How to block youtube.com on my Cisco router?

Hi,

See, when I apply an ACL to block youtube.com it works like this:
13 deny tcp host 192.168.4.1 host 74.125.127.100 eq www (6 matches)
but as you know these big guns usually change their site address dynamically, so the ACL is not working after youtube.com changes its IP. Is there any other thing that can block sites on a DNS basis on a Cisco router?

All single-IP-based websites are working, like ciscoblog.com, like this:
14 deny tcp host 192.168.4.1 host 69.89.31.207 eq www (5 matches)

But on sites like youtube.com the ACL is not working, so please guide me what the solution can be in this situation. My router is a c7200 series; its IOS version is 12.4.

Thanks
0
dontdig
1 Solution
 
Vito_Corleone Commented:
You can try this:

class-map match-any scum
 match protocol http url "*youtube*"
!
policy-map die-scum
 class scum
  drop
!
interface <outside int>
 service-policy input die-scum

Basically just a modified version of this:

http://blogs.interfacett.com/mike-storm/2006/11/16/save-our-internet-bandwidth.html
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
Hi,

Short answer: no. Longer answer: you are able to do that, but by manually denying IP addresses:

Using ACLs is the hard way actually, but you can use it if you want!
Open up your command prompt and type nslookup www.youtube.com. A list with several IP addresses will come up; you need to block traffic to and from them using an ACL. To make things worse, do nslookup myspace.com and a different list will come up; those also need to be blocked. The same applies to Facebook, for example.


However, this requires some design considerations.
================
Example of using the ACL:

R1(config)#ip access-list extended BLOCK
R1(config-ext-nacl)#deny ip host 216.178.38.131 any
R1(config-ext-nacl)#deny ip any host 216.178.38.131
R1(config-ext-nacl)#deny ip host 216.178.39.14 any
R1(config-ext-nacl)#deny ip any host 216.178.39.14
...                                     <-- insert all IP addresses here
R1(config-ext-nacl)#permit ip any any   <-- don't forget this


R1(config-if)#ip access-group BLOCK in   <-- apply this ACL to your LAN interface
R1(config-if)#ip access-group BLOCK out
0
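
Added example, not part of the original answer: the nslookup-then-ACL procedure described above, as a Python script that parses saved nslookup output and builds the matching IOS ACL lines. The sample output, host names and addresses are constructed documentation values, and the function names are assumptions of this example.

```python
import ipaddress

# Constructed nslookup output; names and addresses are documentation values.
SAMPLE_NSLOOKUP = """\
Server:  resolver.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    video.example.com
Addresses:  198.51.100.10
          198.51.100.11
          2001:db8::10
Aliases:  www.video.example.com

Server:  resolver.example.net
Address:  192.0.2.53

Name:    social.example.org
Address:  203.0.113.7
"""

def answer_addresses(nslookup_text):
    """Unique IPv4 answer addresses; the resolver's own Address line is skipped."""
    found, in_answer = [], False
    for line in nslookup_text.splitlines():
        if line.startswith("Server:"):
            in_answer = False      # the Address that follows is the DNS server
        elif line.startswith("Name:"):
            in_answer = True       # addresses from here on belong to the answer
        elif in_answer:
            for token in line.split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue       # labels such as "Addresses:" or alias names
                if addr.version == 4 and str(addr) not in found:
                    found.append(str(addr))  # IPv6 needs a separate IPv6 ACL
    return found

def build_acl(name, addresses):
    """Emit the answer's ACL shape: deny both directions, then permit the rest."""
    lines = [f"ip access-list extended {name}"]
    for addr in addresses:
        lines += [f" deny ip host {addr} any", f" deny ip any host {addr}"]
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl("BLOCK", answer_addresses(SAMPLE_NSLOOKUP))))
```

The generated list is a snapshot of one lookup, so it has to be regenerated whenever the site's addresses change.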
 
dontdig (Author) Commented:
Thanks for replying.

I tried as you described but it didn't work!! youtube.com is still working shamelessly.... :-(
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
It has a lot of IP addresses... In this case I advise using a proxy server, or local DNS, which blocks the youtube domain....
0
 
dontdig (Author) Commented:
I know alternatives like using a regex option in squid for "youtube", but I wanted to learn via Cisco router. Anything else you want to suggest for this situation that can be done only by Cisco router?

0
 
dontdig (Author) Commented:
@ikalmar

Actually it's working, but for now only. I put all addresses there, but it will work for a short period of time, for instance one day.

Thanks
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
Sorry, this is not the right link; I am searching for what you want...
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
0
 
dontdig (Author) Commented:
OK, thanks for the link, but I am not getting what this is exactly and how I can learn more on it. Actually I am a CCNA student but want to dig deeper ;-)
0
 
dontdig (Author) Commented:
One last thing: may I know how to block Yahoo Messenger via Cisco router?
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
0
 
dontdig (Author) Commented:
@ikalmar

When I start following the above article it gives me an error:

Router(config)#ip cef
access-list extended NAT_FILTERING cef
            ^
% Invalid input detected at '^' marker.

Router(config)#

This router has NAT/PAT enabled; can this be the reason? But if I disable this, the internet won't work for clients!!
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
The right command is:

ip access-list extended NAT_FILTERING
0
 
dontdig (Author) Commented:
Man, I am talking about ip cef, not about the named ACL.
0
 
dontdig (Author) Commented:
Thanks man

Sorry for delay ;-D
0
