
Cisco IOS, trouble with access rules

I'm having problems getting an ACL to work properly. I'm trying to block a website with no success. I've got it set to block incoming traffic from this IP coming in to VLAN 1. Any help is greatly appreciated, thanks!

Running config follows:

Building configuration...

Current configuration : 4571 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LABrtr
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
no aaa new-model
clock timezone Muscat 4
!
crypto pki trustpoint TP-self-signed-2778094852
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2778094852
 revocation-check none
 rsakeypair TP-self-signed-2778094852
!
!
crypto pki certificate chain TP-self-signed-2778094852
 certificate self-signed 01
        quit
ip source-route
ip dhcp excluded-address 192.168.254.1 192.168.254.199
!
ip dhcp pool local
   import all
   network 192.168.254.0 255.255.255.0
   domain-name kaf
   dns-server 62.68.64.12 62.68.64.11
   default-router 192.168.254.1
!
!
ip cef
ip domain name lab.com
ip name-server 62.68.64.12
ip name-server 62.68.64.11
ip name-server 4.2.2.2
!
!
!
!
username jah privilege 15 secret 5 $1$tkc9$8FElZ0XIodnFf9gCLBZID0
!
!
!
archive
 log config
  hidekeys
!
!
no ip rcmd domain-lookup
ip rcmd remote-host sdmR57dc0aa1 192.168.252.4 L57eda768 enable
ip rcmd remote-host sdmRf3a36a86 192.168.252.4 Lf3a36a86 enable
ip rcmd remote-host sdmR94f350d9 192.168.252.200 L94f350d9 enable
ip rcmd remote-username sdmRf3a36a86
!
class-map match-any p2p
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 ip dhcp client hostname kaf
 ip address 10.254.12.210 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 service-module fail-open
 dot1x host-mode single-host
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 service-module fail-open
!
interface Vlan1
 ip address 192.168.254.1 255.255.255.0
 ip access-group YOUTUBE in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.253.2 255.255.255.0
!
interface BVI1
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
ip default-gateway 10.254.12.209
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.12.209
ip http server
ip http authentication local
ip http secure-server
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 100
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended YOUTUBE
 remark CCP_ACL Category=1
 remark YOUTUBE1
 deny   ip host 74.125.45.100 192.168.254.0 0.0.0.255
 remark YOUTUBE2
 deny   ip host 74.125.67.100 192.168.254.0 0.0.0.255
 remark YOUTUBE3
 deny   ip host 74.125.127.100 192.168.254.0 0.0.0.255
 permit ip any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.254.0 0.0.0.255
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 exec prompt timestamp
 no exec
 transport preferred none
 transport input all
line vty 0 4
 login local
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
Asked by snowmobile74
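The direction of the `ip access-group YOUTUBE in` statement on Vlan1 matters: "in" filters packets entering the router from the LAN, whose source is a 192.168.254.x client and whose destination is the YouTube host, so an entry written with the YouTube host as the source never matches them. The following is an added example (not from the question or any of the answers): a small Python evaluator of Cisco wildcard-mask ACL semantics run against the posted YOUTUBE entries, with `LAN_CLIENT` as a constructed sample address.

```python
import ipaddress
from typing import List, Tuple

# Added illustration for this thread, not a Cisco tool: an extended-ACL evaluator
# that shows which direction the posted YOUTUBE entries actually match.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# An ACE is (action, src_net, src_wildcard, dst_net, dst_wildcard); "any" is 0.0.0.0 255.255.255.255
ACE = Tuple[str, str, str, str, str]
ANY = ("0.0.0.0", "255.255.255.255")

def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")

def evaluate(acl: List[ACE], src: str, dst: str) -> str:
    """Return the action of the first matching entry; implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

YOUTUBE_HOSTS = ["74.125.45.100", "74.125.67.100", "74.125.127.100"]  # from the config
LAN = ("192.168.254.0", "0.0.0.255")  # 192.168.254.0/24 as network + wildcard
LAN_CLIENT = "192.168.254.50"  # constructed sample client address (not from the thread)

# The posted list: source = YouTube host, destination = LAN.
ORIGINAL_ACL: List[ACE] = [("deny", *host(h), *LAN) for h in YOUTUBE_HOSTS] + [("permit", *ANY, *ANY)]
# Same entries with source and destination swapped, which is what a list applied
# inbound on Vlan1 (packets arriving from the LAN) has to match.
SWAPPED_ACL: List[ACE] = [("deny", *LAN, *host(h)) for h in YOUTUBE_HOSTS] + [("permit", *ANY, *ANY)]

def lan_request_to(youtube_ip: str, acl: List[ACE]) -> str:
    """Packet seen by 'ip access-group ... in' on Vlan1: a LAN client opening a connection."""
    return evaluate(acl, LAN_CLIENT, youtube_ip)

def youtube_reply_to_lan(youtube_ip: str, acl: List[ACE]) -> str:
    """Packet seen by 'ip access-group ... out' on Vlan1: the server's reply heading to the LAN."""
    return evaluate(acl, youtube_ip, LAN_CLIENT)

if __name__ == "__main__":
    for h in YOUTUBE_HOSTS:
        print(h, "in/original:", lan_request_to(h, ORIGINAL_ACL), "in/swapped:",
              lan_request_to(h, SWAPPED_ACL), "out/original:", youtube_reply_to_lan(h, ORIGINAL_ACL))
```

The run shows the original list permitting every LAN-to-YouTube request inbound, while the swapped entries (or the original list applied outbound on Vlan1) deny the flow; the answers below explain why matching on three IPs is still not enough.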
2 Solutions
 
Istvan Kalmar, Head of IT Security Division, commented:
Hi,

YouTube comes from a lot of addresses. I advise creating a proxy server to handle this problem, or buying content filtering:

https://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/ds_contentfiltering.pdf

greg ward, Systems Engineer, commented:
ip access-list extended YOUTUBE
 remark CCP_ACL Category=1
 remark YOUTUBE1
 deny   ip host 74.125.45.100 any
 remark YOUTUBE2
 deny   ip host 74.125.67.100 any
 remark YOUTUBE3
 deny   ip host 74.125.127.100 any
 permit ip any any log
!

If you add the log at the end, you can see what is going through on your log server!
I changed deny all, as all traffic to vlan1 is going to be blocked and this is not applied to vlan2.
Greg

greg ward, Systems Engineer, commented:
The easiest way to do this would be to resolve youtube to 127.0.0.1 on your dns server.
 
Greg

Istvan Kalmar, Head of IT Security Division, commented:
If you have admin rights to all PCs, please put, as deepdraw said, 127.0.0.1 in the lmhosts file on Windows!

OzNetNerd commented:
You can use NBAR and policy maps to block this traffic. I have done it on my router.

Try this:

class-map match-any BLOCKED_SITES
 match protocol http host "*facebook.com*"
 match protocol http host "*youtube.com*"
 match protocol http host "*limewire.com*"
 match protocol http host "*movie6.net*"
!
!
policy-map drop_sites
 class BLOCKED_SITES
  drop
!
interface vlan1
 service-policy output drop_sites

yuliang11 commented:
YouTube has a lot of IP addresses, so blocking it by IP address is basically almost impossible and inefficient. However, you can try the CBAC firewall or the NBAR feature on the router, with which a Cisco IOS router can go into the application layer to detect and block YouTube.

CBAC

http://www.ciscopress.com/articles/article.asp?p=26533&seqNum=5

Else you may also use the NBAR feature, which can block application-level traffic; you may configure it to detect "youtube" in HTTP requests and take appropriate action.

The articles below give a very detailed explanation of NBAR and how to drop the traffic:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html
http://www.cisco-tips.com/blocking-peer-to-peer-using-cisco-ios-nbar/
 
nstamoul commented:
Yep, NBAR all the way. You can't do it with an ACL because, as said, YouTube comes from a lot of addresses.


OzNetNerd commented:
As per my post above, I have pasted a working NBAR configuration. Please give that a try and see how you go.

Cheers