Limiting one host to one website

[br0ck]

i need to limit the citrix server to one web site fedex.com can this be done easly ??

 

[tbissett]

Which direction?

Do you need to limit the traffic going outbound, or do you need to only allow fedex.com to access one host inbound?

 

[br0ck]

I have citrix server that 2 users have IE published to them
the boss only wants them to access fedex.com to manage shipments

thats what i have to accomplish

i would assume that it would be outbound?

thanks

 

[dopehead]

Just put an access-list on the inside leg of the pix with something like :

access-list xxx permit tcp host <citrix server> host 199.81.196.121 eq 80
access-list xxx deny tcp host <citrix server> any eq 80
access-list xxx permit ip any any

access-group xxx in interface inside

This will enable the citrix server to browse

http://www.fedex.com

and no other site, while maintaining ip access to the rest of the services on the internet.

If you don't wan't the citrix server to access anything on the net other than

http://www.fedex.com

on port 80 you could put in
access-list xxx deny ip host <citrix> any
after the first permit statement
Just remember that if fedex.com changes their ip, you have some managment work. Maybe URL filtering via websense or some other n2h2 server would be advisable.

Jan

 

[tbissett]

One other note: Doing a nslookup on &quot;

http://www.fedex.com&quot;

resolves to eight IPs. You may want to put them all in the access-list.

 

[br0ck]

would need 8 access lists or can i specify all ip's in one access list (i have never seen it done thats why i ask)

if so could you give me an example?

tia

b-

 

[dopehead]

Well, if you mean do you have to create 8 lines in the same acl then yes. You can't have more than one acl on each interface, so creating 8 acl's that wouldn't be of any use.

Jan