How can I block all Hotmail and other such messenger services with our Cisco Router?

Posted on 2005-05-12
Medium Priority
Last Modified: 2013-11-16
We have a couple of people that spend a good portion of the day shooting the breeze with Hotmail (and others probably). We have a Cisco 1700 Router with the Pix(?) firewall card in it. We are a windows 2000 AD domain environment.
Question by:dwielgosz
LVL 79

Expert Comment

ID: 13996053
OK, another attempt to use technology to solve personnel behavioral issues....
Couple of things. Since you are AD and obviously have your local clients point to your own DNS server, try simply adding a bogus DNS entry for *.hotmail.com to one of your own web servers with a special web page that says something like "Get back to work, loafer!"

If you can find the IP addresses of all the hotmail servers, you can create access-lists on the router to block all access to those IP addresses.

If you have an acceptable use policy that prohibits the use of hotmail during work hours, and everyone has read, understood and signed it, then reprimand or fire someone for violating their privileges.

If you have ISA /Proxy server, you can monitor which users violate the policy.

Else you can use some other content filtering appliance like the iPrism http://www.stbernard.com/iprism
or WebSense http://www.websense.com  or surfcontrol  http://www.surfcontrol.com

On a technical note, there is no PIX firewall "card" that goes into a 1700 router. There is a firewall "feature set" of the IOS that will run on a 1700 giving it some of the capabilities of a PIX firewall.


Author Comment

ID: 13996263
"If you have an acceptable use policy that prohibits the use of hotmail during work hours, everyone has read, understood and signed it, then reprimand or fire someone for violating their privileges."

If the upper management had the gumption to go through the bother of finding someone to replace the offending party(s), then this would be the obvious solution.

We paid extra for a PIX card add-in for that router, and I may be mistaken about it being used for a firewall feature (although the IOS definitely has firewall software features); our T1 line is plugged directly into the card.

How would I associate the DNS record with a webpage? We don't have web servers although I could set up a new website to specifically do that I guess.
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 13997340
In your primary DNS server, create a primary zone for hotmail.com.
Create A records for www.hotmail.com that point to a local private IP address.
Create your own bogus web site at that IP address, else just leave it alone and everyone will get "page not found" errors only.
I would also create an access-list that prevents access to the following IP addresses:

access-list 110 deny ip any host
access-list 110 deny ip any host
access-list 110 deny ip any host
access-list 110 deny ip any host
access-list 110 permit ip any any

interface Fast 0
 ip access-group 110 in

Author Comment

ID: 13997455
Exactly what I was hoping to learn. Thank you much.

Author Comment

ID: 13998926
One more thing please. I created a new zone on the DNS server and with it a new host (A) record, forward only. I couldn't create the A record on the same subnet that our AD Domain is on, so I created an adjacent (private) subnet and assigned a number from that subnet to the new website that is hosting the suggested webpage. Of course it doesn't work. It spins the iconic Microsoft globe for a bit and says that it is unreachable. The webserver that the new website resides on has a dynamic IP that is part of the AD domain subnet, even though the website has this other fictitious IP assigned to it on port 80. WHEW! Is this workable, or am I doing something half-backwards?
LVL 79

Expert Comment

ID: 13999572
Not sure why you can't just use an IP in the local subnet (I don't have a Win server to test with at the moment).
But this adjacent subnet must be known as local by whatever your default gateway is.
I assume your local gateway is the 1700 router. You might need to assign it a secondary IP in the same subnet range:

  interface fast 0
   ip address secondary


Author Comment

ID: 13999605
It wouldn't allow the IP on the same subnet during the initial setup; however, I was able to edit it later and give it an IP on our subnet after all.
