PIX 501 to Block Websites

Discussion in 'Cisco' started by sclouie27, Jun 16, 2007.

  1. sclouie27

    sclouie27 Guest

    Hi,
    New here, so please be kind if I am not doing this right the first time.
    We have a Pix501 and I need to figure out (if it is even possible) how to set up
    the PIX to block certain websites. If so, how is that done?
    The PIX firewall version 6.1(2)
    The PIX device manager version 1.1(2)

    Thanks,
    Steve
     
    sclouie27, Jun 16, 2007
    #1

  2. In article <73c2c942dd3a2@uwe>, sclouie27 <u35104@uwe> wrote:
    >New here, so please be kind if I am not doing this right the first time.
    >We have a Pix501 and I need to figure out (if it is even possible) how to set up
    >the PIX to block certain websites. If so, how is that done?
    >The PIX firewall version 6.1(2)
    >The PIX device manager version 1.1(2)


    With that software version, the only way to do it would be to
    add an (expensive) Websense server. Somewhere around 6.3 they
    added the ability to use N2H2 servers as an alternate -- still
    commercial, though.

    This is presuming that you wish to block by site -name-, not
    by IP address. You can block by IP address without difficulty,
    but it does require that you keep up with IP changes to do much good.

    A generally more productive way to filter by site -name- is
    to install an internal squid server, and block outgoing web
    access except from the squid server, and then set everyone up
    to use the squid server as their proxy. A couple of people recently
    mentioned SafeSquid as being suitable for this purpose; I've
    never looked at that myself.



    If you are the original owners of that 501, you should get it
    upgraded to the last 6.1(*) version to fix a bunch of security
    problems. The upgrade would be free. You were supposed to ask for
    the upgrade from your VAR; if your VAR isn't still around or
    is one of those no-frill VARs, you would ask for the upgrade from
    Cisco. You would search Cisco's web site for PIX Security Advisories,
    look through the older ones, find one that authorized the upgrade,
    and call up Cisco and cite the document ID, and Cisco would make the
    upgrade available even if you had no support contract at all. But
    I don't know if Cisco still has copies of 6.1(*) available for download;
    you might be too late to get your upgrade from Cisco. [But if you
    are the original owner and you -somehow- managed to get a hold of
    the 6.1(*) upgrade then there wouldn't be any problem: you would
    be entitled to it in that case, even if it didn't arrive straight
    from Cisco.]

    If you aren't the original owners of that 501... Sorry, no security
    upgrade entitlement in that case.

    Note: the security upgrade won't improve your ability to filter
    web sites.
     
    Walter Roberson, Jun 16, 2007
    #2
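
The squid approach described in post #2, sketched as a configuration (an added example, not part of the original post and not Walter Roberson's own config). The inside network 192.168.1.0/24, the proxy address 192.168.1.10, the ACL name inside_out and the blocked domains are all assumptions; check the PIX lines against the command reference for your software version.

```conf
# squid.conf fragment (added example; every address and domain is an assumption)

# Clients are set up to use this port as their proxy.
http_port 3128

# Inside network behind the PIX (assumed 192.168.1.0/24).
acl localnet src 192.168.1.0/24

# Sites to block, matched by -name- rather than by IP address.
# A leading dot matches the domain itself and every subdomain.
# dstdomain is also checked against the host named in a CONNECT
# request, so HTTPS sites are blocked by name as well.
acl blocked_sites dstdomain .example.com .example.net

# Rules are evaluated top to bottom and the first match wins,
# so the deny for blocked sites must come before the allow.
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# ---------------------------------------------------------------
# Matching PIX rules, shown as comments because they belong on the
# firewall, not in squid.conf. They permit outbound web traffic only
# from the proxy (assumed to be 192.168.1.10), so a client that
# removes its proxy setting cannot reach the web directly.
#
#   access-list inside_out permit tcp host 192.168.1.10 any eq www
#   access-list inside_out permit tcp host 192.168.1.10 any eq 443
#   access-list inside_out deny tcp any any eq www
#   access-list inside_out deny tcp any any eq 443
#   access-list inside_out permit ip any any
#   access-group inside_out in interface inside
# ---------------------------------------------------------------
```

The final `permit ip any any` keeps non-web traffic (DNS, mail and so on) working as before; tighten it if the site's policy calls for that.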

  3. sclouie27

    Guest

    (Walter Roberson) wrote in message-id: <5RJci.30122$NV3.26445@pd7urf2no>

    >
    >In article <73c2c942dd3a2@uwe>, sclouie27 <u35104@uwe> wrote:
    >>New here, so please be kind if I am not doing this right the first time.
    >>We have a Pix501 and I need to figure out (if it is even possible) how to set up
    >>the PIX to block certain websites. If so, how is that done?
    >>The PIX firewall version 6.1(2)
    >>The PIX device manager version 1.1(2)

    >
    >With that software version, the only way to do it would be to
    >add an (expensive) Websense server. Somewhere around 6.3 they
    >added the ability to use N2H2 servers as an alternate -- still
    >commercial, though.
    >
    >This is presuming that you wish to block by site -name-, not
    >by IP address. You can block by IP address without difficulty,
    >but it does require that you keep up with IP changes to do much good.
    >
    >A generally more productive way to filter by site -name- is
    >to install an internal squid server, and block outgoing web
    >access except from the squid server, and then set everyone up
    >to use the squid server as their proxy. A couple of people recently
    >mentioned SafeSquid as being suitable for this purpose; I've
    >never looked at that myself.
    >
    >
    >
    >If you are the original owners of that 501, you should get it
    >upgraded to the last 6.1(*) version to fix a bunch of security
    >problems. The upgrade would be free. You were supposed to ask for
    >the upgrade from your VAR; if your VAR isn't still around or
    >is one of those no-frill VARs, you would ask for the upgrade from
    >Cisco. You would search Cisco's web site for PIX Security Advisories,
    >look through the older ones, find one that authorized the upgrade,
    >and call up Cisco and cite the document ID, and Cisco would make the
    >upgrade available even if you had no support contract at all. But
    >I don't know if Cisco still has copies of 6.1(*) available for download;
    >you might be too late to get your upgrade from Cisco. [But if you
    >are the original owner and you -somehow- managed to get a hold of
    >the 6.1(*) upgrade then there wouldn't be any problem: you would
    >be entitled to it in that case, even if it didn't arrive straight
    >from Cisco.]
    >
    >If you aren't the original owners of that 501... Sorry, no security
    >upgrade entitlement in that case.
    >
    >Note: the security upgrade won't improve your ability to filter
    >web sites.


    Or you can make a static entry for that website on your internal DNS.
     
    , Jun 16, 2007
    #3