Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1114
  • Last Modified:

Help with URL Filtering

Hi there. I have applied url filtering on my cisco router 1811. When i block a website from URL Filtering it becomes disabled for all IPs. I dont want this. I want that i can allow a single IP or multiple to have access to the website which i have blocked. Is it possible. Like all the IP going through fa 0 are blocked to the website. Other Website are opening
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.youtube.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny www.hebusx.com
ip urlfilter exclusive-domain deny www.orkut.com
 
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address XXX XXX
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect test-filter out

Open in new window

0
nasirsh
Asked:
nasirsh
  • 11
  • 8
  • 2
1 Solution
 
memo_tntCommented:
hi

ip urlfilter server vendor websense (Ip address)

try apply it to the inbound as IN:

ip inspect test-filter in
0
 
nasirshAuthor Commented:
This will check from the websense server and then decide whether to block or not. Right.
0
 
memo_tntCommented:
yes
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
nasirshAuthor Commented:
But its not what i am doing. I am using the router to block websites via url fitering. By default then i block a website it is blocked to all IPs. I want to exclude a single IP from that list.
0
 
memo_tntCommented:
ok,, here is a sample for exception ip :::

filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
0
 
nasirshAuthor Commented:
filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
   ^
% Invalid input detected at '^' marker.


This doesnt work.
0
 
memo_tntCommented:
then create an ACL to allow ro deny whatever you want as the following as a sample:

ip inspect name test-filter http java-list 10

access-list 10 permit any
0
 
nasirshAuthor Commented:
Dont understand
0
 
nasirshAuthor Commented:
ip inspect name test-filter http java-list 10

access-list 10 permit any

when i do this all have access to the blocked websites.
0
 
memo_tntCommented:
you can specify what to allow for a specific rule as the sample i sent before ...

the above sample with ACL 10 permitting everything for the Java applets..

so, use the same idea for your needs ...
0
 
memo_tntCommented:
do it like this

access-list 10 permit host 192.168.1.8
access-list 10 deny any

this will allow only this IP and deny others ....
0
 
nasirshAuthor Commented:
Can this be more clear to you

Building configuration...

Current configuration : 8770 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Sequel_RTR_PK
!
boot-start-marker
boot-end-marker
!
logging userinfo
no logging buffered
enable secret 5 $1$7FFr$RDX7fVudbKSALggLINHlL/
enable password 7 040B0A021C75195E47
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name sequel4pak.com
ip name-server 203.99.163.240
ip name-server 202.59.80.17
ip name-server 202.59.80.10
ip name-server 203.99.163.243
ip inspect name test-filter appfw test-filter
ip inspect name test-filter https
ip inspect name test-filter http java-list 10 urlfilter audit-trail off
no ip ips sdf builtin
no ip ips notify log
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.youtube.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny www.hebusx.com
ip urlfilter exclusive-domain deny www.cumtv.com
ip urlfilter exclusive-domain deny www.orkut.com
ip sla 1
 icmp-echo 67.222.128.164 source-interface FastEthernet0
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 67.222.128.164 source-interface FastEthernet1
 timeout 1000
 threshold 1000
ip sla schedule 2 life forever start-time now
!
appfw policy-name test-filter
  application http
    strict-http action reset
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset
    port-misuse im action reset alarm
  application im aol
    service default action reset
    service text-chat action reset
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail off
  application im yahoo
    service default action reset
    service text-chat action reset
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail off
!
!
!
username shazad privilege 0 password 7 095F460803041343595F
username guest privilege 0 password 7 15151E09173E
username nasir privilege 0 password 7 13041B1318070539
username admin privilege 15 secret 5 $1$KHgU$3E7P7PLh.nq57ogGrETvK/
!
!
track 1 rtr 1 reachability
 delay down 15 up 60
!
track 2 rtr 2 reachability
 delay down 15 up 60
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_test-filter
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_kazaa
   drop
 class sdm_p2p_bittorrent
   drop
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address XXXXXX 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect test-filter out
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_test-filter
 service-policy output sdmappfwp2p_test-filter
!
interface FastEthernet1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.1.128 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect test-filter out
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_test-filter
service-policy output sdmappfwp2p_test-filter
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 switchport access vlan 111
!
interface FastEthernet5
 switchport access vlan 222
!
interface FastEthernet6
 switchport access vlan 400
!
interface FastEthernet7
 switchport access vlan 200
 switchport mode trunk
!
interface FastEthernet8
 switchport access vlan 700
 switchport mode trunk
!
interface FastEthernet9
 switchport access vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan500
 description $FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan700
 description $FW_INSIDE$
 ip address 192.168.0.3 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan200
 description $FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan400
 description $FW_INSIDE$
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan222
 description VOIP
 ip address 192.168.20.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map voip
!
interface Vlan111
 description Nortel Router
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 ip inspect test-filter out
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2XXXXX 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 XXXXX 10
ip route 0.0.0.0 0.0.0.0 192.168.10.1 20
!
ip flow-export version 5
ip flow-export destination 192.168.0.88 2055
ip flow-top-talkers
 top 100
 sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
ip nat inside source route-map voip interface Vlan111 overload
ip nat inside source static tcp 192.168.0.10 21 XXXXX 21 extendable
ip nat inside source static tcp 192.168.0.2 3389 XXXXX 3389 extendable
ip nat inside source static tcp 192.168.0.2 8080 2XXXX 8080 extendable
ip nat inside source static tcp 192.168.5.11 80 XXXX 80 extendable
!
ip access-list extended telnet
 remark SDM_ACL Category=1
 permit ip any any
 remark SDM_ACL Category=1
!
logging trap debugging
logging 192.168.5.55
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny   ip any any
access-list 155 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.4.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.20.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.5.0 0.0.0.255 any
access-list 166 permit tcp any any eq www
access-list 166 permit tcp any any eq 3389

!
!
!
route-map voip permit 20
 match ip address 155
 match interface Vlan111
 set ip default next-hop 192.168.10.1
!
route-map isp2 permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map www permit 10
 match ip address 160
 set ip default next-hop 202.59.76.177
!
!
!
!
control-plane
!
banner login ^CWelcome to Sequel Systems Inc Router.^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 password 7 095C4F1A0A1218000F
 transport input telnet ssh
 transport output telnet
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
0
 
memo_tntCommented:
try the following,, assuming the IP you want to be allowed is 192.168.1.8..
then:


no ip inspect name test-filter http java-list 10 urlfilter audit-trail off
!
ip inspect name test-filter http urlfilter audit-trail off
ip inspect name test-filter http java-list 10
ip urlfilter exclusive-domain permit www.google.com
!
!
access-list 10 permit host 192.168.1.8
access-list 10 deny any
0
 
memo_tntCommented:
oops

ip urlfilter exclusive-domain deny www.google.com
0
 
nasirshAuthor Commented:
tried it but it didnt work. It still give all users access to all websites
0
 
nasirshAuthor Commented:
ok let me check
0
 
nasirshAuthor Commented:
Nope. No success
0
 
JFrederick29Commented:
I'm not sure you can restrict this to specific IP addresses as CBAC is quite limited in its capabilities (poor man's content filter).  You could look into use zone based (modular) content filtering but you may need to upgrade to get support for the feature.  I'm not 100% sure you can base it on source IP either however.

http://blog.ioshints.info/2009/05/local-content-filtering-in-cisco-ios.html
0
 
nasirshAuthor Commented:
I have tried this thing but it gives access to all the IP instead of only one.

no ip inspect name test-filter http java-list 10 urlfilter audit-trail off
!
ip inspect name test-filter http urlfilter audit-trail off
ip inspect name test-filter http java-list 10
ip urlfilter exclusive-domain permit www.google.com
!
!
access-list 10 permit host 192.168.1.8
access-list 10 deny any
0
 
JFrederick29Commented:
Yeah, the java-list is not used for source IP selection I don't believe.

You could try this to prove that:

no access-list 10
access-list 10 deny host 192.168.1.8   <--A PC you want to allow to these sites
access-list 10 permit any
0
 
nasirshAuthor Commented:
Yes i did.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 11
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now