Solved

How to block Facebook, Orkut, LimeWire, Kazaa

Posted on 2011-03-11
Last Modified: 2012-05-11
In my office, I want to block these sites through the PIX:

1 Facebook
2 Orkut
3 LimeWire
4 Kazaa

Users should not open these types of sites, but managers should have full access to the internet.

Please guide me in configuring this.
0
Question by:pawanopensource
13 Comments
 
LVL 1

Expert Comment

by:janvanderwijk
ID: 35109428
I'm not sure, but I remember something like:
Go to configuration mode and run:
access-list 5 deny <IP address of facebook>


0
 

Author Comment

by:pawanopensource
ID: 35109506
Suppose this command will block Facebook, but what about managers or the CEO? They will also not be able to access Facebook, and I have to give them full access.
0
 

Author Comment

by:pawanopensource
ID: 35109590
Can I block and allow users using privilege levels in the PIX?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35109622
Not really, privilege levels are for management access within the PIX. Blocking happens at the IP level.
What you could do is (and I assume you use DHCP):
- Make reservations for the manager PCs so they always have the same IP
- Allow the traffic for those IPs and block the rest.

That should work.
0
 

Expert Comment

by:Edmondadm
ID: 35111773
If you only have an ASA and not some kind of proxy web server such as ISA or Forefront from Microsoft (which you might want to look into), you can't really just block 'users' from getting to certain websites like that. It does it, as has been said above, by IP.

As Ernie said, you can certainly give managers a static IP or a reserved IP and create a rule to 'allow' those connections to Facebook and then create a rule for 'deny' underneath that for everyone else.

Honestly though, the best way to get done what you're talking about is to invest in a proxy server to limit access to certain areas of the internet.
0
 

Author Comment

by:pawanopensource
ID: 35114765
Thanks Ernie Beek & Edmondadm,

Yes, we are using DHCP in our office.

IPs for which I want to block Yahoo, Facebook, LinkedIn, Orkut, Kazaa, LimeWire:

10.1.1.1
10.1.1.2
10.1.1.3

IPs for which I want to allow Yahoo, Facebook, LinkedIn, Orkut, Kazaa, LimeWire:

10.1.1.4
10.1.1.5
10.1.1.6

Friends, please guide me in the access-list to achieve this.
0

 

Author Comment

by:pawanopensource
ID: 35114994
Can it be achieved using class-map? If yes, then please guide me, friends.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35121294
This should do the trick, except for LimeWire.
You can also add additional sites as well.

! Patterns matched against the HTTP Host header; "\." matches a literal dot
regex domainlist1 "facebook\.com"
regex domainlist2 "orkut\.com"

! Traffic selector for inspection: hosts denied here skip the policy (no blocking),
! all other HTTP traffic on ports 80 and 8080 is sent through it
access-list inside_mpc extended deny ip host 10.1.1.4 any
access-list inside_mpc extended deny ip host 10.1.1.5 any
access-list inside_mpc extended deny ip host 10.1.1.6 any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

! Any one of these patterns puts a request on the block list
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex _default_x-kazaa-network

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
! HTTP inspection: drop protocol violations and CONNECT, reset blocked domains
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
! Apply the policy to traffic entering the inside interface
service-policy inside-policy interface inside
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35121314
You might think: but the hosts for which I want to allow it are denied in the access list!?
That is correct, the access list is used to determine what traffic must be submitted to the blocking policy. And we don't want to have those three blocked. So it denies those hosts from going through the policy (i.e. no blocking).
0
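The selection logic of the accepted configuration and the explanation above, as an added example that is not part of either post: a simplified Python model of which flows class httptraffic hands to HTTP inspection and what the policy then does with them. The function names and sample requests are constructed for illustration, and the built-in Kazaa pattern is left out.

```python
import ipaddress
import re

# Constructed model of access-list inside_mpc: first match wins.
# In a class-map, "deny" means "do not classify this flow", not "drop it".
INSIDE_MPC = [
    ("deny", "10.1.1.4/32", None),    # manager hosts: any port
    ("deny", "10.1.1.5/32", None),
    ("deny", "10.1.1.6/32", None),
    ("permit", "0.0.0.0/0", 80),      # everyone else: www
    ("permit", "0.0.0.0/0", 8080),    # everyone else: 8080
]

# class-map type regex match-any DomainBlockList (Kazaa built-in omitted)
DOMAIN_BLOCK_LIST = [re.compile(r"facebook\.com"), re.compile(r"orkut\.com")]


def classified(src_ip, dst_port):
    """True if class httptraffic selects the flow for HTTP inspection."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in INSIDE_MPC:
        if src in ipaddress.ip_network(net) and port in (None, dst_port):
            return action == "permit"
    return False  # implicit deny at the end of the ACL: not inspected


def verdict(src_ip, dst_port, method, host):
    """Outcome of http_inspection_policy for one constructed request."""
    if not classified(src_ip, dst_port):
        return "pass (not inspected)"
    if method.upper() == "CONNECT":
        return "drop-connection"      # match request method connect
    if any(rx.search(host) for rx in DOMAIN_BLOCK_LIST):
        return "reset"                # class BlockDomainsClass
    return "pass (inspected)"


if __name__ == "__main__":
    samples = [  # constructed requests
        ("10.1.1.1", 80, "GET", "www.facebook.com"),
        ("10.1.1.4", 80, "GET", "www.facebook.com"),
        ("10.1.1.2", 8080, "GET", "www.orkut.com"),
        ("10.1.1.3", 80, "GET", "www.example.org"),
    ]
    for s in samples:
        print(s, "->", verdict(*s))
```

Flows to ports other than 80 and 8080 are never selected by inside_mpc, so the Host-header match does not apply to them.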
 

Author Comment

by:pawanopensource
ID: 35122199
Hi Friends,

I found a very good URL in which content filtering is explained.
http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

I need to understand this in depth, so I need guidance from you experts. Can you please explain the points which are covered in this URL?

1 Traffic inspection classes.
2 Security policy
3 Security zones
4 Interfaces are assigned to the Inside and Outside zones
5 Content filtering pattern definition syntax
6 Sample pattern matching configuration
7 Sample filtering classes
8 Sample URL filtering policy
9 Applying the URL filtering policy to a zone-based firewall security policy
10 Sample local URL filtering parameters

Thanks a lot for your continuous support and guidance.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35122223
One thing, a PIX is not running IOS. It has an OS of its own. So this isn't something you can apply to a PIX (or an ASA for that matter).
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35360947
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
