Eirejp
asked on
Cisco IOS ZBF - Blocking websites with ZBF Parameter Maps?
Hi All,
Trying out ZBFs on my Cisco 1812 running IOS 15.1(4)M.
I seem to have my inspection working for outgoing traffic but I was wanting to block users from reaching certain websites. In this example I am using cnet.com.
I have set up the parameter map called BLOCK with the server names and assigned CMAP2 to inspect http.
Any help to let me know where I went wrong would be great!
parameter-map type protocol-info BLOCK
 server name cnet.com
 server name www.cnet.com
class-map type inspect match-any CMAP2
 description blocking certain websites
 match protocol http BLOCK
 match protocol https BLOCK
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ftp
 match protocol echo
 match protocol telnet
 match protocol msnmsgr
 match protocol ntp
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol ftps
 match protocol icmp
!
!
policy-map type inspect PMAP1
 class type inspect CMAP2
  drop log
 class type inspect CMAP1
  inspect
 class class-default
  drop
zone-pair security in-to-out source inside destination outside
 service-policy type inspect PMAP1
ASKER CERTIFIED SOLUTION
Not overly familiar with ZBF, however...
You look to be in the configuration mode for URL filtering POLICY, and the commands you have listed are essentially for the redirect page you would send a user to that attempts to access a blocked web page.
You have:
parameter-map type urlfpolicy
^^^^^
instead of
parameter-map type urlfilter
ASKER
Thanks. Actually just found out the command is now hidden
12.4(6)T - This command was introduced.
12.4(15)XZ - This command was removed.
This command is hidden in releases later than Cisco IOS Release 12.4(20)T, but it continues to work. The parameter-map type urlfpolicy command can also be used. This command is used to create URL filtering parameters for local, trend, Websense Internet filtering, and the N2H2 Internet blocking program. We recommend the use of the URL filter policy rather than the URL filter action for Cisco IOS Release 12.4(20)T. All the use-cases supported by URL filter as an action are also supported by URL filter policy.
Will try it out now.
ASKER
Interesting all sites are blocked by the content filtering.
parameter-map type urlfilter bad-sites
 exclusive-domain deny .cnet.com
class-map type inspect match-any bad-sites-cmap
 match protocol http
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ftp
 match protocol echo
 match protocol telnet
 match protocol msnmsgr
 match protocol ntp
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol ftps
 match protocol icmp
policy-map type inspect PMAP1
 class type inspect bad-sites-cmap
  inspect
  urlfilter bad-sites
 class type inspect CMAP1
  inspect
 class class-default
  drop
ASKER
Ok all fixed now.
It's fairly limited though because it cannot block https, but good to know how to do it.
parameter-map type urlfilter bad-sites
 allow-mode on <-- Needs this or it will block everything :)
 exclusive-domain deny .cnet.com
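For anyone landing on this thread later, here is the complete working configuration assembled from the posts above. This is an added example, not the asker's own paste: it combines the final urlfilter parameter map (with allow-mode on) with the class maps, policy map and zone pair shown earlier in the thread. The zone names inside/outside and the policy and class names are the ones used in the thread; the interface names and zone-member assignments are assumptions for a 1812, and CMAP1's protocol list has been trimmed to a few entries.

```cisco
! Added example (not the asker's configuration): complete ZBF local URL-filter setup
!
! 1. Local URL-filter parameter map.
!    allow-mode on is required: without it the filter fails closed and
!    blocks every site, which is what the asker hit first.
parameter-map type urlfilter bad-sites
 allow-mode on
 exclusive-domain deny .cnet.com
!
! 2. Class that selects the traffic the URL filter applies to.
!    Only HTTP is matched here; the thread reports this filter does not block HTTPS.
class-map type inspect match-any bad-sites-cmap
 match protocol http
!
! 3. General inspection class for the remaining permitted protocols
!    (trimmed from the longer list in the thread).
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
!
! 4. Inspect policy. Class order matters: the URL-filter class must come
!    before the general inspect class, and everything else is dropped.
policy-map type inspect PMAP1
 class type inspect bad-sites-cmap
  inspect
  urlfilter bad-sites
 class type inspect CMAP1
  inspect
 class class-default
  drop
!
! 5. Zones, zone membership and the zone pair.
!    Interface names are assumed placeholders; use the router's real LAN/WAN interfaces.
zone security inside
zone security outside
interface FastEthernet0
 zone-member security inside
interface FastEthernet1
 zone-member security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect PMAP1
!
! Verification from privileged EXEC:
!   show parameter-map type urlfilter bad-sites
!   show policy-map type inspect zone-pair in-to-out
```

Apply the parameter map before attaching the policy to the zone pair, then confirm with the two show commands that the urlfilter action is attached to bad-sites-cmap and that allow-mode is on; with allow-mode off, every HTTP request through the zone pair is dropped, not just the denied domain.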
ASKER
Provided a good source and example.
Helped to complete the majority of the configuration.
ASKER
Looking at the commands on the 15.1(M) it looks like things have changed around a bit.
I am guessing it is now urlfpolicy, but the options don't seem to be there for domain blocking.
The blockpage commands seem to be URL specific rather than domain specific.