nasirsh
asked on
Help with URL Filtering
Hi there. I have applied URL filtering on my Cisco 1811 router. When I block a website with URL filtering it is blocked for all IPs. I don't want this. I want to be able to allow a single IP, or multiple IPs, to have access to the website that I have blocked. Is this possible? Currently all the IPs going through fa 0 are blocked from the website. Other websites are opening.
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.youtube.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny www.hebusx.com
ip urlfilter exclusive-domain deny www.orkut.com
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address XXX XXX
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect test-filter out
ASKER
This will check with the Websense server and then decide whether to block or not. Right?
Yes.
ASKER
But that's not what I am doing. I am using the router to block websites via URL filtering. By default, when I block a website it is blocked for all IPs. I want to exclude a single IP from that list.
OK, here is a sample for an exception IP:
filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
ASKER
filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
^
% Invalid input detected at '^' marker.
This doesn't work.
Then create an ACL to allow or deny whatever you want, as in the following sample:
ip inspect name test-filter http java-list 10
access-list 10 permit any
ASKER
Don't understand.
ASKER
ip inspect name test-filter http java-list 10
access-list 10 permit any
When I do this, all have access to the blocked websites.
You can specify what to allow for a specific rule, as in the sample I sent before:
the above sample with ACL 10 permitting everything for the Java applets.
So use the same idea for your needs.
Do it like this:
access-list 10 permit host 192.168.1.8
access-list 10 deny any
This will allow only this IP and deny others.
ASKER
Does this make it clearer for you?
Building configuration...
Current configuration : 8770 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Sequel_RTR_PK
!
boot-start-marker
boot-end-marker
!
logging userinfo
no logging buffered
enable secret 5 $1$7FFr$RDX7fVudbKSALggLINHlL/
enable password 7 040B0A021C75195E47
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name sequel4pak.com
ip name-server 203.99.163.240
ip name-server 202.59.80.17
ip name-server 202.59.80.10
ip name-server 203.99.163.243
ip inspect name test-filter appfw test-filter
ip inspect name test-filter https
ip inspect name test-filter http java-list 10 urlfilter audit-trail off
no ip ips sdf builtin
no ip ips notify log
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.youtube.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny www.hebusx.com
ip urlfilter exclusive-domain deny www.cumtv.com
ip urlfilter exclusive-domain deny www.orkut.com
ip sla 1
icmp-echo 67.222.128.164 source-interface FastEthernet0
timeout 1000
threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 67.222.128.164 source-interface FastEthernet1
timeout 1000
threshold 1000
ip sla schedule 2 life forever start-time now
!
appfw policy-name test-filter
application http
strict-http action reset
port-misuse p2p action reset alarm
port-misuse tunneling action reset
port-misuse im action reset alarm
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application im yahoo
service default action reset
service text-chat action reset
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail off
!
!
!
username shazad privilege 0 password 7 095F460803041343595F
username guest privilege 0 password 7 15151E09173E
username nasir privilege 0 password 7 13041B1318070539
username admin privilege 15 secret 5 $1$KHgU$3E7P7PLh.nq57ogGrETvK/
!
!
track 1 rtr 1 reachability
delay down 15 up 60
!
track 2 rtr 2 reachability
delay down 15 up 60
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_test-filter
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address XXXXXX 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect test-filter out
ip virtual-reassembly
duplex auto
speed auto
service-policy input sdmappfwp2p_test-filter
service-policy output sdmappfwp2p_test-filter
!
interface FastEthernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 192.168.1.128 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect test-filter out
ip virtual-reassembly
duplex auto
speed auto
service-policy input sdmappfwp2p_test-filter
service-policy output sdmappfwp2p_test-filter
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
switchport access vlan 111
!
interface FastEthernet5
switchport access vlan 222
!
interface FastEthernet6
switchport access vlan 400
!
interface FastEthernet7
switchport access vlan 200
switchport mode trunk
!
interface FastEthernet8
switchport access vlan 700
switchport mode trunk
!
interface FastEthernet9
switchport access vlan 500
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan500
description $FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map www
!
interface Vlan700
description $FW_INSIDE$
ip address 192.168.0.3 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map www
!
interface Vlan200
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Vlan400
description $FW_INSIDE$
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan222
description VOIP
ip address 192.168.20.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map voip
!
interface Vlan111
description Nortel Router
ip address 192.168.10.2 255.255.255.0
ip nat outside
ip inspect test-filter out
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2XXXXX 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 XXXXX 10
ip route 0.0.0.0 0.0.0.0 192.168.10.1 20
!
ip flow-export version 5
ip flow-export destination 192.168.0.88 2055
ip flow-top-talkers
top 100
sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
ip nat inside source route-map voip interface Vlan111 overload
ip nat inside source static tcp 192.168.0.10 21 XXXXX 21 extendable
ip nat inside source static tcp 192.168.0.2 3389 XXXXX 3389 extendable
ip nat inside source static tcp 192.168.0.2 8080 2XXXX 8080 extendable
ip nat inside source static tcp 192.168.5.11 80 XXXX 80 extendable
!
ip access-list extended telnet
remark SDM_ACL Category=1
permit ip any any
remark SDM_ACL Category=1
!
logging trap debugging
logging 192.168.5.55
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 155 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.4.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.20.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.5.0 0.0.0.255 any
access-list 166 permit tcp any any eq www
access-list 166 permit tcp any any eq 3389
!
!
!
route-map voip permit 20
match ip address 155
match interface Vlan111
set ip default next-hop 192.168.10.1
!
route-map isp2 permit 10
match ip address 110
match interface FastEthernet1
!
route-map isp1 permit 10
match ip address 110
match interface FastEthernet0
!
route-map www permit 10
match ip address 160
set ip default next-hop 202.59.76.177
!
!
!
!
control-plane
!
banner login ^CWelcome to Sequel Systems Inc Router.^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
password 7 095C4F1A0A1218000F
transport input telnet ssh
transport output telnet
line vty 5 15
access-class 23 in
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Try the following, assuming the IP you want to be allowed is 192.168.1.8.
Then:
no ip inspect name test-filter http java-list 10 urlfilter audit-trail off
!
ip inspect name test-filter http urlfilter audit-trail off
ip inspect name test-filter http java-list 10
ip urlfilter exclusive-domain permit www.google.com
!
!
access-list 10 permit host 192.168.1.8
access-list 10 deny any
ASKER
Tried it, but it didn't work. It still gives all users access to all websites.
ASKER
OK, let me check.
ASKER
Nope. No success.
ASKER CERTIFIED SOLUTION
ASKER
I have tried this, but it gives access to all the IPs instead of only one.
no ip inspect name test-filter http java-list 10 urlfilter audit-trail off
!
ip inspect name test-filter http urlfilter audit-trail off
ip inspect name test-filter http java-list 10
ip urlfilter exclusive-domain permit www.google.com
!
!
access-list 10 permit host 192.168.1.8
access-list 10 deny any
Yeah, the java-list is not used for source IP selection, I don't believe.
You could try this to prove that:
no access-list 10
access-list 10 deny host 192.168.1.8 <--A PC you want to allow to these sites
access-list 10 permit any
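The standard ACL in the two suggestions above (permit one host then deny any, or the inverted deny one host then permit any) is evaluated first-match with an implicit deny at the end; the following evaluator, added here and not taken from the thread or from Cisco, applies those rules to a constructed config fragment and reports which action a given source address receives, handling the host, any and wildcard-mask forms used in the posted ACLs 10 and 110.

```python
"""Evaluate Cisco IOS numbered access lists the way the router does: first
matching entry wins, and an unmatched source hits the implicit 'deny any'."""
import ipaddress
import re

# Constructed sample (not captured from a device): ACL 10 as the expert
# proposed it, ACL 110 as it appears in the posted configuration.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.168.1.8
access-list 10 deny any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
"""

ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
DOTTED_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _parse_source(tokens):
    """Return (address, wildcard) as ints for the source spec in tokens."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    # 'A.B.C.D W.X.Y.Z' is address plus wildcard mask; a bare address is a host.
    if len(tokens) > 1 and DOTTED_RE.fullmatch(tokens[1]):
        return addr, int(ipaddress.IPv4Address(tokens[1]))
    return addr, 0


def parse_acls(config_text):
    """Map ACL number -> ordered list of (action, address, wildcard)."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if rest and rest[0] in PROTOCOLS:   # extended ACL: skip the protocol
            rest = rest[1:]
        addr, wild = _parse_source(rest)
        acls.setdefault(number, []).append((action, addr, wild))
    return acls


def evaluate(entries, source_ip):
    """First match wins; no match falls through to the implicit deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are 'don't care'; every other bit must match.
        if (ip ^ addr) & ~wild & 0xFFFFFFFF == 0:
            return action
    return "deny"


def check(config_text, acl_number, source_ip):
    """Action that ACL acl_number in config_text applies to source_ip."""
    return evaluate(parse_acls(config_text).get(acl_number, []), source_ip)
```

The java-list ACL on the inspect rule lists the trusted web sites from which Java applets may be downloaded, so whatever ACL 10 permits or denies, it never selects which client addresses are URL-filtered. After each change it is worth running show ip inspect name test-filter to confirm the http entry still carries the urlfilter keyword, since a later ip inspect name test-filter http line without it reconfigures that single http entry, which would explain all users regaining access to all websites.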
ASKER
Yes, I did.
ip urlfilter server vendor websense (Ip address)
Try applying it inbound, as IN:
ip inspect test-filter in