PIX 501 to Block Websites

Discussion in 'Cisco' started by sclouie27, Jun 16, 2007.

  1. sclouie27

    sclouie27 Guest

    New here, so please be kind if I am not doing this right the first time.
    We have a PIX 501 and I need to figure out (if it is even possible) how to set up
    the PIX to block certain websites. If so, how is that done?
    The PIX firewall version 6.1(2)
    The PIX device manager version 1.1(2)

    sclouie27, Jun 16, 2007

  2. With that software version, the only way to do it would be to
    add an (expensive) Websense server. Somewhere around 6.3 they
    added the ability to use N2H2 servers as an alternate -- still
    commercial, though.

    This is presuming that you wish to block by site -name-, not
    by IP address. You can block by IP address without difficulty,
    but it does require that you keep up with IP changes to do much good.

    A generally more productive way to filter by site -name- is
    to install an internal squid server, and block outgoing web
    access except from the squid server, and then set everyone up
    to use the squid server as their proxy. A couple of people recently
    mentioned SafeSquid as being suitable for this purpose; I've
    never looked at that myself.

    If you are the original owners of that 501, you should get it
    upgraded to the last 6.1(*) version to fix a bunch of security
    problems. The upgrade would be free. You were supposed to ask for
    the upgrade from your VAR; if your VAR isn't still around or
    is one of those no-frill VARs, you would ask for the upgrade from
    Cisco. You would search Cisco's web site for PIX Security Advisories,
    look through the older ones, find one that authorized the upgrade,
    and call up Cisco and cite the document ID, and Cisco would make the
    upgrade available even if you had no support contract at all. But
    I don't know if Cisco still has copies of 6.1(*) available for download;
    you might be too late to get your upgrade from Cisco. [But if you
    are the original owner and you -somehow- managed to get a hold of
    the 6.1(*) upgrade then there wouldn't be any problem: you would
    be entitled to it in that case, even if it didn't arrive straight
    from Cisco.]

    If you aren't the original owners of that 501... Sorry, no security
    upgrade entitlement in that case.

    Note: the security upgrade won't improve your ability to filter
    web sites.
    Walter Roberson, Jun 16, 2007
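
The proxy side of the Squid setup described in the reply above, as an added example that is not part of the original thread. The inside subnet 192.168.1.0/24, the listening port 3128 and the blocked domain names are constructed placeholders.

```conf
# squid.conf fragment (added example; addresses and domain names are constructed)
http_port 3128

# Clients allowed to use the proxy: the inside network behind the PIX (assumed range).
acl localnet src 192.168.1.0/24

# Sites to block by name. A leading dot matches the domain and all of its subdomains,
# so the rule keeps working when the site's IP addresses change.
acl blocked_sites dstdomain .blocked-example.com .another-blocked.example

# Restrict the proxy to web ports and keep CONNECT tunnels on 443 only.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Rules are evaluated top to bottom; the first match decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# dstdomain also matches the host named in a CONNECT request,
# so HTTPS to a listed site is refused by name as well.
http_access deny blocked_sites
http_access allow localnet
http_access deny all
```

The name-based block only holds if the firewall permits outbound web traffic from the Squid host alone, as the reply describes; clients that can still reach the internet directly bypass the proxy.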

  3. sclouie27

    QoS Guest

    Or you can make a static entry for that website on your internal DNS.
    QoS, Jun 16, 2007