Re: Restricting Certain Users - Pix 515 UR [7:58861]
To all,

WebSense, and N2H2 (in 6.2), are good solutions if you want to filter web CONTENT--if you have a static list of sites, then using an ACL will do the job. Another solution, especially if you have roaming users and their IPs are assigned via DHCP, is to use Cut-Through proxy--with this solution, the user must authenticate BEFORE you allow the connection going out. This gives you per-group control on who accesses what. This can be used for traffic in BOTH directions on the PIX.

Cheers!
--
Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram
Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco exams on the market.

Brad wrote in message news:[EMAIL PROTECTED]...

Kevin,

Hi! I would say the best way to do something like this would probably be using Websense (or similar software) in conjunction with your Pix. I've set up Websense before, and it's pretty easy.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59076t=58861
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Restricting Certain Users - Pix 515 UR [7:58861]
Maybe a dumb question - but is there a certain software version for that command (object group) - haven't seen it before

-----Original Message-----
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]]
Sent: 10 December 2002 22:15
To: [EMAIL PROTECTED]
Subject: Re: Restricting Certain Users - Pix 515 UR [7:58861]

Sounds good.. But Websense is very expensive.. Won't lists do the job as well: e.g.

object-group network REST-LAN-USR
  network-object 10.1.x.x 255.255.255.0
object-group network Rest-SRV
  network-object host 64.232.56.99
  network-object host 209.123.45.67
access-list RESTRICTED permit tcp object-group REST-LAN-USR object-group Rest-SRV eq www

And just put those users in that subnet?

Thanks Brad

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58970t=58861
RE: Restricting Certain Users - Pix 515 UR [7:58861]
Yeah, it starts at version 6.2. It's great, drastically reduces your config lines..

From: Andrew Larkins
Reply-To: Andrew Larkins
To: [EMAIL PROTECTED]
Subject: RE: Restricting Certain Users - Pix 515 UR [7:58861]
Date: Wed, 11 Dec 2002 16:32:13 GMT

Maybe a dumb question - but is there a certain software version for that command (object group) - haven't seen it before

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58992t=58861
Re: Restricting Certain Users - Pix 515 UR [7:58861]
Kevin,

Hi! I would say the best way to do something like this would probably be using Websense (or similar software) in conjunction with your Pix. I've set up Websense before, and it's pretty easy.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)

Kevin O'Gilvie wrote in message news:[EMAIL PROTECTED]...

Hi All,

I would like to create a group let's say x,x,x,x-x.x.x.x and restrict them to only certain websites, I am guessing I will have to use IP addresses of those sites, but still allow them to access the local network.. What's the best way to go about this. I have been using groups in my configs thus far..

BTW- I love you guys in this group, it has to be the best news group around right now, let's keep the standards high and weed out the slackers that are trying to water down the CCIE's. We are doing more work for less money and the main reason why is because we are settling, we work damn hard and invest time and money to achieve these goals, and should be awarded as such. I don't see doctors building practice labs in their homes to cure patients, nor lawyers building practice courtrooms.. Sorry for the ranting but every year it seems you have to have more and more letters after your name to earn a decent living in this technology arena, when we are the ones that are enabling these million and billion dollar companies to do business seamlessly anytime and anywhere..

-Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58865t=58861
RE: Restricting Certain Users - Pix 515 UR [7:58861]
You could also use a TACACS+ server here and have authentication configured for those users for any HTTP request - all others should be allowed to access the web without authentication. This way you can track them etc and set up specific access on the TACACS+ server.

Never used Websense so I have no idea - sounds good from what I have read though.

Andrew

-----Original Message-----
From: Brad [mailto:[EMAIL PROTECTED]]
Sent: 10 December 2002 17:43
To: [EMAIL PROTECTED]
Subject: Re: Restricting Certain Users - Pix 515 UR [7:58861]

Kevin,

Hi! I would say the best way to do something like this would probably be using Websense (or similar software) in conjunction with your Pix. I've set up Websense before, and it's pretty easy.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58895t=58861
Re: Restricting Certain Users - Pix 515 UR [7:58861]
Sounds good.. But Websense is very expensive.. Won't lists do the job as well: e.g.

object-group network REST-LAN-USR
  network-object 10.1.x.x 255.255.255.0
object-group network Rest-SRV
  network-object host 64.232.56.99
  network-object host 209.123.45.67
access-list RESTRICTED permit tcp object-group REST-LAN-USR object-group Rest-SRV eq www

And just put those users in that subnet?

Thanks Brad

From: Brad
Reply-To: Brad
To: [EMAIL PROTECTED]
Subject: Re: Restricting Certain Users - Pix 515 UR [7:58861]
Date: Tue, 10 Dec 2002 15:42:54 GMT

Kevin,

Hi! I would say the best way to do something like this would probably be using Websense (or similar software) in conjunction with your Pix. I've set up Websense before, and it's pretty easy.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58918t=58861
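Added example, not part of the thread: a simplified Python model of first-match ACL evaluation with the implicit deny at the end, run over the access-list Kevin posted and over an assumed completion with two extra entries. It shows what the one-line list does to hosts outside REST-LAN-USR once it is bound to an interface. 10.1.5.0/24 is a constructed stand-in for 10.1.x.x, and `parse` and `evaluate` are illustrative helper names.

```python
import ipaddress

# Kevin's object groups; 10.1.5.0/24 is a constructed stand-in for "10.1.x.x".
GROUPS = {
    "REST-LAN-USR": ["10.1.5.0/24"],
    "Rest-SRV": ["64.232.56.99/32", "209.123.45.67/32"],
}
PORTS = {"www": 80}

# The access-list exactly as posted in the thread (a single entry).
ACL_AS_POSTED = [
    "access-list RESTRICTED permit tcp object-group REST-LAN-USR object-group Rest-SRV eq www",
]
# Assumed completion (not from the thread): block the group's other traffic,
# then let every other host out.
ACL_COMPLETED = ACL_AS_POSTED + [
    "access-list RESTRICTED deny ip object-group REST-LAN-USR any",
    "access-list RESTRICTED permit ip any any",
]

def _take_addr(tokens):
    """Consume 'any' or 'object-group NAME' and return the networks it covers."""
    word = tokens.pop(0)
    if word == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if word == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[tokens.pop(0)]]
    raise ValueError(f"unsupported address token: {word}")

def parse(line):
    tokens = line.split()[2:]                    # drop 'access-list <name>'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = PORTS[tokens[1]] if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, src, dst, proto="tcp", port=80):
    """First matching entry wins; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, a_proto, a_src, a_dst, a_port = parse(line)
        if a_proto not in ("ip", proto):
            continue
        if a_port is not None and a_port != port:
            continue
        if any(s in n for n in a_src) and any(d in n for n in a_dst):
            return action
    return "deny (implicit)"

if __name__ == "__main__":
    flows = [("10.1.5.20", "64.232.56.99"), ("10.1.5.20", "198.51.100.7"),
             ("10.1.9.30", "198.51.100.7")]      # constructed sample flows
    for name, acl in (("as posted", ACL_AS_POSTED), ("completed", ACL_COMPLETED)):
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}:80 {evaluate(acl, src, dst)}")
```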
RE: Restricting Certain Users - Pix 515 UR [7:58861]
Amen Brotha! Keep it real, as some have said in the past :)

-Mark
A+, CCNP, MCSE, pursuing CCSP(Cisco), AVVID, CCSE(CPFW), and eventually CCIE.

-----Original Message-----
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 8:26 PM
To: [EMAIL PROTECTED]
Subject: Restricting Certain Users - Pix 515 UR [7:58861]

Hi All,

I would like to create a group let's say x,x,x,x-x.x.x.x and restrict them to only certain websites, I am guessing I will have to use IP addresses of those sites, but still allow them to access the local network.. What's the best way to go about this. I have been using groups in my configs thus far..

BTW- I love you guys in this group, it has to be the best news group around right now, let's keep the standards high and weed out the slackers that are trying to water down the CCIE's. We are doing more work for less money and the main reason why is because we are settling, we work damn hard and invest time and money to achieve these goals, and should be awarded as such. I don't see doctors building practice labs in their homes to cure patients, nor lawyers building practice courtrooms.. Sorry for the ranting but every year it seems you have to have more and more letters after your name to earn a decent living in this technology arena, when we are the ones that are enabling these million and billion dollar companies to do business seamlessly anytime and anywhere..

-Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58866t=58861