How to block Facebook, Orkut, LimeWire, Kazaa

In my office, I want to block these sites through the PIX:

1 Facebook
2 Orkut
3 LimeWire
4 Kazaa

Users should not open these types of sites, but managers should have full access to the internet.

Please guide me in configuring this.
pawanopensource Asked:
 
Ernie Beek (Expert) Commented:
This should do the trick, except for LimeWire.
You can also add additional sites as well.

! The backslash escapes each dot so it matches a literal "."
regex domainlist1 "facebook\.com"
regex domainlist2 "orkut\.com"

access-list inside_mpc extended deny ip host 10.1.1.4 any
access-list inside_mpc extended deny ip host 10.1.1.5 any
access-list inside_mpc extended deny ip host 10.1.1.6 any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex _default_x-kazaa-network

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside
 
janvanderwijk Commented:
I'm not sure, but I remember something like:
Go to configuration mode and run:
access-list 5 deny <IP address of Facebook>


 
pawanopensource (Author) Commented:
Suppose this command will block Facebook, but what about managers or the CEO? They will also not be able to access Facebook, and I have to give them full access.
 
pawanopensource (Author) Commented:
Can I block and allow users using privilege levels in the PIX?
 
Ernie Beek (Expert) Commented:
Not really, privilege levels are for management access within the PIX. Blocking happens at the IP level.
What you could do is (and I assume you use DHCP):
- Make reservations for the manager PCs so they always have the same IP
- Allow the traffic for those IPs and block the rest.

That should work.
 
Edmondadm Commented:
If you only have an ASA and not some kind of proxy web server such as ISA or Forefront from Microsoft (which you might want to look into), you can't really just block 'users' from getting to certain websites like that. It does it, as has been said above, by IP.

As Ernie said, you can certainly give managers a static IP or a reserved IP and create a rule to 'allow' those connections to Facebook and then create a rule for 'deny' underneath that for everyone else.

Honestly though, the best way to get done what you're talking about is to invest in a proxy server to limit access to certain areas of the internet.
 
pawanopensource (Author) Commented:
Thanks Erniebeek & Edmondadm,

Yes, we are using DHCP in our office.

IPs for which I want to block Yahoo, Facebook, LinkedIn, Orkut, Kazaa, LimeWire:

10.1.1.1
10.1.1.2
10.1.1.3


IPs for which I want to allow Yahoo, Facebook, LinkedIn, Orkut, Kazaa, LimeWire:

10.1.1.4
10.1.1.5
10.1.1.6


Friends, please guide me on the access-list for achieving this.
 
pawanopensource (Author) Commented:
Can it be achieved using a class-map? If yes, then please guide me, friends.
 
Ernie Beek (Expert) Commented:
You might think: but the hosts for which I want to allow it are denied in the access list!?
That is correct, the access list is used to determine what traffic must be submitted to the blocking policy. And we don't want to have those three blocked. So it is there to deny those hosts from going through the policy (i.e. no blocking).
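
Added example, not part of any participant's post and not Cisco code: a small Python model of how the configuration posted in this thread decides what happens to a request, assuming the block-list patterns are meant as facebook\.com and orkut\.com. The function names and sample flows are constructed for illustration, and the built-in _default_x-kazaa-network regex is left out of the model.

```python
import ipaddress
import re

# Constructed model of the posted policy; addresses and domains come from the thread.
EXEMPT_HOSTS = {ipaddress.ip_address(a) for a in ("10.1.1.4", "10.1.1.5", "10.1.1.6")}
INSPECTED_TCP_PORTS = {80, 8080}  # "eq www" and "eq 8080"
# DomainBlockList (assumed patterns; _default_x-kazaa-network is not modelled).
DOMAIN_BLOCK_LIST = [re.compile(r"facebook\.com"), re.compile(r"orkut\.com")]


def classified_by_inside_mpc(src_ip, proto, dst_port):
    """First-match walk of inside_mpc: True means the flow goes to HTTP inspection."""
    if ipaddress.ip_address(src_ip) in EXEMPT_HOSTS:
        return False  # "deny ip host ..." skips the policy, it does not drop traffic
    if proto == "tcp" and dst_port in INSPECTED_TCP_PORTS:
        return True   # "permit tcp any any eq ..."
    return False      # implicit deny: the flow is not part of class httptraffic


def verdict(src_ip, proto, dst_port, method, host):
    """Return the modelled action for one HTTP request."""
    if not classified_by_inside_mpc(src_ip, proto, dst_port):
        return "not-inspected"
    if method.upper() == "CONNECT":
        return "drop-connection"  # match request method connect
    if any(rx.search(host) for rx in DOMAIN_BLOCK_LIST):
        return "reset"            # class BlockDomainsClass
    return "allowed"


SAMPLE_FLOWS = [  # constructed sample requests
    ("10.1.1.1", "tcp", 80, "GET", "www.facebook.com"),
    ("10.1.1.4", "tcp", 80, "GET", "www.facebook.com"),
    ("10.1.1.2", "tcp", 8080, "GET", "www.orkut.com"),
    ("10.1.1.3", "tcp", 80, "GET", "www.example.com"),
    ("10.1.1.1", "tcp", 443, "GET", "www.facebook.com"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", verdict(*flow))
```

The last sample flow shows the scope of the class: inside_mpc only permits TCP ports 80 and 8080, so traffic on any other port is never handed to this HTTP inspection policy.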
 
pawanopensource (Author) Commented:
Hi Friends,

I found a very good URL in which content filtering is explained.
http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

I need to understand this in depth, so I need guidance from you experts. Can you please explain the points which are covered at this URL?

1 Traffic inspection classes.

2 Security policy

3 Security zones

4 Interfaces are assigned to the Inside and Outside zones

5 Content filtering pattern definition syntax

6 Sample pattern matching configuration

7 Sample filtering classes

8 Sample URL filtering policy

9 Applying the URL filtering policy to a zone-based firewall security policy

10 Sample local URL filtering parameters

Thanks a lot for your continuous support and guidance.
 
Ernie Beek (Expert) Commented:
One thing, a PIX is not running IOS. It has an OS of its own. So this isn't something you can apply to a PIX (or an ASA for that matter).
 
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
Question has a verified solution.