How can I block a website using our PIX515? 1

[skhoury]

Hello all,

I have an IP of a website that upper management would like us to stop our users from surfing to.

How can I implement this block using our PIX 515 (running 7.0)?

Do I need to build an access-list and attack it to the inside interface rather than the outside interface?

Any help with this is greatly appreciated.

Thanks!

Sam

 

[Supergrrover]

You can do either
If you have an outside ACL, just add this line to the top somewhere
access-list Outside-in-ACL deny ip host [offending IP] host [ExternalIP]

Or on the inside interface
access-list Inside-out-ACL deny ip any host [offending IP]
access-list Inside-out-ACL permit ip any any

access-group Inside-out-ACL in interface inside

You can expand the inside ACL to permit any traffic that you explicitly want to allow out (I recommend this) rather than allowing everything out.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[skhoury]

hmm, ok so does this ACL look correct with respect to the outside acl? :

access-list from_outside_coming_in deny ip host 192.168.1.0 255.255.255.0 host 123.456.789.910

Thanks for the help,

Sam

 

[Supergrrover]

If 192.168.1.0 is the IP you want blocked and 123.456.789.910 is your external PIX ip, then yes except you don't need a mask if you put the "host" keyword.

access-list from_outside_coming_in deny ip host 192.168.1.0 host 123.456.789.910

Make sure the this is need the top. The process order is top down, and if it finds a match in the ACL it looks no further.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[skhoury]

Ok - so what I did instead was create an ACL for the inside interface - I liked that method more as it seemes to enable us more flexiblity and separation from the outside lists....and it worked!

Thanks for the great tip!

Sam