Solved

Deny https access from PIX 515

Posted on 2006-10-25
5
275 Views
Last Modified: 2010-05-18
Hello Everyone,

I am trying to deny access to the following website:

https://tools.razorthought.com/cgi-bin/surfsafe/nph-proxy.cgi/010110A/687474702s636s6q6q656r742r6q7973706163652r636s6q2s696r6465782r63666q3s66757365616374696s6r3q757365722r76696577436s6q6q656r747326667269656r6449443q3833323330363239264q79546s6o656r3q363231653

using my PIX 515 Firewall, can anyone help me?  It would be best if I could stop all workstations in the district from accessing HTTPS sites, I'll just create an access list giving my Admins static ips access to HTTPS.
 
0
Comment
Question by:eptexascrazy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 7

Expert Comment

by:instillmotion
ID: 17807827
access-lists are linear so start by permit:
access-list outbound permit tcp host youradminsstaticip any eq https

access-list outbound deny tcp any any eq https
Don't forget:
access-list outbound permit ip any any
If you don't put this you will deny everything outbound by virtue of doing the https deny because by default the assumption after that is deny all

Apply access-list:
access-group outbound in interface inside
0
 

Author Comment

by:eptexascrazy
ID: 17808071
I can still get through to the website I am trying to block and when I applied the access-group outbound in interface inside, it blocked everything (including our homepage) but did not block the website I WANT to block.

What is it with this website?
0
 
LVL 7

Expert Comment

by:instillmotion
ID: 17809141
Please post your config. My guess is it's the order the access-list is being applied. Don't forget access-lists are linear, starting from top to bottom.
0
 

Author Comment

by:eptexascrazy
ID: 17814355
access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https
access-list outbound deny tcp any any eq https

0
 
LVL 7

Accepted Solution

by:
instillmotion earned 125 total points
ID: 17814513
if you didn't put at the following at bottom of the access-list that explains why everything got blocked (as I sated in the previous post)
"access-list outbound permit ip any any"

in your inbound access-list:

access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https

You are allowing all clients on those subnets to use https. When you say it didn't block the website you want to block, from what ip were you accessing the website from? if it's part of that block, access is allowed.
are those 5 class C blocks your admin ips?


0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question