Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Can a PIX block ALL http traffic with one or two exceptions? 3

Status
Not open for further replies.

CeeEyeBee

Vendor
Mar 8, 2005
3
GB
I want to set up a group of PCs on a PIX which have no access to the internet at all except to obtain their anti-virus updates.

Is it possible to block ALL access except for (for example) "
I've got a feeling I can't use a URL in an allow or deny statement and I'll have to "block all" and "allow the IP address of the site".

Am I right?
 
Yup, you're essentially right.
Unless the data the comes back from sophos always comes back on a certain port(probably doesn't, as its an http request).

Don't shoot the messenger.
 
Hi,
In order to accomplish what you described, you need third
party applications such as Websense or N2h2 for that.

The other alternative is to throw away the Pix firewall
and put in checkpoint. Cisco Pix firewall is overrated.

wirelesspeap
CCIE Security
 
Give the group of PC's static addresses (preferably ones that you can use summarization on) so you don't have too many statements - so if you had 192.168.1.1-192.168.1.14 use a /29
[ip block] would be 192.168.1.0 255.255.255.240
es-latest.sophos.com resolves to 213.86.172.150 for now.

Add this to ACL to your inside interface

access-list acl-outbound permit tcp [ip block] host 213.86.172.150 eq 80
access-list acl-outbound deny ip [ip block] any
access-list acl-outbound permit ip any any

access-group acl-outbound in interface inside

You might want to add port 443 for SSL as well or just allow everything out to es-latest.sophos.com. I don't think they can do much mischief and it saves a bit of troubleshooting if it doesn't work. You also need to be sure that you keep up with any changes in DNS for es-latest.sophos.com. They might also have round-robin DNS setup - you so might have to add a few more destination IPs.


Brent
Systems Engineer / Consultant
CCNP
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top