Eirejp (Japan) asked:
Cisco IOS ZBF - Blocking websites with ZBF Parameter Maps?

Hi All,

Trying out ZBFs on my Cisco 1812 running IOS 15.1(4)M.

I seem to have my inspection working for outgoing traffic, but I want to block users from reaching certain websites. In this example I am using cnet.com.

I have set up the parameter map called BLOCK with the server names and assigned CMAP2 to inspect http.

Any help to let me know where I went wrong would be great!
parameter-map type protocol-info BLOCK
 server name cnet.com
 server name www.cnet.com
class-map type inspect match-any CMAP2
 description blocking certain websites
 match protocol http BLOCK
 match protocol https BLOCK
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ftp
 match protocol echo
 match protocol telnet
 match protocol msnmsgr
 match protocol ntp
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol ftps
 match protocol icmp
!
!
policy-map type inspect PMAP1
 class type inspect CMAP2
  drop log
 class type inspect CMAP1
  inspect
 class class-default
  drop
zone-pair security in-to-out source inside destination outside
 service-policy type inspect PMAP1

ASKER CERTIFIED SOLUTION
Frabble (United Kingdom)
Eirejp (asker):

Thanks, this helps a lot.

Looking at the commands on 15.1(M), it looks like things have changed around a bit.

I am guessing it is now urlfpolicy, but the options don't seem to be there for domain blocking.

The block-page commands seem to be URL specific rather than domain specific.
hostname(config)#parameter-map type ?
  consent        Parameter type consent
  inspect        inspect parameter-map
  ooo            TCP out-of-order parameter-map for FW and IPS
  protocol-info  protocol-info parameter-map
  regex          regex parameter-map
  trend-global   Trend global parameter-map
  urlf-glob      URLF glob parameter-map
  urlfpolicy     Parameter maps for urlfilter policy

hostname(config)#parameter-map type urlfpolicy local bad
hostname(config-profile)#?
parameter-map commands:
  alert       Enable alerts
  allow-mode  Turn on/off allow-mode
  block-page  Specify the method to display block page
  exit        Exit from parameter-map
  no          Negate or set default values of a command

hostname(config-profile)#block-page ?
  message       Explanation for block page
  redirect-url  url beginning with http://


djcapone:

Not overly familiar with ZBF, however...

You look to be in the configuration mode for the URL filtering POLICY, and the commands you have listed are essentially for the redirect page you would send a user to when they attempt to access a blocked web page.

You have:

parameter-map type urlfpolicy
                                ^^^^^
instead of

parameter-map type urlfilter
Eirejp (asker):

Thanks. Actually, I just found out the command is now hidden:

12.4(6)T - This command was introduced.
12.4(15)XZ - This command was removed.

This command is hidden in releases later than Cisco IOS Release 12.4(20)T, but it continues to work. The parameter-map type urlfpolicy command can also be used. This command is used to create URL filtering parameters for local, trend, Websense Internet filtering, and the N2H2 Internet blocking program. We recommend the use of the URL filter policy rather than the URL filter action for Cisco IOS Release 12.4(20)T. All the use-cases supported by URL filter as an action are also supported by URL filter policy.

Will try it out now.
Eirejp (asker):

Interesting, all sites are blocked by the content filtering.

parameter-map type urlfilter bad-sites
 exclusive-domain deny .cnet.com

class-map type inspect match-any bad-sites-cmap
 match protocol http
class-map type inspect match-any CMAP1
 description CMAP1 designated for in-to-out traffic
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ftp
 match protocol echo
 match protocol telnet
 match protocol msnmsgr
 match protocol ntp
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol ftps
 match protocol icmp

policy-map type inspect PMAP1
 class type inspect bad-sites-cmap
  inspect
  urlfilter bad-sites
 class type inspect CMAP1
  inspect
 class class-default
  drop


Eirejp (asker):

Ok all fixed now.

parameter-map type urlfilter bad-sites
 allow-mode on   <-- Needs this or it will block everything :)
 exclusive-domain deny .cnet.com


It's fairly limited though, because it cannot block HTTPS, but it's good to know how to do it.
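An added example (editor's code, not the poster's configuration and not Cisco code): a small Python model of the local `parameter-map type urlfilter` decision, used to check what the two configurations in this thread would do to a list of hostnames before pushing them to a router. The matching rules are assumptions stated in the comments: a leading dot (`.cnet.com`) matches the domain and all of its subdomains, a bare name matches only that exact host, and an unlisted host falls through to allow-mode, which is the behaviour the poster observed (everything blocked until `allow-mode on` was added). Like the real feature, it only applies to traffic classified as HTTP; the HTTPS caveat above still holds.

```python
"""Model of the local IOS urlfilter parameter-map decision (editor's example).
Not Cisco code; the matching semantics below are assumptions, not documentation."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UrlFilterParamMap:
    name: str
    allow_mode: bool = False          # off unless the config says otherwise (assumption)
    deny: List[str] = field(default_factory=list)
    permit: List[str] = field(default_factory=list)


def parse_parameter_map(config: str) -> Optional[UrlFilterParamMap]:
    """Parse one IOS `parameter-map type urlfilter NAME` block from config text."""
    pm = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[:3] == ["parameter-map", "type", "urlfilter"] and len(parts) == 4:
            pm = UrlFilterParamMap(name=parts[3])
        elif pm is None:
            continue                  # lines before the parameter-map header are ignored
        elif parts[0] == "allow-mode" and len(parts) == 2:
            pm.allow_mode = parts[1] == "on"
        elif parts[0] == "exclusive-domain" and len(parts) == 3 and parts[1] in ("permit", "deny"):
            (pm.deny if parts[1] == "deny" else pm.permit).append(parts[2].lower())
    return pm


def host_matches(pattern: str, host: str) -> bool:
    """Assumed semantics: '.cnet.com' matches cnet.com and every subdomain;
    'www.cnet.com' (no leading dot) matches that exact host only."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def decide(pm: UrlFilterParamMap, host: str) -> str:
    """Return 'deny' or 'permit' for an HTTP request whose Host header is `host`.
    Deny entries are checked first, then permit entries; an unlisted host is
    permitted only when allow-mode is on (assumption matching the thread's result)."""
    if any(host_matches(p, host) for p in pm.deny):
        return "deny"
    if any(host_matches(p, host) for p in pm.permit):
        return "permit"
    return "permit" if pm.allow_mode else "deny"


# Constructed inputs: the poster's first attempt and the fixed version from the thread.
BROKEN_CONFIG = """
parameter-map type urlfilter bad-sites
 exclusive-domain deny .cnet.com
"""

FIXED_CONFIG = """
parameter-map type urlfilter bad-sites
 allow-mode on
 exclusive-domain deny .cnet.com
"""


def compare(hosts):
    """Per host: (decision without allow-mode, decision with allow-mode on)."""
    broken = parse_parameter_map(BROKEN_CONFIG)
    fixed = parse_parameter_map(FIXED_CONFIG)
    return {h: (decide(broken, h), decide(fixed, h)) for h in hosts}


if __name__ == "__main__":
    sample = ["www.cnet.com", "cnet.com", "download.cnet.com", "notcnet.com", "www.example.com"]
    for host, (before, after) in compare(sample).items():
        print(f"{host:20s} without allow-mode: {before:6s} with allow-mode on: {after}")
```

Running it shows the broken map denying every host, while the fixed map denies only cnet.com and its subdomains (notcnet.com is not a subdomain and is permitted).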
Eirejp (asker):

Provided a good source and an example.

Helped to complete the majority of the configuration.