URL Filtering w/ PIX 506

Similar Messages

• PIX 506 - Limited Throughput ?

  Hi
  I recently found a use for an old PIX 506 that I found in our store cupboard.
  After doing a 'show ver' I noticed that although the number of internal hosts was unrestricted, the throughout is 'limited'. The outside ethernet is registering as 10/half.
  Can anyone please tell me what the limitation is ? Is it just the difference between 10 and 100 Mbps ?
  Rgrds

  Hi,
  Concerning the last post by Vibhor which appears to be incorrect as I have a PIX 506e here which is limited to 10Mb Full
  as the below show ver indicates.
  Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
  Flash E28F640J3 @ 0x300, 8MB
  BIOS Flash AM29F400B @ 0xfffd8000, 32KB
  0: ethernet0: address is 0009.7c48.c0db, irq 10
  1: ethernet1: address is 0009.7c48.c0dc, irq 11
  Licensed Features:
  Failover:           Disabled
  VPN-DES:            Enabled
  VPN-3DES:           Enabled
  Maximum Interfaces: 2
  Cut-through Proxy:  Enabled
  Guards:             Enabled
  URL-filtering:      Enabled
  Inside Hosts:       Unlimited
  Throughput:         Limited
  IKE peers:          Unlimited
  Is this a licensing limitation?
  Thanks
  DGW

• PIX515 URL filtering doen't work

  Dear collegues,
  I have one outside interface with global IP address 1.1.1.1 and two inside.
  Both inside interfaces restrict and non_restrict have private IP addresses.
  I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.
  I can access prohibited URL from restrict interface.
  Could you tell me what's wrong in my URL filtering?
  Here is my config:
  PIX Version 7.2(2)
  hostname pixfirewall
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  interface Ethernet0
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.252
  interface Ethernet1
  nameif restrict
  security-level 50
  ip address 192.168.2.1 255.255.255.128
  interface Ethernet2
  nameif non_restrict
  security-level 100
  ip address 192.168.2.129 255.255.255.192
  passwd 2KFQnbNIdI.2KYOU encrypted
  regex domainlist1 "\.facebook\.com"
  regex domainlist2 "\.twitter\.com"
  regex domainlist3 "\.youtube\.com"
  ftp mode passive
  access-list inside_mpc extended permit tcp any any eq www
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (restrict) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  class-map type regex match-any DomainBlockList
  match regex domainlist1
  match regex domainlist2
  match regex domainlist3
  class-map inspection_default
  match default-inspection-traffic
  class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
  class-map httptraffic
  match access-list inside_mpc
  policy-map type inspect http http_inspection_policy
  parameters
    protocol-violation action drop-connection log
  class BlockDomainsClass
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  policy-map inside-policy
  class httptraffic
    inspect http http_inspection_policy
  service-policy global_policy global
  service-policy inside-policy interface restrict
  end

  Hi,
  can you try inspecting http.
  Regards.
  Alain

• Web Filtering / URL Filtering

  Dear All,
  I am looking forward to buy the cisco ASA Firewall with the below mentioned part number.
  ASA5525-SSD120-K9 kindly please let me know whether it supports WEB Filtering / URL Filtering.
  or do i need to go for any other model or license.
  Awaiting your quick responses as it is very urgent.
  Responses are highly appreciated..

  That's the hardware
  You also need a software subscription for the URL/web stuff/IPS
  Near the bottom of this page:  http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-701659.html
  there is a chart with the options and part numbers.

• Websense URL Filtering is not working in transparent proxy mode

  The "sh ip wccp web-cach detail" show that the redirection to CE cluster (5 of them)is working but the url filtering doesnt work at all. The Websense server is on the same VLAN as all the 5 CE. This thing happened when we reconfigured the wccp router list in all the 5 CE point to the msfc vlan ip from the loopback ip address of the msfc. But the strange thing is the filtering work well when we manually configured the proxy server in the internet explorer point to the CE. Any advise?
  Thanks.
  William

  Problem is due to absense of Host header field . Most of the browsers will send host header field. But in HTTP/1.0 Host header is not a must , though most of the browsers send it.

• Trend Micro Interscan URL Filtering policies not working

  I have just inherited a ASA 5520 with a TrendMicro InterScan for CSC SSM (version 6.6.1125.0) with both Base and Plus licenses. We have several URL filtering policies setup with AD group checking via the Domain Controller Agents. These rules are currently in the order of most strict (only a couple of explicitly identified users and one IP address), then two different policies that block less content than the global list (each assigned to LDAP list based on AD group membership), then our global URL Filtering policy.
  The most common problem I have is when I try to open a site for one of the LDAP groups the site does not become accessible until I also add it to the HTTP Exceptions list on the Global Policy thus opening it for all users.
  Any suggestions?

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:Arial;
  mso-bidi-theme-font:minor-bidi;}
  Thanks,
  Right now I removed tick form Leisure Time. But everything is open which I blocked.
  But I wanna blocking 24hrs but During 7 to 8 I wanna leisure time.
  If I tick marked all categories for both Work and Leisure then all things blocked
  If I removed tick from Leisure column then everything open…
  Kindly View attached Screen Shot

• ProtectLink Web Protect URL Filtering not working

  Good day!
  Please help.
  We have a problem on our RV042 router.
  The Protectlink WebProtect URL filtering is not working.
  When we first activate the service (Nov. 12), it worked for a few days, then 2 days ago, our internet connection got problems. But yesterday, our ISP fix the problems on our internet connection, but the URL filtering of WebProtect is not working anymore even if it is enable, up to this time.
  What should we do about this problem?
  Thanks in advance for your kind replies!

  i have installed TMG 2010 and created url filtering rule for facebook.com but that problem
  is ever after five minutes i can see that the users can access facebook. and then i check in TMG MMC so i can see that the Category Query says me that facebook.com is unknown....but just after five minutes i can see facebook has been automatically blocked
  and i can also see in Category Query it says me facebook is in blog/wiki category...
  so why it is changing automatically every after 5 or 10 minutes :( ?
  where is the problem ???
  i need your help please !!

• ZBF URL filtering Issue

  Hello. I have the following problem. I try to implement the url filtering feature on a cisco 2811 router and whenever i enable the parameter map patterns the router retuns (after some time)
  %Unable to compile obj regex...
  My config is
  parameter-map type urlfpolicy local URLFILTER
  alert off
  block-page message "THE REQUEST WAS BLOCKED BY YOUR ROUTER FIREWALL"
  parameter-map type urlf-glob ALLOW-URL
  pattern *.cisco.com
  pattern cisco.com
  parameter-map type urlf-glob DENY-URL
  pattern *
  class-map type urlfilter match-any ALLOW-URL
  match  server-domain urlf-glob ALLOW-URL
  class-map type urlfilter match-any DENY-URL
  match  server-domain urlf-glob DENY-URL
  class-map type inspect match-all INSPECT-HTTP
  match protocol http
  policy-map type inspect urlfilter URL-FILTER
  parameter type urlfpolicy local URLFILTER
  class type urlfilter ALLOW-URL
    allow  
  class type urlfilter DENY-URL
    reset  
    log
  policy-map type inspect IN-OUT
  class type inspect VPN-TRAFFIC
    inspect
  class type inspect INSPECT-HTTP
    inspect
    service-policy urlfilter URL-FILTER
  class type inspect INTERNET-TRAFFIC
    inspect
  class class-default
    drop
  The result is that the router blocks ALL webpages without giving a block page message. Any help would be greatly appreciated.

  I have same problem. Reboot router don't help me. Firewall allow all traffic and blocked url too.

• URL filtering replacing with web usage control

  I come to know the URL filtering in ironport is replacing with the advanced web usage control. May i know from which version its introducing? Any upgradation procedure?
  What are the changes will take place after the upgradation & what kind of functionality will be available with Web Usage Control.
  Please clarify in detail.
  Thanks in advance
  Siva

  I don't remember when the web Usage controls was introduced... I'm going to guess 7.0?
  To upgrade your box to the the current version, click on System Administration>System Upgrade.  Click on the Available Upgrades and see what's available for your hardware.  If nothing is there, contact your reseller.
  Review the release notes for the version you want to upgrade to.  http://www.cisco.com/en/US/products/ps10164/prod_release_notes_list.html
  Select the version you want, check the box to save the config, you can also have it email you the config.  Make sure to uncheck the "Mask passwords..." so that if you have to reload this config on something, it works properly.
  There are a huge number of changes in how web usage control works, and the visibility it gives you into what apps users are using and how those applications work.  Far to many to go into here.  Look at this document:
  Chapter 18. http://www.cisco.com/en/US/docs/security/wsa/wsa7.5/user_guide/WSA_7.5.0_UserGuide.pdfhttp://www.cisco.com/en/US/docs/security/wsa/wsa7.1/user_guide/Cisco_IronPort_AsyncOS_7.1.0_User_Guide_for_Web_Security_Appliances.pdf

• IOS URL filtering - CPU spike

  Hi All,
  whenever I setup URL filtering in 1841 router with policy-map type http and zone-pair command, I experience 100% CPU spike. is there any workaround?
  thanks for any suggestion
  Alex

  Deep packet inspection for URL filtering is pretty much CPU intensive, I am afraid that without HW upgrade, there is nothing you can do about that.
  Do you monitor CPU utilization with correlation to traffic load on device?
  Best Regards
  Please rate all helpful posts and close solved questions

• Url filtering Route policy Firewall ?

  Hello,
  I'd like to know if it's possible to make a route policy (based on an identity matched by url white list) that redirect http trafic to a firewall (Juniper SSG550M).
  The objectif is to separate traffic depending on url request as professionnal and non professionnal traffic, but Juniper can't be used as Upstream Proxy because it can't be use as a proxy. So, is it possible to create 2 "Direct connection" routing policies and specify 2 différents gateway ?
  Or, if you have any other idea to separate traffic depending on url, I take it !
  Regards,
  Romain.

  Hi Stella
  AFAIK you can do URL filtering provided that you have a websense server installed at your site.
  do refer this link for more info on the same..
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008d1f7.html
  regds

• URL filtering on ESA

  So I've started to test the URL filtering capabilities on our C670s.  So far I have found that there are quite a few false positives or incorrectly categorized web sites.   Is there any mechanism in place to request a reclassification of a website?
  Jason

  Hi Robert,
  Cisco Ironport is not having any phishing category.
  https://securityhub.cisco.com/web/submit_urls
  Using the above link, how we can report phishing URL.
  many emails with phishing url.
  FYI
  Check the boxes and then assign a category:
  Check
  URL
  Category
  www.mirror.co.uk/news/uk-news/lottery-winner-give-away-26million-3967400
  News
  ithelpdeskservice.wix.com/service
  Computers and Internet
  mail.a4.3space.info
  Computers and Internet
  www.arabyonline.com
  News
  box1box1.wix.com
  Computers and Internet
  mypartners.netotrade.com
  Business and Industry
  --Sajid--

• Basic URL filtering

  Hi,
  I need to buy a firewall with some basic URL filtering. I only need to deny access to some URL and not using a service like Websense or something like that.
  I would like to do this with an ISR, like 2800 family, because I don't need anti-x features but only basic firewalling, VPN, and Voice features.
  The other option is to use ASA 5520, but I would like to make the simple URL filtering without the need to use CSC module.
  Is there any way to to this?
  Mario.

  There is no need to go for an ASA. A 2800 isr will do.
  Refer the following url's for more details,
  http://cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html
  http://cisco.com/en/US/products/ps6643/products_white_paper0900aecd804abb11.shtml

• PIX 506 (6.3) configuration query

  So just some background, I inherited a PIX 506 with 6.3.  I will admit my background is more towards switching/routing.  But while I know it is dinosaur, I need to maintain for partner interoperability.  I just want to confirm that what I am thinking is correct and inf not how I can correct it.
  My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed?? 
  The other thing I am not used to is that the access-list has not id/number included in the command, so I assume that access-group specifies this functionality.
  All responses are appreciated.
  Here is a snippet of the current config:
  object-group network Ext_Net
    network-object 192.168.0.0 255.255.255.255
  object-group network Int_Net
    network-object 10.0.0.0 255.255.240.0
  object-group network DNS
    network-object 192.168.0.254 255.255.255.255
    network-object 192.168.0.253 255.255.255.255
  object-group network Servers
    network-object 192.168.0.25 255.255.255.255
    network-object 192.168.0.62 255.255.255.255
    network-object 192.168.0.87 255.255.255.255
  object-group network Int_Net_ref
    network-object 192.168.0.0 255.255.255.255
  object-group service Ports tcp
    port-object range 3995 3995
    port-object range telnet telnet
    port-object range 8010 8010
    port-object range 8080 8080
    port-object eq pop3
    port-object eq imap4
    port-object eq smtp
    port-object eq 433
    port-object eq www
    port-object eq https
    port-object eq ssh
    port-object range https https
    port-object eq 9100
    port-object eq lpd
    port-object eq 584
    port-object eq 585
    port-object range 500 700 
  access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
  access-list inside_access_in permit udp object-group Int_Net object-group DNS
  access-list inside_access_in permit tcp object-group Int_Net object-group Servers
  access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
  access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
  access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
  pdm location 192.168.0.254 255.255.255.255 outside
  pdm location 192.168.0.253 255.255.255.255 outside
  pdm location
  pdm group Ext_Net 255.255.255.255 outside
  pdm group Int_Net 255.255.255.255 inside
  nat (inside) 2 Int_Net 255.255.240.0 0 0
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

  Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed.  Not the best thing to do. 
  The access-group command applies the ACL to the interface in either the in or out direction.  These two commands in your config apply the ACL's to the ingress direction on the PIX:
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  So traffic coming ingress to the outside interface will have the outside_access_in applied to it.

• URL filtering ACE after description of SSL traffic

  We currently have a Cisco CSS11501 which we have configured with SSL offloading.
  We offload the SSL traffic and after description of the ssl traffic we perform URL filtering.
  Can the Ace 4710 Appliance do the same?
  I have attached the current configuration of the css.
  Regards,
  Richard

  With the below config
  Traffic matching 10.10.10.10:443 will be SSL offloaded and then
  will be loadbalanced using rservers in Serverfarm "APP1-SFARM" if
  the request includes "/matchthis".
  ssl-proxy service APP1-SSL-PROXY
  key default-key.pem
  cert default-cert.pem
  class-map match-all APP1-443-VIP
  2 match virtual-address 10.10.10.10 tcp eq https
  class-map type http loadbalance match-any APP1-URLMAP
  2 match http url /matchthis.*
  policy-map type loadbalance first-match APP1-Policy
  class APP1-URLMAP
  serverfarm APP1-SFARM
  policy-map multi-match VIPS-VLAN79
  class APP1-443-VIP
  loadbalance vip inservice
  loadbalance vip icmp-reply active
  loadbalance policy APP1-Policy
  ssl-proxy server APP1-SSL-PROXY
  HTH
  Syed iftekhar Ahmed