you accepted the answer....

Host files should affect the local machines as the machine will look locally before hitting the network DNS server.  We use W2K DNS on our network as well....For testing I just entered a record for yahoo.com in my host file and when I attempted to connect or ping I received my localhost as expected.  Is it possible that after you applied the host file there were still cached entries for the domains you were attempting to block?  You can remove these by doing a Start > Run > ipconfig /flushdns

Since you are on a W2K domain, and it sounds like your DNS is managed internally, you can also implement the other solution I recommended in my original post, by implementing empty zone records in DNS for those domains you are trying to block. Basically all you need to do is the following:

- Open DNS Management and point it to the server managing your DNS
- Right click on Forward Lookup Zones, Click New Zone
- Choose Primary Zone, Click Next
- Zone name would be domain name or subdomain you are trying to block (i.e. xyz.com or abc.xyz.com)
- Accept default (Allow only secure dynamic updates), Click Next
- Click finish

Basically any host on your network that uses the DNS server will get back an empty answer for that domain when it attempts to do lookups. You can verify this by going to a workstation and running a 'nslookup <domainname>' (be sure you flush DNS on that machine first). The advantage of using it at the server level is that there's only one place to manage these settings, and you don't have to push them out to machines.

We currently have the below in ours:

Let me know if you need any further assistance.
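
The two blocking methods discussed in this thread differ in what they cover, shown here as an added example that is not part of the original posts: a hosts file matches exact names only, while an empty zone on the internal DNS server answers for the domain and everything under it. The hosts text, the loopback address and the zone list are constructed sample data, and the function names are hypothetical.

```python
# Added example: coverage of hosts-file entries vs. empty DNS zones.
# SAMPLE_HOSTS and EMPTY_ZONES are constructed sample data, not taken from a real machine.

SAMPLE_HOSTS = """\
# constructed sample: names pointed at loopback
127.0.0.1   localhost
127.0.0.1   3721.com  cnsmin.3721.com   # two names on one line
127.0.0.1   bai.baidu.com
"""

EMPTY_ZONES = ["3721.com", "163.com"]  # zones created empty on the internal DNS server


def parse_hosts(text):
    """Return {hostname: ip} for every name and alias in hosts-file text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower().rstrip("."), ip)  # first entry wins
    return table


def blocked_by_hosts(name, table):
    """Hosts files match exact names only; each subdomain needs its own entry."""
    return name.lower().rstrip(".") in table


def blocked_by_zone(name, zones):
    """An empty authoritative zone answers for its apex and every name under it."""
    labels = name.lower().rstrip(".").split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return any(z.lower().rstrip(".") in suffixes for z in zones)


def coverage(names, hosts_text=SAMPLE_HOSTS, zones=EMPTY_ZONES):
    """Map each name to (blocked_by_hosts, blocked_by_zone)."""
    table = parse_hosts(hosts_text)
    return {n: (blocked_by_hosts(n, table), blocked_by_zone(n, zones)) for n in names}


if __name__ == "__main__":
    sample = ["3721.com", "www.3721.com", "cnsmin.3721.com",
              "www.163.com", "bai.baidu.com", "baidu.com"]
    for name, (h, z) in coverage(sample).items():
        print(f"{name:18} hosts={h!s:5} zone={z}")
```

Names that show `hosts=False zone=True` are the ones a per-PC hosts file misses until someone adds them by hand.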

csvchou (Author) commented:
Dear talphius,

It works!!!!! My problem is solved.
Thanks for your detailed working guide.
It is my 1st time using experts-exchange, I did it by mistake.
It should be a grade 'A' answer.
How can I change the grade?

Welcome to EE!  I'm sure you'll find the site to be an excellent resource for information, and I would encourage you to take some time to look through the content here.  As for your specific question, I'm glad I could help! :)

Regarding the grade change, you can post a message in the Community Support area, stating exactly what you want done.  Be sure to refer to this question #(Q_21178503) in your message.
