Techrunner
asked on
Allow only certain websites from Cisco Router
Hello EE,
Please help me to configure the router. I have subnet 10.1.1.0/24 pointing to the router as its gateway to the internet. I want to allow only specific websites through the router and deny all other traffic. I have a Cisco 2921.
I would highly appreciate any suggestion.
Thanks
ASKER
Hi,
Thanks for your response.
This is what I have done and it's working:
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.8.1
Note: Those are fictitious IP addresses
ip nat inside source list 100 interface gi0/0 overload
ip route 0.0.0.0 0.0.0.0 gi0/0
The syntax of the ACL does not look right. Since your destination is a single IP as opposed to a subnet, you need the "host" keyword to indicate that you are referring to a single IP address, e.g.
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.8.1
!
If you are 100% certain that the destination IP addresses are for websites only, then you can also configure your ACL to be specific to web traffic using the 3 ports I used above, e.g.
!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq 443
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq ftp
!
You will need to repeat this for each web site.
Now that I see you using NAT, I suspect there will be other problems. But before I talk about those, can you tell me if there is a firewall device on the customer side.
ASKER
Thanks.
At my side, I don't have a firewall. What could the NAT problems be?
What issues could be caused by my ACL syntax? Actually I don't have a requirement to open specific ports. I can just allow IP.
Since you don't have a firewall, you MAY need a security model on the router that consists of:
(1) Embedded Cisco IOS firewall, i.e. "IP inspect" - goes on the LAN port inbound
(2) Infrastructure ACL like ACL 110 as indicated above - this sits on the WAN port inbound
(3) LAN side ACL - this sits on the LAN port inbound.
The idea is that, all networks from the customer LAN that hit the gateway router, must be vetted. The "IP inspect" firewall rule is that, if traffic is permitted from those networks coming from the customer LAN, return traffic must also be allowed to reach them from the Internet.
The Cisco IOS embedded firewall "IP inspect" will provide a stateful inspection of the traffic through the customer LAN port. The Cisco stateful embedded IOS firewall configuration looks like this:
!
ip inspect name MyFirewall ftp timeout 3600
ip inspect name MyFirewall rcmd timeout 3600
ip inspect name MyFirewall tftp timeout 3600
ip inspect name MyFirewall udp timeout 600
ip inspect name MyFirewall tcp timeout 300
ip inspect name MyFirewall http java-list 11 timeout 3600
!
access-list 11 permit any
!
The LAN ACL will look like this:
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 deny ip any any
!
The WAN ACL 110:
!
access-list 110 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.2.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.3.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.4.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.5.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.6.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.7.1 10.1.1.0 0.0.0.255
access-list 110 permit ip host 1.1.8.1 10.1.1.0 0.0.0.255
access-list 110 deny ip any any
!
NAT config
!
!
ip nat translation udp-timeout 600
!
access-list 5 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 5 interface <WAN-interface> overload
!
Putting everything together:
LAN port:
!
interface <LAN-port>
 description Customer Lan
 ip address x.x.x.x 255.255.255.0
 ip access-group 120 in
 ip inspect MyFirewall in
 ip nat inside
!
WAN port:
!
interface <WAN-port>
 ip address x.x.x.x x.x.x.x
 ip access-group 110 in
 ip nat outside
!
The directions of your access lists and firewall, depend on what you are trying to achieve. The reference material below, cover some scenarios that you may want to take a look at.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
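The two expert posts above make two points that are easy to get wrong when typing ACLs by hand: the "host" keyword and "eq" port entries narrow a permit to one address and one service, with the first matching line deciding and an implicit deny at the end; and with "ip inspect" on the LAN port, replies to a permitted outbound flow are admitted from the WAN without a static permit. The following Python model is an added illustration for both posts, not part of the thread and not Cisco code. It assumes the thread's fictitious 1.1.1.1 web host, a WAN ACL that contains only the implicit deny, and no NAT.

```python
# Added model of the ACL points above ('host' vs. wildcard, 'eq' port matching,
# first match, implicit deny) and of the 'ip inspect' behaviour where replies
# to permitted outbound flows are admitted. Illustrative Python, not IOS code.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[0], tokens[1]
    # An IOS wildcard is an inverted netmask (0.0.0.255 -> 255.255.255.0);
    # non-contiguous wildcards are legal IOS but rejected by ip_network.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq PORT' (name or number); return (port, rest)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines
    in order; '!' separators and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def acl_permits(rules, pkt):
    """The first matching entry decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport in rules:
        if proto not in ("ip", pkt.proto) or s not in src or d not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False

class Router:
    """LAN-inbound ACL plus 'ip inspect' on the LAN port, WAN-inbound ACL.
    Inspection records each permitted outbound flow so its replies are
    admitted from the WAN even though the WAN ACL alone would drop them."""

    def __init__(self, lan_acl, wan_acl):
        self.lan_acl, self.wan_acl, self.sessions = lan_acl, wan_acl, set()

    def from_lan(self, pkt):
        if not acl_permits(self.lan_acl, pkt):
            return False
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def from_wan(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions or acl_permits(self.wan_acl, pkt)

# Constructed sample policy around the thread's fictitious 1.1.1.1 web host.
LAN_ACL = parse_acl("""
access-list 120 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq www
access-list 120 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq 443
access-list 120 deny ip any any
""")
# Only the implicit deny on the WAN side: inspection handles the replies.
WAN_ACL = parse_acl("access-list 110 deny ip any any")

def demo():
    r = Router(LAN_ACL, WAN_ACL)
    out = {
        "https_out": r.from_lan(Packet("tcp", "10.1.1.5", "1.1.1.1", 51000, 443)),
        "ssh_out": r.from_lan(Packet("tcp", "10.1.1.5", "1.1.1.1", 51001, 22)),
        "other_host_out": r.from_lan(Packet("tcp", "10.1.1.5", "1.1.1.2", 51002, 443)),
    }
    out["https_reply"] = r.from_wan(Packet("tcp", "1.1.1.1", "10.1.1.5", 443, 51000))
    out["unsolicited"] = r.from_wan(Packet("tcp", "1.1.1.1", "10.1.1.5", 443, 52222))
    return out

if __name__ == "__main__":
    print(demo())
```

Running demo() permits the HTTPS request and its reply, and denies the SSH attempt to the same host, the HTTPS attempt to a host not in the list, and an unsolicited packet from 1.1.1.1 that belongs to no inspected session. Two caveats the model makes visible: as posted, ACL 110 would admit any unsolicited traffic from the listed hosts, whereas inspection alone already admits their replies; and on a real router an inbound ACL on the NAT outside interface is evaluated before the destination is translated back to 10.1.1.x, so entries with 10.1.1.0/24 as the destination would not match there.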
ASKER
Hi.
Also I want to allow the clients to access URLs including the IP addresses
*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com
I want to know how I can allow specific URL's on router for the subnet 10.1.1.0/24
Thanks
It is possible to use a URL in your access list. The way it is implemented on routers, you will have to define a domain name on the router. The document below provides some instructions.
http://www.techrepublic.com/article/block-access-to-a-web-site-using-the-cisco-ios/
ASKER
Hi koudry,
The problem is that website keeps on changing the IP address. I have been advised by verisign to open the following domain instead of IP addresses.
*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com
Is there any way to overcome this?
Thanks
ASKER
Please any help
Thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Hi,
Thanks for the help. That's what exactly I need.
But I need to clarify something: it's not accepting wildcard entries.
For example I want to allow the URLs
url1.domain.com
url2.domain.com
url2.domain.com
I have tried *.domain.com; it's not working.
You may be using an older IOS that doesn't handle the wildcards properly. I tested it on 15.1(4)M7 and it's working correctly. What version are you using?
ASKER
Hi
c2900-universalk9-mz.SPA.152-4.M3.bin
ASKER
Also, how about a 3725 router, will wildcard entries work?
Should work on that IOS. Not sure about the 3725 as it caps out at 12.4(15)T. Will have a look when I get into the office.
SOLUTION
This solution is only available to members.
ASKER
Dear Friend,
Thank You Thank You Thank You So Much.....Really I want to say thank you from the bottom of my heart.
You were really helpful.
Just a friendly question: if I need to ask any question related to Cisco networks, how can I get your attention on EE?
Thank you once again.
Samir
I don't know if EE really has a mechanism for flagging a specific expert, but I don't think they do. I try to keep an eye on Cisco-related topics, so it's likely that I'll spot you anyway. :)
Just for the record, the urlfilter functionality was added in 12.2S, so the 3725 shouldn't have any trouble at all.
ASKER
Can I give you my personal email so I can send you the Experts Exchange link whenever I open a question?
Thanks
I believe that's against EE's policies, so I don't advise it.
http://support.experts-exchange.com/customer/portal/articles/755976-can-i-post-my-email-address-in-a-question-?b_id=44
I'm a network specialist by trade and I don't always have time to get onto EE, so it's best if you field the question to everyone anyway.
Also, just because I had the answer to this one doesn't mean that I'll have anything for your next question. That's the real power of a community like this one: You get multiple perspectives from different people who know the technology. Then it's just a matter of picking the best solution.
ASKER
Thanks
ASKER
Hi,
Just forgot to ask 1 thing
What if I want to give full internet access with no restrictions to some clients ? How I can put them in exception from the above defined url filtering.
Thanks
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.
! Local URL list; 'allow-mode off' drops HTTP requests that match no entry
! (no external filter server is configured here).
parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
! match-all: the flow must be permitted by the ACL AND be HTTP
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class type inspect cm-other
  inspect
!
! Clients that must bypass the URL filter get a 'deny ip host <client> any'
! line above the permit, so they fall through to cm-other.
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
 service-policy type inspect pm-inside-out
I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.
Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.
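The following Python model is an added illustration of how the zone-based policy above classifies a flow and what the exclusive-domain list does to restricted HTTP; it is not part of the thread and not IOS code. It models the documented leading-dot convention (".verisign.com" matches every host under that domain, an entry without a dot would be an exact host name), treats "allow-mode off" as dropping unmatched requests, and assumes one extra entry "deny ip host 10.1.1.50 any" at the top of acl-http-restricted for an exempt client, which the post describes in prose but does not show.

```python
# Added model of the zone-based policy above: which class a flow lands in and
# what the exclusive-domain list does to restricted HTTP. Illustrative Python,
# not IOS code; the exempt host 10.1.1.50 is an assumption, not in the post.
import ipaddress

# parameter-map type urlfilter pmap-urls, as posted: leading dot = the
# domain and every host under it; no dot would mean an exact host name.
EXCLUSIVE_DOMAINS = [
    (".verisign.com", "permit"), (".thawte.com", "permit"),
    (".geotrust.com", "permit"), (".rapidssl.com", "permit"),
    (".digitalcertvalidation.com", "permit"), (".ws.symantec.com", "permit"),
]
ALLOW_MODE_ON = False   # 'allow-mode off': no match and no server -> drop

# acl-http-restricted, with one assumed entry added before the permit:
#   deny   ip host 10.1.1.50 any
#   permit ip 10.1.1.0 0.0.0.255 any
EXEMPT_HOSTS = {ipaddress.ip_address("10.1.1.50")}
RESTRICTED_SUBNET = ipaddress.ip_network("10.1.1.0/24")

# cm-other matches ftp/tcp/udp/icmp; http rides on tcp so it fits there too
TRANSPORT = {"http": "tcp", "ftp": "tcp", "tcp": "tcp", "udp": "udp", "icmp": "icmp"}

def acl_http_restricted(src):
    """First-match ACL: exempt hosts are denied, the subnet permitted,
    everything else hits the implicit deny."""
    src = ipaddress.ip_address(src)
    return src not in EXEMPT_HOSTS and src in RESTRICTED_SUBNET

def domain_matches(pattern, host):
    """Leading-dot entries match on label boundaries, so
    'evil.verisign.com.attacker.net' and 'notverisign.com' do not match
    '.verisign.com'. The bare apex matching a dotted entry is assumed."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def urlfilter(host):
    """Decision for one HTTP request host under pmap-urls."""
    for pattern, action in EXCLUSIVE_DOMAINS:
        if domain_matches(pattern, host):
            return action
    return "permit" if ALLOW_MODE_ON else "deny"

def classify(src, protocol):
    """match-all cm-http-restricted needs the ACL AND http; otherwise the
    match-any cm-other; anything else is class-default, which drops."""
    if protocol == "http" and acl_http_restricted(src):
        return "cm-http-restricted"
    if TRANSPORT.get(protocol) in ("tcp", "udp", "icmp"):
        return "cm-other"
    return "class-default"

def policy(src, protocol, host=None):
    """Action of pm-inside-out for a flow from zone-inside to zone-outside."""
    cls = classify(src, protocol)
    if cls == "cm-http-restricted":
        return "inspect" if urlfilter(host) == "permit" else "drop"
    return "inspect" if cls == "cm-other" else "drop"

if __name__ == "__main__":
    # Constructed sample flows
    for flow in [("10.1.1.20", "http", "ocsp.verisign.com"),
                 ("10.1.1.20", "http", "www.example.com"),
                 ("10.1.1.50", "http", "www.example.com"),
                 ("10.1.1.20", "tcp", None),
                 ("10.1.1.20", "gre", None)]:
        print(flow, "->", classify(flow[0], flow[1]), policy(*flow))
```

Two properties of the policy as posted that the model makes explicit: only inspected HTTP is URL-filtered, so cm-other lets the restricted subnet reach any destination over other TCP or UDP, HTTPS included, since the router sees no URL inside TLS; and an unlisted domain is dropped outright because of allow-mode off, so every host the clients need, CRL and OCSP responders included, has to appear in the list.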
There are Cisco guides on what to put on your infrastructure ACL including preventing DoS (Denial of Service) attack:
http://www.cisco.com/en/US