Solved

How to block Facebook, Orkut, LimeWire, Kazaa

Posted on 2011-03-11
Last Modified: 2012-05-11
In my office, I want to block these sites through PIX:

1 Facebook
2 Orkut
3 LimeWire
4 Kazaa

Users should not open these types of sites, but managers should have full access to the internet.

Please guide me in configuring this.
0
Question by:pawanopensource
13 Comments
 
LVL 1

Expert Comment

by:janvanderwijk
ID: 35109428
I'm not sure, but I remember something like:
Go to configuration mode and run:
access-list 5 deny <IP address of Facebook>


0
 

Author Comment

by:pawanopensource
ID: 35109506
Suppose this command will block Facebook, but what about managers or the CEO? They will also not be able to access Facebook; I have to give them full access.
0
 

Author Comment

by:pawanopensource
ID: 35109590
Can I block and allow users using privilege levels in PIX?
0

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35109622
Not really, privilege levels are for management access within the PIX. Blocking happens at the IP level.
What you could do is (and I assume you use DHCP):
- Make reservations for the manager PCs so they always have the same IP
- Allow the traffic for those IPs and block the rest.

That should work.
0
 

Expert Comment

by:Edmondadm
ID: 35111773
If you only have an ASA and not some kind of proxy web server such as ISA or Forefront from Microsoft (which you might want to look into), you can't really just block 'users' from getting to certain websites like that. It does it, as has been said above, by IP.

As Ernie said, you can certainly give managers a static IP or a reserved IP and create a rule to 'allow' those connections to Facebook and then create a rule for 'deny' underneath that for everyone else.

Honestly though, the best way to get done what you're talking about is to invest in a proxy server to limit access to certain areas of the internet.
0
 

Author Comment

by:pawanopensource
ID: 35114765
Thanks Ernie Beek & Edmondadm,

Yes, we are using DHCP in our office.

IPs for which I want to block Yahoo, Facebook, LinkedIn, Orkut, Kazaa, LimeWire:

10.1.1.1
10.1.1.2
10.1.1.3


IPs for which I want to allow Yahoo, Facebook, LinkedIn, Orkut, Kazaa, LimeWire:

10.1.1.4
10.1.1.5
10.1.1.6


Friends, please guide me in the access-list to achieve this.
0
 

Author Comment

by:pawanopensource
ID: 35114994
Can it be achieved using class-map? If yes, then please guide me, friends.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35121294
This should do the trick, except for LimeWire.
You can also add additional sites as well.

! Host names to block; the dot is escaped so it matches a literal "."
regex domainlist1 "facebook\.com"
regex domainlist2 "orkut\.com"

! Selects the traffic handed to HTTP inspection:
! "deny" exempts a host from inspection, "permit" submits the traffic to it
access-list inside_mpc extended deny ip host 10.1.1.4 any
access-list inside_mpc extended deny ip host 10.1.1.5 any
access-list inside_mpc extended deny ip host 10.1.1.6 any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

! Any one of these patterns counts as a blocked domain
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex _default_x-kazaa-network

! Matches HTTP requests whose Host header hits the block list
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
! Reset and log connections to blocked domains
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

! Apply the HTTP inspection to the selected traffic on the inside interface
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35121314
You might think: but the hosts for which I want to allow it are denied in the access list!?
That is correct, the access list is used to determine what traffic must be submitted to the blocking policy. And we don't want to have those three blocked. So it is to deny those hosts to go through the policy (i.e. no blocking).
0
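The selection logic explained in the comment above, modelled in Python as an added example (not part of the thread and not ASA code): the access list only decides which flows reach HTTP inspection, and the Host header regex then decides the reset. The function names and sample requests are constructed for illustration; the `match request method connect` and protocol-violation rules are not modelled.

```python
import ipaddress
import re

# inside_mpc from the accepted answer: first match wins, and "deny" means
# "do not submit to inspection", not "drop". Port None stands for "ip ... any".
INSIDE_MPC = [
    ("deny", "10.1.1.4", None),
    ("deny", "10.1.1.5", None),
    ("deny", "10.1.1.6", None),
    ("permit", "any", 80),
    ("permit", "any", 8080),
]
# DomainBlockList, with the dots escaped so they match literally.
DOMAIN_BLOCK_LIST = [re.compile(r"facebook\.com"), re.compile(r"orkut\.com")]


def acl_selects(src_ip, dst_port):
    """Return True if inside_mpc hands this flow to HTTP inspection."""
    src = ipaddress.ip_address(src_ip)
    for action, host, port in INSIDE_MPC:
        host_ok = host == "any" or src == ipaddress.ip_address(host)
        port_ok = port is None or port == dst_port
        if host_ok and port_ok:
            return action == "permit"
    return False  # implicit deny at the end: the flow is not inspected


def verdict(src_ip, dst_port, host_header):
    """Return 'reset', 'pass' or 'not-inspected' for one request."""
    if not acl_selects(src_ip, dst_port):
        return "not-inspected"
    if any(rx.search(host_header) for rx in DOMAIN_BLOCK_LIST):
        return "reset"
    return "pass"


# Constructed sample requests: (source IP, destination port, Host header).
SAMPLES = [
    ("10.1.1.1", 80, "www.facebook.com"),   # ordinary user, blocked site
    ("10.1.1.4", 80, "www.facebook.com"),   # manager, exempt from inspection
    ("10.1.1.2", 8080, "orkut.com"),        # ordinary user via port 8080
    ("10.1.1.3", 80, "example.org"),        # ordinary user, other site
    ("10.1.1.1", 443, "www.facebook.com"),  # port 443 is never selected by the ACL
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", verdict(*sample))
```

The last sample shows a coverage gap to check when reviewing this policy: the access list selects only ports 80 and 8080, so traffic on any other port reaches none of the domain rules.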
 

Author Comment

by:pawanopensource
ID: 35122199
Hi Friends,

I got a very good URL in which content filtering is explained.
http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

I need to understand this in depth, so I need guidance from you experts. Can you please explain the points which are covered in this URL?

1 Traffic inspection classes.

2 Security policy

3 Security zones

4 Interfaces are assigned to the Inside and Outside zones

5 Content filtering pattern definition syntax

6 Sample pattern matching configuration

7 Sample filtering classes

8 Sample URL filtering policy

9 Applying the URL filtering policy to a zone-based firewall security policy

10 Sample local URL filtering parameters

Thanks a lot for your continuous support and guidance.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35122223
One thing, a PIX is not running IOS. It has an OS of its own. So this isn't something you can apply to a PIX (or an ASA for that matter).
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35360947
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
