Deny https access from PIX 515

Hello Everyone,

I am trying to deny access to the following website:

https://tools.razorthought.com/cgi-bin/surfsafe/nph-proxy.cgi/010110A/687474702s636s6q6q656r742r6q7973706163652r636s6q2s696r6465782r63666q3s66757365616374696s6r3q757365722r76696577436s6q6q656r747326667269656r6449443q3833323330363239264q79546s6o656r3q363231653

using my PIX 515 Firewall, can anyone help me?  It would be best if I could stop all workstations in the district from accessing HTTPS sites, I'll just create an access list giving my Admins static ips access to HTTPS.
 
eptexascrazyAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Yves AccadConnect With a Mentor Network Security EngineerCommented:
if you didn't put at the following at bottom of the access-list that explains why everything got blocked (as I sated in the previous post)
"access-list outbound permit ip any any"

in your inbound access-list:

access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https

You are allowing all clients on those subnets to use https. When you say it didn't block the website you want to block, from what ip were you accessing the website from? if it's part of that block, access is allowed.
are those 5 class C blocks your admin ips?


0
 
Yves AccadNetwork Security EngineerCommented:
access-lists are linear so start by permit:
access-list outbound permit tcp host youradminsstaticip any eq https

access-list outbound deny tcp any any eq https
Don't forget:
access-list outbound permit ip any any
If you don't put this you will deny everything outbound by virtue of doing the https deny because by default the assumption after that is deny all

Apply access-list:
access-group outbound in interface inside
0
 
eptexascrazyAuthor Commented:
I can still get through to the website I am trying to block and when I applied the access-group outbound in interface inside, it blocked everything (including our homepage) but did not block the website I WANT to block.

What is it with this website?
0
 
Yves AccadNetwork Security EngineerCommented:
Please post your config. My guess is it's the order the access-list is being applied. Don't forget access-lists are linear, starting from top to bottom.
0
 
eptexascrazyAuthor Commented:
access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https
access-list outbound deny tcp any any eq https

0
All Courses

From novice to tech pro — start learning today.