Cisco – My facebook blocking ACL has stopped working

Tags: access-control-list, cisco, router

This is probably very simple. This was set up before I arrived, and has been working to block Facebook. I recently eliminated some static port forwarding on this 2691 (as in, I don't think anything else has changed), and now Facebook is once again accessible.

Why is this list not doing what it seems like it should be doing (and was doing)? Would an extended outbound ACL be more appropriate (I think that would have been my thought if I had been tasked with creating this in the first place)? Something different?

I've included below what I believe are the relevant parts of the config.

interface FastEthernet0/0
 ip address my.pub.ip.add my.ip.add.msk
 ip access-group 1 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

access-list 1 deny   69.171.224.0 0.0.31.255
access-list 1 deny   74.119.76.0 0.0.3.255
access-list 1 deny   204.15.20.0 0.0.3.255
access-list 1 deny   66.220.144.0 0.0.15.255
access-list 1 deny   69.63.176.0 0.0.15.255
access-list 1 permit any

ip nat inside source list 105 interface FastEthernet0/0 overload
access-list 105 deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

EDIT

ACL is once again blocking Facebook. Here is the new definition for those interested…

access-list 1 deny   66.220.144.0 0.0.7.255
access-list 1 deny   66.220.152.0 0.0.7.255
access-list 1 deny   69.63.176.0 0.0.7.255
access-list 1 deny   69.63.176.0 0.0.0.255
access-list 1 deny   69.63.184.0 0.0.7.255
access-list 1 deny   69.171.224.0 0.0.15.255
access-list 1 deny   69.171.239.0 0.0.0.255
access-list 1 deny   69.171.240.0 0.0.15.255
access-list 1 deny   69.171.255.0 0.0.0.255
access-list 1 deny   74.119.76.0 0.0.3.255
access-list 1 deny   173.252.64.0 0.0.31.255
access-list 1 deny   173.252.70.0 0.0.0.255
access-list 1 deny   173.252.96.0 0.0.31.255
access-list 1 deny   204.15.20.0 0.0.3.255
access-list 1 permit any

Best Answer

Facebook is operating their own network, hence announcing their address ranges to other networks (i.e. the internet) with BGP.

Using a public BGP looking glass or a direct BGP feed to your router, it's possible to know what those ranges are by looking at the routes that have AS32934 (Facebook's Autonomous System number) in the path.

While this can be very convenient (null-routing all AS32934 prefixes), not everyone has BGP knowledge, and one can just look at the prefixes announced by Facebook on Hurricane Electric's website. However, this list should be manually updated as Facebook can add new prefixes.

Using this list, it's really easy to block Facebook using a simple access-list on the router.

As Facebook is now using IPv6 as well, you should also add an IPv6 access-list on the FastEthernet0/0 interface with the few networks announced, if your network is IPv6-enabled.

Beware though, if Facebook uses a CDN like Akamai, the addresses of the servers (reverse proxies/caches) might be in the CDN's ip address ranges, not in Facebook's.
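The answer's workflow (take the prefixes announced by the AS, turn each one into a standard ACL deny with a Cisco wildcard mask, and re-check the list whenever the AS adds space) as an added Python example that is not part of the answer above. The prefix lists are constructed from the ACLs in the question, not a current AS32934 announcement; `OLD_ACL`, `ANNOUNCED` and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample data, not a live AS32934 prefix list.
# OLD_ACL mirrors the question's original access-list 1; ANNOUNCED adds a
# prefix (173.252.64.0/19, from the question's updated ACL) that the old
# list does not cover, reproducing the "stopped working" situation.
OLD_ACL = ["69.171.224.0/19", "74.119.76.0/22", "204.15.20.0/22",
           "66.220.144.0/20", "69.63.176.0/20"]
ANNOUNCED = OLD_ACL + ["173.252.64.0/19"]


def to_acl_lines(prefixes, acl_number=1):
    """Render a numbered standard ACL: one deny per prefix, then permit any.
    The Cisco wildcard mask is the bitwise inverse of the subnet mask, which
    ipaddress exposes as the hostmask."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"access-list {acl_number} deny   "
                     f"{net.network_address} {net.hostmask}")
    lines.append(f"access-list {acl_number} permit any")
    return lines


def acl_action(prefixes, address):
    """First-match evaluation, as IOS does it: ('deny', prefix) on the first
    matching entry, otherwise ('permit', None) from the trailing permit any."""
    addr = ipaddress.ip_address(address)
    for p in prefixes:
        if addr in ipaddress.ip_network(p):
            return ("deny", p)
    return ("permit", None)


def uncovered(acl_prefixes, announced):
    """Announced prefixes not wholly inside any ACL deny entry: the gaps that
    let traffic through once the AS starts announcing new address space."""
    acl_nets = [ipaddress.ip_network(p) for p in acl_prefixes]
    gaps = []
    for p in announced:
        net = ipaddress.ip_network(p)
        if not any(net.subnet_of(a) for a in acl_nets):
            gaps.append(p)
    return gaps


if __name__ == "__main__":
    print("\n".join(to_acl_lines(ANNOUNCED)))
    print(acl_action(OLD_ACL, "173.252.70.1"))   # permitted by the old ACL
    print(uncovered(OLD_ACL, ANNOUNCED))          # the prefix the old ACL misses
```

Running `uncovered()` against a freshly fetched prefix list is the periodic check the answer's "must be manually updated" caveat calls for.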