Cisco IOS ZBF - Blocking websites with ZBF Parameter Maps?

Posted on 2011-05-01
Last Modified: 2012-05-11
Hi All,

Trying out ZBFs on my Cisco 1812 running IOS 15.1(4)M.

I seem to have my inspection working for outgoing traffic but I was wanting to block users from reaching certain websites. In this example I am using cnet.com.

I have setup the parameter map called BLOCK with the server names and assigned CMAP2 to inspect http.

Any help to let me know where I went wrong would be great!

parameter-map type protocol-info BLOCK
 server name cnet.com
 server name www.cnet.com
class-map type inspect match-any CMAP2
 description blocking certain websites
 match protocol http BLOCK
 match protocol https BLOCK
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ftp
 match protocol echo
 match protocol telnet
 match protocol msnmsgr
 match protocol ntp
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol ftps
 match protocol icmp
!
!
policy-map type inspect PMAP1
 class type inspect CMAP2
  drop log
 class type inspect CMAP1
  inspect
 class class-default
  drop
zone-pair security in-to-out source inside destination outside
 service-policy type inspect PMAP1

Question by: Eirejp

Accepted Solution by: Frabble (ID: 35502095)
The server name and IP addresses in parameter-map type protocol-info are for Instant Messenger inspections.
What I think you want to do is URL filtering. Check out the examples for this in Cisco ZBF reference at:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

In your case it would be something like:

parameter-map type urlfilter BLOCK
 exclusive-domain deny .cnet.com
!
class-map type inspect match-any webstuff-cmap
 match protocol http
 match protocol https
!
policy-map type inspect PMAP1
 class type inspect webstuff-cmap
  inspect
  urlfilter BLOCK
 class type inspect CMAP1
  inspect
etc.

Author Comment by: Eirejp (ID: 35502212)
Thanks this helps a lot.

Looking at the commands on the 15.1(M) it looks like things have changed around a bit.

I am guessing it is now urlfpolicy but the options don't seem to be there for domain blocking.

The blockpage commands seem to be URL-specific rather than domain-specific.

hostname(config)#parameter-map type ?
  consent        Parameter type consent
  inspect        inspect parameter-map
  ooo            TCP out-of-order parameter-map for FW and IPS
  protocol-info  protocol-info parameter-map
  regex          regex parameter-map
  trend-global   Trend global parameter-map
  urlf-glob      URLF glob parameter-map
  urlfpolicy     Parameter maps for urlfilter policy

hostname(config)#parameter-map type urlfpolicy local bad
hostname(config-profile)#?
parameter-map commands:
  alert       Enable alerts
  allow-mode  Turn on/off allow-mode
  block-page  Specify the method to display block page
  exit        Exit from parameter-map
  no          Negate or set default values of a command

hostname(config-profile)#block-page ?
  message       Explanation for block page
  redirect-url  url beginning with http://

Expert Comment by: djcapone (ID: 35502537)
Not overly familiar with ZBF, however...

You looked to be in the configuration mode for URL filtering POLICY, and the commands you have listed are essentially for the redirect page you would send a user to who attempts to access a blocked web page.

You have:

parameter-map type urlfpolicy
                                ^^^^^
instead of

parameter-map type urlfilter

Author Comment by: Eirejp (ID: 35502558)
Thanks. Actually just found out the command is now hidden

12.4(6)T - This command was introduced.
12.4(15)XZ - This command was removed.

This command is hidden in releases later than Cisco IOS Release 12.4(20)T, but it continues to work. The parameter-map type urlfpolicy command can also be used. This command is used to create URL filtering parameters for local, trend, Websense Internet filtering, and the N2H2 Internet blocking program. We recommend the use of the URL filter policy rather than the URL filter action for Cisco IOS Release 12.4(20)T. All the use-cases supported by URL filter as an action are also supported by URL filter policy.

Will try it out now.

Author Comment by: Eirejp (ID: 35502585)
Interesting, all sites are blocked by the content filtering.

parameter-map type urlfilter bad-sites
 exclusive-domain deny .cnet.com

class-map type inspect match-any bad-sites-cmap
 match protocol http
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ftp
 match protocol echo
 match protocol telnet
 match protocol msnmsgr
 match protocol ntp
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol ftps
 match protocol icmp

policy-map type inspect PMAP1
 class type inspect bad-sites-cmap
  inspect
  urlfilter bad-sites
 class type inspect CMAP1
  inspect
 class class-default
  drop

Author Comment by: Eirejp (ID: 35695299)
Ok all fixed now.

parameter-map type urlfilter bad-sites
 ! Needs this or it will block everything :)
 allow-mode on
 exclusive-domain deny .cnet.com

It's fairly limited though because it cannot block https, but good to know how to do it.

Author Closing Comment by: Eirejp (ID: 35695303)
Provided a good source and example.

Helped to complete the majority of the configuration.
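
The three pitfalls this thread runs into (a protocol-info map attached to http/https, a urlfilter map without allow-mode on, and urlfilter applied to a class that also matches https) can be checked mechanically before a config is pushed. The linter below is an added example, not part of the original thread or of any Cisco tooling; the helper names `parse_blocks` and `lint_zbf` and the finding labels are hypothetical, and the sample config is constructed from the snippets posted above.

```python
import re
# Constructed sample: the question's CMAP2 plus the first urlfilter attempt from the thread.
SAMPLE = """parameter-map type protocol-info BLOCK
 server name cnet.com
parameter-map type urlfilter bad-sites
 exclusive-domain deny .cnet.com
class-map type inspect match-any CMAP2
 match protocol http BLOCK
class-map type inspect match-any webstuff-cmap
 match protocol http
 match protocol https
policy-map type inspect PMAP1
 class type inspect webstuff-cmap
  inspect
  urlfilter bad-sites
"""

def parse_blocks(config):
    """Map each top-level command to the list of lines in its block (header first)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # skip blanks and '!' comment lines
        if line[0] != " ":
            current = line.strip()        # unindented line starts a new block
        blocks.setdefault(current, []).append(line.strip())
    return blocks

def lint_zbf(config):
    """Return sorted (finding, object name) pairs for the three pitfalls in the thread."""
    blocks, found = parse_blocks(config), set()
    named = lambda prefix: {h.split()[-1]: b for h, b in blocks.items() if h and h.startswith(prefix)}
    pinfo, urlf = named("parameter-map type protocol-info "), named("parameter-map type urlfilter ")
    cmaps = named("class-map type inspect ")
    for name, body in cmaps.items():      # IM-only map attached to http/https
        refs = re.findall(r"^match protocol https? (\S+)$", "\n".join(body), re.M)
        if set(refs) & set(pinfo):
            found.add(("protocol-info-on-web", name))
    for name, body in urlf.items():       # blocked every site in the thread
        if "allow-mode on" not in body:
            found.add(("urlfilter-no-allow-mode", name))
    for body in named("policy-map type inspect ").values():
        cls = None                        # class the following actions belong to
        for cmd in body:
            if cmd.startswith("class "):
                cls = cmd.split()[-1]
            elif cmd.startswith("urlfilter ") and "match protocol https" in cmaps.get(cls, []):
                found.add(("https-not-filtered", cls))   # thread: urlfilter cannot block https
    return sorted(found)
```

Run `lint_zbf()` on the text of a saved running-config; an empty list means none of the three patterns is present.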