Solved

Help with URL Filtering

Posted on 2009-06-30
Last Modified: 2012-06-27
Hi there. I have applied URL filtering on my Cisco 1811 router. When I block a website with URL filtering, it becomes blocked for all IPs. I don't want this. I want to be able to allow a single IP, or multiple IPs, to have access to a website which I have blocked. Is it possible? Like, all the IPs going through fa 0 are blocked from the website. Other websites are opening.
! Local URL filter list: applies to every HTTP session handled by the inspect rule,
! there is no per-source exception in these global commands
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.youtube.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny www.hebusx.com
ip urlfilter exclusive-domain deny www.orkut.com
!
! CBAC inspect rule applied outbound on the WAN interface
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address XXX XXX
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect test-filter out

Question by:nasirsh

21 Comments
 
LVL 16

Expert Comment

by:memo_tnt
Hi,

ip urlfilter server vendor websense (IP address)

Try applying it in the inbound direction, as IN:

ip inspect test-filter in
 
LVL 4

Author Comment

by:nasirsh
This will check with the Websense server and then decide whether to block or not. Right?
 
LVL 16

Expert Comment

by:memo_tnt
Yes.
 
LVL 4

Author Comment

by:nasirsh
But that's not what I am doing. I am using the router to block websites via URL filtering. By default, when I block a website it is blocked for all IPs. I want to exclude a single IP from that list.
 
LVL 16

Expert Comment

by:memo_tnt
OK, here is a sample for an exception IP:

filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
 
LVL 4

Author Comment

by:nasirsh
filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
   ^
% Invalid input detected at '^' marker.

This doesn't work.
 
LVL 16

Expert Comment

by:memo_tnt
Then create an ACL to allow or deny whatever you want, as in the following sample:

ip inspect name test-filter http java-list 10

access-list 10 permit any
 
LVL 4

Author Comment

by:nasirsh
I don't understand.
 
LVL 4

Author Comment

by:nasirsh
ip inspect name test-filter http java-list 10

access-list 10 permit any

When I do this, everyone has access to the blocked websites.
 
LVL 16

Expert Comment

by:memo_tnt
You can specify what to allow for a specific rule, as in the sample I sent before...

The above sample, with ACL 10, permits everything for the Java applets.

So, use the same idea for your needs...
 
LVL 16

Expert Comment

by:memo_tnt
Do it like this:

access-list 10 permit host 192.168.1.8
access-list 10 deny any

This will allow only this IP and deny the others...
 
LVL 4

Author Comment

by:nasirsh
Does this make it clearer for you?

Building configuration...

Current configuration : 8770 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Sequel_RTR_PK
!
boot-start-marker
boot-end-marker
!
logging userinfo
no logging buffered
enable secret 5 $1$7FFr$RDX7fVudbKSALggLINHlL/
enable password 7 040B0A021C75195E47
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name sequel4pak.com
ip name-server 203.99.163.240
ip name-server 202.59.80.17
ip name-server 202.59.80.10
ip name-server 203.99.163.243
ip inspect name test-filter appfw test-filter
ip inspect name test-filter https
ip inspect name test-filter http java-list 10 urlfilter audit-trail off
no ip ips sdf builtin
no ip ips notify log
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.youtube.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny www.hebusx.com
ip urlfilter exclusive-domain deny www.cumtv.com
ip urlfilter exclusive-domain deny www.orkut.com
ip sla 1
 icmp-echo 67.222.128.164 source-interface FastEthernet0
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 67.222.128.164 source-interface FastEthernet1
 timeout 1000
 threshold 1000
ip sla schedule 2 life forever start-time now
!
appfw policy-name test-filter
  application http
    strict-http action reset
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset
    port-misuse im action reset alarm
  application im aol
    service default action reset
    service text-chat action reset
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail off
  application im yahoo
    service default action reset
    service text-chat action reset
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail off
!
!
!
username shazad privilege 0 password 7 095F460803041343595F
username guest privilege 0 password 7 15151E09173E
username nasir privilege 0 password 7 13041B1318070539
username admin privilege 15 secret 5 $1$KHgU$3E7P7PLh.nq57ogGrETvK/
!
!
track 1 rtr 1 reachability
 delay down 15 up 60
!
track 2 rtr 2 reachability
 delay down 15 up 60
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_test-filter
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_kazaa
   drop
 class sdm_p2p_bittorrent
   drop
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address XXXXXX 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect test-filter out
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_test-filter
 service-policy output sdmappfwp2p_test-filter
!
interface FastEthernet1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.1.128 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect test-filter out
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_test-filter
 service-policy output sdmappfwp2p_test-filter
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 switchport access vlan 111
!
interface FastEthernet5
 switchport access vlan 222
!
interface FastEthernet6
 switchport access vlan 400
!
interface FastEthernet7
 switchport access vlan 200
 switchport mode trunk
!
interface FastEthernet8
 switchport access vlan 700
 switchport mode trunk
!
interface FastEthernet9
 switchport access vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan500
 description $FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan700
 description $FW_INSIDE$
 ip address 192.168.0.3 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan200
 description $FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan400
 description $FW_INSIDE$
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan222
 description VOIP
 ip address 192.168.20.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map voip
!
interface Vlan111
 description Nortel Router
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 ip inspect test-filter out
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2XXXXX 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 XXXXX 10
ip route 0.0.0.0 0.0.0.0 192.168.10.1 20
!
ip flow-export version 5
ip flow-export destination 192.168.0.88 2055
ip flow-top-talkers
 top 100
 sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
ip nat inside source route-map voip interface Vlan111 overload
ip nat inside source static tcp 192.168.0.10 21 XXXXX 21 extendable
ip nat inside source static tcp 192.168.0.2 3389 XXXXX 3389 extendable
ip nat inside source static tcp 192.168.0.2 8080 2XXXX 8080 extendable
ip nat inside source static tcp 192.168.5.11 80 XXXX 80 extendable
!
ip access-list extended telnet
 remark SDM_ACL Category=1
 permit ip any any
 remark SDM_ACL Category=1
!
logging trap debugging
logging 192.168.5.55
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny   ip any any
access-list 155 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.4.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.20.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.5.0 0.0.0.255 any
access-list 166 permit tcp any any eq www
access-list 166 permit tcp any any eq 3389

!
!
!
route-map voip permit 20
 match ip address 155
 match interface Vlan111
 set ip default next-hop 192.168.10.1
!
route-map isp2 permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map www permit 10
 match ip address 160
 set ip default next-hop 202.59.76.177
!
!
!
!
control-plane
!
banner login ^CWelcome to Sequel Systems Inc Router.^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 password 7 095C4F1A0A1218000F
 transport input telnet ssh
 transport output telnet
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
LVL 16

Expert Comment

by:memo_tnt
Try the following, assuming the IP you want to be allowed is 192.168.1.8. Then:

no ip inspect name test-filter http java-list 10 urlfilter audit-trail off
!
ip inspect name test-filter http urlfilter audit-trail off
ip inspect name test-filter http java-list 10
ip urlfilter exclusive-domain permit www.google.com
!
access-list 10 permit host 192.168.1.8
access-list 10 deny any
 
LVL 16

Expert Comment

by:memo_tnt
Oops:

ip urlfilter exclusive-domain deny www.google.com
 
LVL 4

Author Comment

by:nasirsh
Tried it, but it didn't work. It still gives all users access to all websites.
 
LVL 4

Author Comment

by:nasirsh
OK, let me check.
 
LVL 4

Author Comment

by:nasirsh
Nope. No success.
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
I'm not sure you can restrict this to specific IP addresses, as CBAC is quite limited in its capabilities (poor man's content filter). You could look into using zone-based (modular) content filtering, but you may need to upgrade to get support for the feature. I'm not 100% sure you can base it on source IP either, however.

http://blog.ioshints.info/2009/05/local-content-filtering-in-cisco-ios.html
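
The zone-based route JFrederick29 points at does give you a per-source exemption, because the zone-based firewall classifies a session with a Layer 3/4 class-map (which can match an ACL) before it decides whether to attach URL filtering to it. The configuration below is an added example written for this page, not a configuration from the thread or from the vendor's documentation. It assumes IOS 12.4(15)T or later on the 1811 (the `parameter-map type urlfilter` and the `urlfilter` action under a `policy-map type inspect` class appear in that release), that the PC to exempt is 192.168.5.20 on Vlan500 (an assumed address; the thread never names an inside host), that Fa0, Fa1 and Vlan111 are the outside interfaces exactly as the posted config treats them, and that the interface-level `ip inspect test-filter out` is removed first, since an interface cannot carry both CBAC and a zone membership. All zone, class-map, policy-map and ACL names are illustrative.

```cisco
! --- Added example, not from the thread: per-source exemption from local URL filtering
! --- with the IOS zone-based firewall. Assumes IOS 12.4(15)T+; 192.168.5.20 and all
! --- object names are assumptions, not values from the posted configuration.
!
! 1. The local deny list moves from global "ip urlfilter" commands into a parameter-map.
!    A leading dot matches the domain and every host in it (youtube.com, www.youtube.com,
!    m.youtube.com), which the www.-only entries in the thread do not.
!    allow-mode on is still needed: with no external filter server configured it is what
!    lets URLs that are not on the list through.
parameter-map type urlfilter LOCAL-URLF
 allow-mode on
 exclusive-domain deny .youtube.com
 exclusive-domain deny .facebook.com
 exclusive-domain deny .hebusx.com
 exclusive-domain deny .orkut.com
!
! 2. Hosts allowed to bypass the list, identified by their inside (private) address.
ip access-list extended URLF-EXEMPT
 permit ip host 192.168.5.20 any
!
! 3. Classes. match-all means "HTTP AND from an exempt host"; the policy-map below is
!    evaluated top down, so this class must come before the general HTTP class.
class-map type inspect match-all CM-HTTP-EXEMPT
 match access-group name URLF-EXEMPT
 match protocol http
class-map type inspect match-all CM-HTTP
 match protocol http
class-map type inspect match-any CM-OTHER
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 4. Policy: exempt hosts are stateful-inspected but not URL-filtered; everyone else
!    gets inspection plus the deny list. Anything unclassified is dropped.
policy-map type inspect PM-IN-OUT
 class type inspect CM-HTTP-EXEMPT
  inspect
 class type inspect CM-HTTP
  inspect
  urlfilter LOCAL-URLF
 class type inspect CM-OTHER
  inspect
 class class-default
  drop
!
! 5. Zones and the inside-to-outside zone-pair that carries the policy.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! 6. Interface membership. CBAC is removed from the outside interfaces before they join
!    a zone; the inside VLANs join INSIDE and keep talking to each other freely
!    (same-zone traffic is not policed).
interface FastEthernet0
 no ip inspect test-filter out
 zone-member security OUTSIDE
interface FastEthernet1
 no ip inspect test-filter out
 zone-member security OUTSIDE
interface Vlan111
 no ip inspect test-filter out
 zone-member security OUTSIDE
interface Vlan500
 zone-member security INSIDE
interface Vlan700
 zone-member security INSIDE
interface Vlan200
 zone-member security INSIDE
interface Vlan400
 zone-member security INSIDE
interface Vlan222
 zone-member security INSIDE
```

Verify with `show zone-pair security` and `show policy-map type inspect zone-pair IN-OUT sessions`: an HTTP session from 192.168.5.20 should be counted under CM-HTTP-EXEMPT and one from any other inside host under CM-HTTP. Two caveats a practitioner should plan for before cutting over. First, traffic between zones with no zone-pair is dropped, so the static NAT port-forwards in the posted config (21, 3389, 8080 and 80 into 192.168.0.x and 192.168.5.11) need an OUTSIDE-to-INSIDE zone-pair whose policy passes or inspects only those ports. Second, IOS URL filtering matches the host in HTTP requests only; HTTPS sessions to the same sites are inspected as TCP and are not filtered, so a non-exempt user can still reach them over HTTPS.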
 
LVL 4

Author Comment

by:nasirsh
I have tried this, but it gives access to all the IPs instead of only one.

no ip inspect name test-filter http java-list 10 urlfilter audit-trail off
!
ip inspect name test-filter http urlfilter audit-trail off
ip inspect name test-filter http java-list 10
ip urlfilter exclusive-domain permit www.google.com
!
access-list 10 permit host 192.168.1.8
access-list 10 deny any
 
LVL 43

Expert Comment

by:JFrederick29
Yeah, the java-list is not used for source IP selection, I don't believe.

You could try this to prove that:

no access-list 10
access-list 10 deny host 192.168.1.8   <-- a PC you want to allow to these sites
access-list 10 permit any
 
LVL 4

Author Comment

by:nasirsh
Yes, I did.
