Allow only certain websites from Cisco Router

Hello EE,

Please help me to configure the router. I have subnet 10.1.1.0/24 point to router as gateway to internet. I want to allow only specific websites through the Router and deny all rest traffic. I have Cisco 2921.

I would highly appreciate any suggestion.

Thanks
LVL 3
cciedreamerAsked:
Who is Participating?
 
Jody LemoineConnect With a Mentor Network ArchitectCommented:
Here's how you go about it:

ip urlfilter allow-mode off
!
ip urlfilter exclusive-domain permit *.verisign.com
ip urlfilter exclusive-domain permit *.thawte.com
ip urlfilter exclusive-domain permit *.geotrust.com
ip urlfilter exclusive-domain permit *.rapidssl.com
ip urlfilter exclusive-domain permit *.digitalcertvalidation.com
ip urlfilter exclusive-domain permit *.ws.symantec.com
!
ip inspect name cbac-filter http urlfilter
!
interface FastEthernet0/0
 ip inspect cbac-filter in

Replace FastEthernet0/0 with the interface that connects to your 10.1.1.0/24 subnet. This will deep inspect http traffic entering on that interface and deny any request that doesn't contain one of the permitted URL patterns.
0
 
koudryCommented:
I suspect you need an infrastructure Access Control List (ACL). This will sit on your WAN and track your inbound traffic. You will need the IP addresses or subnets of the web sites that you need to permit or block. You can allow a certain protocol and ports, e.g. TCP application of www (port 80), https (port 443) and ftp.

Example:

!
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq www
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq 443
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq ftp
!
interface <WAN-interface>
ip access-group 110 in
!

Open in new window


There are Cisco guides on what to put on your infrastructure ACL including preventing DoS (Denial of Service) attack:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
0
 
cciedreamerAuthor Commented:
Hi,
Thanks for your response.

This what I have done and its working

access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.8.1

Note: Those are fictitious IP addresses

ip nat inside source list 100 interface gi0/0 overload

ip route 0.0.0.0 0.0.0.0 gi0/0
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
koudryCommented:
The syntax of the ACL does not look right. Since your destination is a single IP as opposed to a subnet, then you need to the "host" keyword to indicate that you are referring to a single IP address, e.g.

!
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.8.1
!

If you are 100% certain that the destination IP addresses are for websites only, then you can also configure your ACL to be specific to web traffic using the 3 ports I used above, e.g.

!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq 443
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq ftp
!

You will need to repeat this for each web site.  

Now that I see you using NAT, I suspect there will be other problems. But before I talk about those, can you tell me if there is a firewall device on the customer side.
0
 
cciedreamerAuthor Commented:
Thanks.
At my side, I dont  have firewall ? What could be the NAT problems
What issues could be used my ACL syntax. Actually I don't have requirement to open specific ports. I can just allow IP.
0
 
koudryCommented:
Since you don't have firewall, you MAY need a security model on the router that comprises of:

(1) Embedded Cisco IOS firewall, i.e. "IP inspect" - goes on the LAN port inbound
(2) Infrastructure ACL like ACL 110 as indicated above - this sits on the WAN port inbound
(3) LAN side ACL - this sits on the LAN port inbound.

The idea is that, all networks from the customer LAN that hit the gateway router, must be vetted. The "IP inspect" firewall rule is that, if traffic is permitted from those networks coming from the customer LAN, return traffic must also be allowed to reach them from the Internet.

The Cisco IOS embedded firewall "IP inspect" will provide a stateful inspection of the traffic through the customer LAN port.  The Cisco stateful embedded IOS firewall configuration looks like this:

!
ip inspect name MyFirewall ftp timeout 3600
ip inspect name MyFirewall rcmd timeout 3600
ip inspect name MyFirewall tftp timeout 3600
ip inspect name MyFirewall udp timeout 600
ip inspect name MyFirewall tcp timeout 300
ip inspect name MyFirewall http java-list 11 timeout 3600      
!
access-list 11 permit any
!

Open in new window


The LAN ACL will look like this:
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 deny   ip any any
!

Open in new window


The WAN ACL 110:

!
access-list 110 permit ip  host 1.1.1.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.2.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.3.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.4.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.5.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.6.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.7.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.8.1 10.1.1.0 0.0.0.255
access-list 110 deny   ip any any
!

Open in new window



NAT config

!
!
ip nat translation udp-timeout 600
!
access-list 5 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 5 interface <WAN-interface> overload
!

Open in new window


Putting everything together:

LAN port:

!
interface <LAN-port>
 description Customer Lan
 ip address x.x.x.x 255.255.255.0
 [b]ip access-group 120 in[/b]
[b] ip inspect MyFirewall [/b]
[b] ip nat inside[/b]
!

Open in new window



WAN port:

!
interface <WAN-port>
 ip add x.x.x.x x.x.x.x
[b] ip access-group 110 in[/b]
[b] ip nat outside[/b]
!

Open in new window


The directions of your access lists and firewall, depend on what you are trying to achieve.  The reference material below, cover some scenarios that you may want to take a look at.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 
cciedreamerAuthor Commented:
Hi.

Also I want to allow the clients to access URLs including the IP addresses


*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

I want to know how I can allow specific URL's on router for the subnet 10.1.1.0/24


Thanks
0
 
koudryCommented:
It is possible to use URL on your access list. The way it is implemented on routers, is that you will have to define a domain name on the router. The document below provides some some instructions.

http://www.techrepublic.com/article/block-access-to-a-web-site-using-the-cisco-ios/
0
 
cciedreamerAuthor Commented:
Hi koudry,

The problem is that website keeps on changing the IP address. I have been advised by verisign to open the following domain instead of IP addresses.


*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Is there any to overcome this ?

Thanks
0
 
cciedreamerAuthor Commented:
Please any help

Thanks
0
 
cciedreamerAuthor Commented:
Hi,

Thanks for the help. That's what exactly I need.

But need to clarify something, its not accepting wildcard entries

For example I wont allow urls

url1.domain.com
url2.domain.com
url2.domain.com

I have tried its not working *.domain.com
0
 
Jody LemoineNetwork ArchitectCommented:
You may be using an older IOS that doesn't handle the wildcards properly. I tested it on 15.1(4)M7 and it's working correctly. What version are you using?
0
 
cciedreamerAuthor Commented:
Hi

c2900-universalk9-mz.SPA.152-4.M3.bin"
0
 
cciedreamerAuthor Commented:
Also how about router 3725, wildcard entries will work ??
0
 
Jody LemoineNetwork ArchitectCommented:
Should work on that IOS. Not sure about the 3725 as it caps out at 12.4(15)T. Will have a look when I get into the office.
0
 
Jody LemoineConnect With a Mentor Network ArchitectCommented:
Although I have it working with *.domain.com, the documentation examples leave off the asterisk. Try this and see if it works any better:

ip urlfilter exclusive-domain permit .verisign.com

Jody
0
 
cciedreamerAuthor Commented:
Dear Friend,

Thank You Thank You Thank You So Much.....Really I want to say thank you from the bottom of my heart.

You were really helpful.

Just a friendly question, If I need to ask any question related to cisco networks how can I grasp your attention on EE.

Thank you once again.

Samir
0
 
Jody LemoineNetwork ArchitectCommented:
I don't know if EE really has a mechanism for flagging a specific expert, but I don't think they do. I try to keep an eye on Cisco-related topics, so it's likely that I'll spot you anyway. :)

Just for the record, the urlfilter functionality was added in 12.2S, so the 3725 shouldn't have any trouble at all.
0
 
cciedreamerAuthor Commented:
Can I give you personal email so I can send you Experts-exchange linke whenver I open a question.

Thanks
0
 
Jody LemoineNetwork ArchitectCommented:
I believe that's against EE's policies, so I don't advise it.

http://support.experts-exchange.com/customer/portal/articles/755976-can-i-post-my-email-address-in-a-question-?b_id=44

I'm a network specialist by trade and I don't always have time to get onto EE, so it's best if you field the question to everyone anyway.

Also, just because I had the answer to this one doesn't mean that I'll have anything for your next question. That's the real power of a community like this one: You get multiple perspectives from different people who know the technology. Then it's just a matter of picking the best solution.
0
 
cciedreamerAuthor Commented:
Thanks
0
 
cciedreamerAuthor Commented:
Hi,

Just forgot to ask 1 thing

What if I want to give full internet access with no restrictions to some clients ? How I can put them in exception from the above defined url filtering.

Thanks
0
 
Jody LemoineNetwork ArchitectCommented:
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class cm-other
  inspect
!
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
  service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.