Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Deny https access from PIX 515

Posted on 2006-10-25
5
270 Views
Last Modified: 2010-05-18
Hello Everyone,

I am trying to deny access to the following website:

https://tools.razorthought.com/cgi-bin/surfsafe/nph-proxy.cgi/010110A/687474702s636s6q6q656r742r6q7973706163652r636s6q2s696r6465782r63666q3s66757365616374696s6r3q757365722r76696577436s6q6q656r747326667269656r6449443q3833323330363239264q79546s6o656r3q363231653

using my PIX 515 Firewall, can anyone help me?  It would be best if I could stop all workstations in the district from accessing HTTPS sites, I'll just create an access list giving my Admins static ips access to HTTPS.
 
0
Comment
Question by:eptexascrazy
  • 3
  • 2
5 Comments
 
LVL 7

Expert Comment

by:instillmotion
ID: 17807827
access-lists are linear so start by permit:
access-list outbound permit tcp host youradminsstaticip any eq https

access-list outbound deny tcp any any eq https
Don't forget:
access-list outbound permit ip any any
If you don't put this you will deny everything outbound by virtue of doing the https deny because by default the assumption after that is deny all

Apply access-list:
access-group outbound in interface inside
0
 

Author Comment

by:eptexascrazy
ID: 17808071
I can still get through to the website I am trying to block and when I applied the access-group outbound in interface inside, it blocked everything (including our homepage) but did not block the website I WANT to block.

What is it with this website?
0
 
LVL 7

Expert Comment

by:instillmotion
ID: 17809141
Please post your config. My guess is it's the order the access-list is being applied. Don't forget access-lists are linear, starting from top to bottom.
0
 

Author Comment

by:eptexascrazy
ID: 17814355
access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https
access-list outbound deny tcp any any eq https

0
 
LVL 7

Accepted Solution

by:
instillmotion earned 125 total points
ID: 17814513
if you didn't put at the following at bottom of the access-list that explains why everything got blocked (as I sated in the previous post)
"access-list outbound permit ip any any"

in your inbound access-list:

access-list outbound permit tcp 10.1.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.2.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.3.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.6.4.0 255.255.255.0 any eq https
access-list outbound permit tcp 10.4.4.0 255.255.255.0 any eq https

You are allowing all clients on those subnets to use https. When you say it didn't block the website you want to block, from what ip were you accessing the website from? if it's part of that block, access is allowed.
are those 5 class C blocks your admin ips?


0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question