We help IT Professionals succeed at work.

Deny https access from PIX 515

Medium Priority
324 Views
Last Modified: 2010-05-18
Hello Everyone,

I am trying to deny access to the following website:

https://tools.razorthought.com/cgi-bin/surfsafe/nph-proxy.cgi/010110A/687474702s636s6q6q656r742r6q7973706163652r636s6q2s696r6465782r63666q3s66757365616374696s6r3q757365722r76696577436s6q6q656r747326667269656r6449443q3833323330363239264q79546s6o656r3q363231653

using my PIX 515 Firewall, can anyone help me?  It would be best if I could stop all workstations in the district from accessing HTTPS sites, I'll just create an access list giving my Admins static ips access to HTTPS.
 
Comment
Watch Question

Yves AccadNetwork Security Engineer
CERTIFIED EXPERT

Commented:
access-lists are linear so start by permit:
access-list outbound permit tcp host youradminsstaticip any eq https

access-list outbound deny tcp any any eq https
Don't forget:
access-list outbound permit ip any any
If you don't put this you will deny everything outbound by virtue of doing the https deny because by default the assumption after that is deny all

Apply access-list:
access-group outbound in interface inside

Author

Commented:
I can still get through to the website I am trying to block and when I applied the access-group outbound in interface inside, it blocked everything (including our homepage) but did not block the website I WANT to block.

What is it with this website?
Yves AccadNetwork Security Engineer
CERTIFIED EXPERT

Commented:
Please post your config. My guess is it's the order the access-list is being applied. Don't forget access-lists are linear, starting from top to bottom.

Author

Commented:
access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https
access-list outbound deny tcp any any eq https

Network Security Engineer
CERTIFIED EXPERT
Commented:
if you didn't put at the following at bottom of the access-list that explains why everything got blocked (as I sated in the previous post)
"access-list outbound permit ip any any"

in your inbound access-list:

access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https

You are allowing all clients on those subnets to use https. When you say it didn't block the website you want to block, from what ip were you accessing the website from? if it's part of that block, access is allowed.
are those 5 class C blocks your admin ips?


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.