Anonymous Posted on Nov 09, 2009

I want to block an outside IP-address and some sites on PIX 515E

1 Answer

Anonymous

  • Contributor 34 Answers
  • Posted on Nov 16, 2009

Assuming you are running the latest version.
Short answer:
# access-list acl-outside line 1 deny ip IPYOUWANTTOBLOCK 255.255.255.255 any
# write memory
The link below contains a longer helpful explanation: http://www.velocityreviews.com/forums/t35733-how-to-block-external-ip-address-on-pix-515e.html
I hope this helps.

Testimonial: "Thanks for the solution. It's really informative"

Related Questions:

3helpful
2answers

I have two Cisco routers one is a 501Pix(located at branch Office), the other is a 515E Pix (located at main office). I've configured a vpn tunnel to the router at the main office. The router at the branch...

Hi,
  1. Please check whether tunnel Phase 1 and Phase 2 are up. If not, proceed to the next step; if yes, proceed to point 4.
  2. Please check that the peer IP is reachable.
  3. Please check the configuration and the encapsulation method used.
  4. Check whether the IP has been allowed in the match address. If yes, proceed to the next step.
  5. The branch PIX will be on the outside interface of the main PIX; the security level will be enabled, so do NAT. If yes, proceed to the next step.
  6. If unable to ping, enable inspect ICMP in the global policy to enable ping. If yes
  7. If all of the above are done, please check the routes between the two remote computers.
Please check all the above points; surely your problems will be solved.
0helpful
1answer

How to configure MAC access list at PIX 515

The PIX is a layer 3 device. I can't say that I have ever tried to filter a MAC address. I'm pretty sure you can't.
0helpful
1answer

Cisco PIX 515: workstations can't get outside, PIX can

You have to create a route statement to allow workstations to get online.

Below is the command:
route interface_name ip_address netmask gateway_ip

Example:
route outside 0.0.0.0 0.0.0.0 200.200.200.1
or
route outside 0 0 200.200.200.1

When there is already a route statement but still cannot get online, check the DNS settings.
1helpful
1answer

How to block Orkut in Cisco firewall PIX 515E

You can only block Orkut sites that you know by IP, but the PIX alone cannot do it since it requires an application like Websense to do URL filtering. If you have the IPs and need help creating the ACLs, feel free to let me know.
0helpful
1answer

User cannot log on to a web site from our network

Please check after disabling JavaScript/ActiveX filtering on your firewall only for this site.
If you could post the configuration, that would be really good.
1helpful
2answers

Pix 515 E allow few websites only.

Do an nslookup for the three websites and write an access list to permit traffic only to the IP addresses of those websites.

Eg.

1. Go to the DOS prompt

2. Type "nslookup"

3. Type "www.rediff.com"

Note: You will get the IP address of the websites

4. Create an object group for these websites

5. Add the IP addresses of the websites

6. Create an access-control list element to permit the traffic from your circle office to this object group for TCP ports 80 and 443

You are done
0helpful
1answer

Pix 515E inside to outside translation problem

Dear Kiran,

What is the name assigned for ISP 1 as well as ISP 2?

For your reference, kindly find the sample configuration:
ISP 1:
interface ethernet0 100full
nameif ethernet0 outside security0
ip address outside 203.193.129.132 255.255.255.240
nat (inside) 1 (local network)
global (outside) 1 203.193.129.133
route outside 0 0 203.193.129.129 1

regards,
mani.S

0helpful
1answer

Could you tell me any firewall software, please

Try www.opendns.org
Set up in 5 minutes; needs some knowledge of DNS.

You have to register and validate a link from the internet IP you want to filter.
This IP may be dynamically assigned.

Commercial : websense
3helpful
2answers

Restricting websites at router or firewall level

Hello,

The PIX does not allow you to block URLs unless you use it in conjunction with Websense, for example. You could, however, deny all outgoing traffic to port 80 except for the IP addresses of the websites you want to be able to access.

To do that, you would set up an access list allowing your internal network to access certain IPs on port 80 and denying all other outgoing traffic.

Let me know if you need more information on how to accomplish this.
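
The allowlist approach described above, and the nslookup / object-group / ACL steps in the earlier "allow few websites only" answer, as an added example that is not part of either original post: a short Python generator that turns resolved addresses into PIX configuration lines. The names ALLOWED-WEB and acl-inside, the inside network, the DNS server and all sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: hostname -> addresses as nslookup would return them.
# All addresses are from documentation ranges, not real sites.
RESOLVED = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "portal.example.net": ["198.51.100.25", "203.0.113.10"],  # shared IP
}


def build_allowlist(resolved, inside_net, dns_server,
                    group="ALLOWED-WEB", acl="acl-inside"):
    """Return PIX config lines that let inside_net reach only the resolved
    web servers on tcp/80 and tcp/443 (plus one DNS server) and deny the rest.
    The group and ACL names are hypothetical."""
    net = ipaddress.ip_network(inside_net)        # raises ValueError if malformed
    dns = ipaddress.ip_address(dns_server)
    src = f"{net.network_address} {net.netmask}"  # PIX ACLs use netmasks

    hosts = []                                    # unique IPs, input order kept
    for name, addrs in resolved.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)       # rejects typos such as 999.1.1.1
            if ip.version != 4:
                raise ValueError(f"{name}: {addr} is not an IPv4 address")
            if str(ip) not in hosts:
                hosts.append(str(ip))
    if not hosts:
        raise ValueError("no addresses resolved; refusing to emit a deny-all ACL")

    lines = [f"object-group network {group}"]
    lines += [f"  network-object host {ip}" for ip in hosts]
    # Without this entry the final deny also blocks name lookups.
    lines.append(f"access-list {acl} permit udp {src} host {dns} eq 53")
    for port in (80, 443):
        lines.append(
            f"access-list {acl} permit tcp {src} object-group {group} eq {port}")
    lines.append(f"access-list {acl} deny ip any any")
    lines.append(f"access-group {acl} in interface inside")
    return lines


if __name__ == "__main__":
    print("\n".join(build_allowlist(RESOLVED, "192.168.1.0/24", "192.168.1.53")))
```

Site addresses change over time, so the lookups need to be repeated and the object group compared against the new results; an address that is no longer returned should be removed from the group rather than left permitted.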
0helpful
1answer

ASA 5510 sec - bun k9

Basic Commands
pixfirewall(config)#hostname PIX
!--- Naming the PIX is optional.
PIX(config)#nameif ethernet2 fo security20
!--- Naming the interface is optional. It is recommended that you
!--- hardcode the speed/duplex.
PIX(config)#interface ethernet2 100full
!--- Bring up the interface.
PIX(config)#ip address fo 192.168.1.1 255.255.255.0
!--- Assign an IP address.

Failover Commands
PIX(config)#failover ip address fo 192.168.1.2
!--- IP address for the failover link.
PIX(config)#failover lan unit primary
!--- This unit is primary.
PIX(config)#failover lan interface fo
!--- The 'fo' interface is used for LAN failover.
PIX(config)#failover lan key cisco
!--- The pre-shared key.
PIX(config)#failover lan enable
!--- Enables failover.
PIX(config)#failover
!--- Start the failover process.

This message appears on the console:
LAN-based Failover: trying to contact peer
LAN-based Failover: Send hello msg and start failover monitoring