
How to Filter HTTPS on PIX


lance43 (MIS), Feb 19, 2003, US
We use Websense as a URL filter server, but it only filters port 80 and prompts users with ID and password. Recently I have found out that some users are using HTTPS to go to some sites such as and surf the web that way. I have tried to filter HTTPS on the PIX using the following command:

filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

but it is not working. Any suggestions?
 
access-list letmein permit tcp <open port 1>
access-list letmein permit tcp <open port 2>
access-list letmein permit tcp <open port 3>
access-list letmein permit tcp <open port 4>
access-list letmein deny tcp any any eq 443
access-group letmein in interface outside

or

access-list letmein permit tcp <open port 1>
access-list letmein permit tcp <open port 2>
access-list letmein permit tcp <open port 3>
access-list letmein permit tcp <open port 4>
access-list letmein deny tcp host <megaproxy's ip address or range> any eq 443
access-group letmein in interface outside

hope this helps,
-gbiello
 
hi

i really never tried this site " " but if you see your users from the inside interface using https to go out, you can filter it by:

access-list inside_access_in deny tcp any any eq 443
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside

(if you already have an access-list on the inside interface, just add the first row; if not, you must use all of them, because there is an "invisible deny all" at the end of the ACL, so once you have no permit statement all traffic is denied)
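To make the ordering point concrete, here is an added example (not from the thread) that models PIX first-match ACL evaluation with the implicit deny at the end, using the inside_access_in list above, a deny-only list, a reversed list, and a destination-range variant with a constructed TEST-NET-3 address standing in for the proxy site:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-list entry, modelled on the PIX lines in the thread (protocol omitted: all TCP)."""
    action: str               # "permit" or "deny"
    src: str                  # "any" or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None  # None matches any destination port (no "eq")

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self._in(self.src, src_ip) and self._in(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))

    @staticmethod
    def _in(spec: str, ip: str) -> bool:
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(acl: list, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching entry wins; falling off the end is the 'invisible deny all'."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip, dport):
            return ace.action
    return "deny"


# The list from the reply above: deny outbound HTTPS first, then permit the rest.
INSIDE_ACCESS_IN = [Ace("deny", "any", "any", 443), Ace("permit", "any", "any")]

# Only the deny line added to an interface with no other ACL: everything is dropped.
DENY_ONLY = [Ace("deny", "any", "any", 443)]

# Same two lines in the wrong order: the permit shadows the deny and HTTPS gets through.
REVERSED = [Ace("permit", "any", "any"), Ace("deny", "any", "any", 443)]

# Narrower variant: block HTTPS only to one site's range (203.0.113.0/24 is a constructed value).
SITE_ONLY = [Ace("deny", "any", "203.0.113.0/24", 443), Ace("permit", "any", "any")]

if __name__ == "__main__":
    for name, acl in [("inside_access_in", INSIDE_ACCESS_IN), ("deny-only", DENY_ONLY),
                      ("reversed", REVERSED), ("site-only", SITE_ONLY)]:
        print(name, "https->site:", evaluate(acl, "10.1.1.5", "203.0.113.9", 443),
              "http->other:", evaluate(acl, "10.1.1.5", "198.51.100.7", 80))
```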
 
If that is the only site that you really want to block currently, you can use ACLs to block people from going to that specific site. That way, in case there is any legitimate reason some people (CFO, CIO, etc.) go to secure sites, you won't end up with your butt in a sling explaining why they can't get to their stock sites anymore. Just add an ACL to block users from going to that IP or range of IPs, whatever the case may be. Just a thought.
 
I am using Websense too with my PIX, and the filter url 443 command as you used does work for me.

Try removing the url-server command and the url-cache command and re-adding them. I noticed when I was implementing it that the cache would stay valid after making changes, so my changes weren't working.

I would definitely try to get Websense working, since it would be a management nightmare to track down all the websites' IPs and determine whether or not to block those sites.

-Bad Dos
 