Solved

How to block Facebook, Orkut, Limewire, Kaza

Posted on 2011-03-11
13
1,020 Views
Last Modified: 2012-05-11
in my office, i want to block these sites through PIX

1 Facebook
2 Orkut
3 LimeWire
4 Kaza


users should not open these types of sites .but Managers should have full access on internet.  


plz guide me in configuring this.
0
Comment
Question by:pawanopensource
13 Comments
 
LVL 1

Expert Comment

by:janvanderwijk
Comment Utility
I'm not sure, but i remember something like:
Go to configuration mode and run:
access-list 5 deny <ipadres of facebook>


0
 

Author Comment

by:pawanopensource
Comment Utility
suppose this command will block facebook, but what about managers or ceo. they will also not be able to access facebook, i have to give them full access
0
 

Author Comment

by:pawanopensource
Comment Utility
can i block n allow users using privlege level in pix.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Not really, privilege levels are for management access within the pix. Blocking happens at the ip level.
What you could do is (and I assume you use DHCP):
-Make reservations for the manager pc's so they always have the same ip
-allow the traffic for those ip's and block the rest.

That should work.
0
 

Expert Comment

by:Edmondadm
Comment Utility
If you only have an ASA and not some kind of Proxy web server such as ISA or Forefront from Microsoft(which you might want to look into), you can't really just block 'users' from getting to certain websites like that.  It does it as has said above by IP.

As ernie said you can certaintly give managers a static IP or a reserved IP and create a rule to 'allow' those connections to facebook and then create a rule for 'deny' underneath that for everyone else.  

Honestly though the best way to get done what you're talking about it is to invest into a Proxy server to limit access to certain areas of the internet.
0
 

Author Comment

by:pawanopensource
Comment Utility
Thanks Erniebeek & Edmondamn,

yes we r using dhcp in our office.

ips which i want to block yahoo,facebook,linkedin,orkut,kaza,limewire

10.1.1.1
10.1.1.2
10.1.1.3


ips which i want to allow yahoo,facebook,linkedin,orkut,kaza,limewire

10.1.1.4
10.1.1.5
10.1.1.6


friends plz guide me in acess-list to achieving this.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:pawanopensource
Comment Utility
can it be achieved using class-map, if yes than plz guide me friends.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
Comment Utility
This should do the trick, except for limewire.
You can also add additional sites as well.

regex domainlist1 "\facebook.\com"
regex domainlist2 "\orkut.\com"

access-list inside_mpc extended deny ip host 10.1.1.4 any
access-list inside_mpc extended deny ip host 10.1.1.5 any
access-list inside_mpc extended deny ip host 10.1.1.6 any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex _default_x-kazaa-network

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
You might think: but the host for which I want to allow it are denied in the access list!?
That is correct, the access list is used to determine what traffic must be submitted to the blocking policy. And we don't want to have those three blocked. So it is to deny those hosts to go through the policy (i.e. no blocking).
0
 

Author Comment

by:pawanopensource
Comment Utility
Hi Friends,

i got a very good url in which content filtering is explained.  
http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

i need to understand in deep so i need guidance from u experts. can u plz explain me the points which are covered in this url.

1 Traffic inspection classes.

2 Security policy

3 Security zones

4 Interfaces are assigned to the Inside and Outside zones

5 Content filtering pattern definition syntax

6 Sample pattern matching configuration

7 Sample filtering classes

8 Sample URL filtering policy

9 Applying the URL filtering policy to a zone-based firewall security policy

10 Sample local URL filtering parameters

thx a lot for ur continuous support n guidance.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
One thing, a PIX is not running IOS. It has an OS of it's own. So this isn't something you can apply to a PIX (or an ASA for that matter).
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now