
How to block Facebook, Orkut, Limewire, Kaza

Posted on 2011-03-11
Last Modified: 2012-05-11
In my office, I want to block these sites through the PIX:

1 Facebook
2 Orkut
3 LimeWire
4 Kaza

Users should not be able to open these types of sites, but managers should have full access to the internet.

Please guide me in configuring this.
Question by:pawanopensource
13 Comments
 
LVL 1

Expert Comment

by:janvanderwijk
ID: 35109428
I'm not sure, but I remember something like:
Go to configuration mode and run:
access-list 5 deny <ip address of facebook>


 

Author Comment

by:pawanopensource
ID: 35109506
Suppose this command will block Facebook, but what about managers or the CEO? They will also not be able to access Facebook, and I have to give them full access.
 

Author Comment

by:pawanopensource
ID: 35109590
Can I block and allow users using privilege levels in the PIX?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35109622
Not really, privilege levels are for management access within the PIX. Blocking happens at the IP level.
What you could do is (and I assume you use DHCP):
-Make reservations for the manager PCs so they always have the same IP
-Allow the traffic for those IPs and block the rest.

That should work.
 

Expert Comment

by:Edmondadm
ID: 35111773
If you only have an ASA and not some kind of proxy web server such as ISA or Forefront from Microsoft (which you might want to look into), you can't really just block 'users' from getting to certain websites like that. It does it, as has been said above, by IP.

As Ernie said, you can certainly give managers a static IP or a reserved IP and create a rule to 'allow' those connections to Facebook and then create a rule to 'deny' underneath that for everyone else.

Honestly though, the best way to get done what you're talking about is to invest in a proxy server to limit access to certain areas of the internet.
 

Author Comment

by:pawanopensource
ID: 35114765
Thanks Ernie Beek & Edmondadm,

Yes, we are using DHCP in our office.

IPs for which I want to block Yahoo, Facebook, LinkedIn, Orkut, Kaza, LimeWire:

10.1.1.1
10.1.1.2
10.1.1.3

IPs for which I want to allow Yahoo, Facebook, LinkedIn, Orkut, Kaza, LimeWire:

10.1.1.4
10.1.1.5
10.1.1.6

Friends, please guide me on the access list to achieve this.
 

Author Comment

by:pawanopensource
ID: 35114994
Can it be achieved using a class-map? If yes, then please guide me, friends.
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35121294
This should do the trick, except for limewire.
You can also add additional sites as well.

! Host-header patterns. In the ASA/PIX regex syntax a literal dot is "\.";
! an unescaped "." matches any single character.
regex domainlist1 "facebook\.com"
regex domainlist2 "orkut\.com"

! Selects which flows enter the HTTP inspection class: the three manager
! hosts are left out (a deny here means "not classified", not "blocked"),
! everyone else's TCP/80 and TCP/8080 traffic is handed to the inspection.
access-list inside_mpc extended deny ip host 10.1.1.4 any
access-list inside_mpc extended deny ip host 10.1.1.5 any
access-list inside_mpc extended deny ip host 10.1.1.6 any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex _default_x-kazaa-network

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35121314
You might think: but the hosts for which I want to allow it are denied in the access list!?
That is correct, the access list is used to determine what traffic must be submitted to the blocking policy. And we don't want to have those three blocked. So it is to deny those hosts from going through the policy (i.e. no blocking).
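The classification logic in the accepted solution above, as an added example that is not part of the original thread or of Cisco's own code. It is a small Python model of how the ASA/PIX Modular Policy Framework treats a connection under that configuration, written to make two points concrete: a deny entry in access-list inside_mpc excludes the manager hosts from the inspection class rather than blocking them, and the policy only ever looks at TCP/80 and TCP/8080, so HTTPS to the same sites is never inspected (the Host header is inside TLS and the ASA cannot read it). Python's re module stands in for the appliance's regex engine and is only an approximation of it; the IP addresses, host names and port numbers are constructed sample data, and the function names are this example's own. Patterns should still be checked on the appliance with `test regex`.

```python
"""
Model of policy-map inside-policy from the accepted solution (added example,
not from the original thread). Python's re module approximates the ASA regex
dialect; verify real patterns on the box with `test regex`.
"""
import ipaddress
import re
from typing import Optional

# access-list inside_mpc, in order; first match wins, as on the ASA.
# (action, protocol, source host or "any", destination port or None)
INSIDE_MPC_ACL = [
    ("deny",   "ip",  "10.1.1.4", None),
    ("deny",   "ip",  "10.1.1.5", None),
    ("deny",   "ip",  "10.1.1.6", None),
    ("permit", "tcp", "any",      80),
    ("permit", "tcp", "any",      8080),
]

# class-map type regex match-any DomainBlockList. A literal dot is written
# "\." in the ASA regex syntax; an unescaped "." would match any character.
# These patterns are case-sensitive, exactly as the posted ones are.
DOMAIN_BLOCK_LIST = [
    re.compile(r"facebook\.com"),
    re.compile(r"orkut\.com"),
]


def acl_selects_for_inspection(src_ip: str, proto: str, dst_port: int) -> bool:
    """True if the flow hits a *permit* ACE of inside_mpc, i.e. it is pulled
    into class httptraffic and handed to the HTTP inspection policy.
    A deny ACE, or falling off the end, means "not in the class", not "dropped"."""
    src = ipaddress.ip_address(src_ip)
    for action, ace_proto, ace_src, ace_port in INSIDE_MPC_ACL:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_src != "any" and ipaddress.ip_address(ace_src) != src:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ASA access list


def host_header_blocked(host_header: str) -> bool:
    """class-map type inspect http match-all BlockDomainsClass:
    match request header host regex class DomainBlockList (match-any).
    ASA regexes are unanchored, so re.search (anywhere in the header)."""
    return any(rx.search(host_header) for rx in DOMAIN_BLOCK_LIST)


def mpf_verdict(src_ip: str, dst_port: int,
                host_header: Optional[str], method: str = "GET") -> str:
    """What the policy on interface inside does with one HTTP request.

    Returns:
      "not-inspected" - flow never entered class httptraffic: manager host,
                        or a port other than 80/8080 (for example HTTPS/443);
      "drop"          - HTTP CONNECT, dropped by the inspect policy;
      "reset"         - Host header matched DomainBlockList, TCP reset + log;
      "allow"         - inspected, nothing matched.
    """
    if not acl_selects_for_inspection(src_ip, "tcp", dst_port):
        return "not-inspected"
    if method.upper() == "CONNECT":
        return "drop"
    if host_header is not None and host_header_blocked(host_header):
        return "reset"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests, one per case the thread discusses.
    samples = [
        ("10.1.1.1", 80,  "www.facebook.com"),   # ordinary user, blocked site
        ("10.1.1.4", 80,  "www.facebook.com"),   # manager, excluded from class
        ("10.1.1.1", 80,  "www.example.com"),    # ordinary user, other site
        ("10.1.1.1", 443, "www.facebook.com"),   # HTTPS: policy never sees it
    ]
    for ip, port, host in samples:
        print(f"{ip:10} -> {host}:{port:<5} {mpf_verdict(ip, port, host)}")
```

The last sample is the caveat to keep in mind when rolling this out: any of the listed sites reached over HTTPS, or through a proxy on a port other than 80/8080, goes past this policy untouched, which is why the other replies point towards a proxy for anything beyond a best-effort block.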
 

Author Comment

by:pawanopensource
ID: 35122199
Hi friends,

I found a very good URL in which content filtering is explained:
http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

I need to understand it in depth, so I need guidance from you experts. Can you please explain to me the points which are covered in this URL?

1 Traffic inspection classes.

2 Security policy

3 Security zones

4 Interfaces are assigned to the Inside and Outside zones

5 Content filtering pattern definition syntax

6 Sample pattern matching configuration

7 Sample filtering classes

8 Sample URL filtering policy

9 Applying the URL filtering policy to a zone-based firewall security policy

10 Sample local URL filtering parameters

Thanks a lot for your continuous support and guidance.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35122223
One thing, a PIX is not running IOS. It has an OS of its own. So this isn't something you can apply to a PIX (or an ASA for that matter).
 
LVL 70

Expert Comment

by:Qlemo
ID: 35360947
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
