Solved

Blocking specified websites through Cisco IOS on ADSL router

Posted on 2007-12-05
4
2,715 Views
Last Modified: 2008-02-01
Hi,

One of our clients has the problem of it's staff spending a lot of time on MySpace, Facebook etc.

They don't have any content filtering, pretty much an open gateway to the net through a Cisco 857 ADSL Router.

I've done a fair bit of research trying to get the router to block traffic to those particular sites.

I began trying to block the sites by name, but for whatever reason, I can't resolve external host names, even though I have DNS servers listed - it doesn't seem to query the DNS servers.

That's fine though... in the short term, I just want to block these sites any way I can.

I'm no ACL expert, but I tried the below:

=================
interface Dialer0
 ...
 ip access-group block-web out
 ...

ip access-list extended block-web
 remark Block specified websites
 remark SDM_ACL Category=1
 permit tcp any any
 deny   tcp any eq www 216.178.38.0 0.0.0.255 eq www
=================

The 216.178.38.0 network is the one the MySpace servers appear to be on.

When I apply this though, ALL web access blocked. I've tried swapping the permit & deny lines around too with no joy. There is no other ACL on outbound traffic.

Any ideas on what I'm doing wrong?

Ultimately, the DNS approach would be best, but for whatever reason, that doesn't seem to be happening...

Thanks in advance!
0
Comment
Question by:slamit
  • 3
4 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20417070
Try making the access list look like the following:

ip access-list extended block-web
 remark Block specified websites
 remark SDM_ACL Category=1
 deny   tcp any 216.178.38.0 0.0.0.255 eq www
 permit ip any any

See if that helps...
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20417074
BTW, you won't be able to use the DNS method on a router because the router cannot reference an FQDN as part of an access list statement...it's a bummer, I know, because I would love to be able to do this and have tried myself.
0
 

Author Comment

by:slamit
ID: 20417092
Awesome, thanks so much!! :)
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20417135
You're welcome!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now