Avatar of Techrunner
Techrunner asked on

Allow only certain websites from Cisco Router

Hello EE,

Please help me to configure the router. I have subnet 10.1.1.0/24 point to router as gateway to internet. I want to allow only specific websites through the Router and deny all rest traffic. I have Cisco 2921.

I would highly appreciate any suggestion.

Thanks
RoutersCiscoNetworking Hardware-Other

Avatar of undefined
Last Comment
Jody Lemoine

8/22/2022 - Mon
koudry

I suspect you need an infrastructure Access Control List (ACL). This will sit on your WAN and track your inbound traffic. You will need the IP addresses or subnets of the web sites that you need to permit or block. You can allow a certain protocol and ports, e.g. TCP application of www (port 80), https (port 443) and ftp.

Example:

!
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq www
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq 443
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq ftp
!
interface <WAN-interface>
ip access-group 110 in
!

Open in new window


There are Cisco guides on what to put on your infrastructure ACL including preventing DoS (Denial of Service) attack:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
ASKER
Techrunner

Hi,
Thanks for your response.

This what I have done and its working

access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.8.1

Note: Those are fictitious IP addresses

ip nat inside source list 100 interface gi0/0 overload

ip route 0.0.0.0 0.0.0.0 gi0/0
koudry

The syntax of the ACL does not look right. Since your destination is a single IP as opposed to a subnet, then you need to the "host" keyword to indicate that you are referring to a single IP address, e.g.

!
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.8.1
!

If you are 100% certain that the destination IP addresses are for websites only, then you can also configure your ACL to be specific to web traffic using the 3 ports I used above, e.g.

!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq 443
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq ftp
!

You will need to repeat this for each web site.  

Now that I see you using NAT, I suspect there will be other problems. But before I talk about those, can you tell me if there is a firewall device on the customer side.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER
Techrunner

Thanks.
At my side, I dont  have firewall ? What could be the NAT problems
What issues could be used my ACL syntax. Actually I don't have requirement to open specific ports. I can just allow IP.
koudry

Since you don't have firewall, you MAY need a security model on the router that comprises of:

(1) Embedded Cisco IOS firewall, i.e. "IP inspect" - goes on the LAN port inbound
(2) Infrastructure ACL like ACL 110 as indicated above - this sits on the WAN port inbound
(3) LAN side ACL - this sits on the LAN port inbound.

The idea is that, all networks from the customer LAN that hit the gateway router, must be vetted. The "IP inspect" firewall rule is that, if traffic is permitted from those networks coming from the customer LAN, return traffic must also be allowed to reach them from the Internet.

The Cisco IOS embedded firewall "IP inspect" will provide a stateful inspection of the traffic through the customer LAN port.  The Cisco stateful embedded IOS firewall configuration looks like this:

!
ip inspect name MyFirewall ftp timeout 3600
ip inspect name MyFirewall rcmd timeout 3600
ip inspect name MyFirewall tftp timeout 3600
ip inspect name MyFirewall udp timeout 600
ip inspect name MyFirewall tcp timeout 300
ip inspect name MyFirewall http java-list 11 timeout 3600      
!
access-list 11 permit any
!

Open in new window


The LAN ACL will look like this:
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 deny   ip any any
!

Open in new window


The WAN ACL 110:

!
access-list 110 permit ip  host 1.1.1.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.2.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.3.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.4.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.5.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.6.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.7.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.8.1 10.1.1.0 0.0.0.255
access-list 110 deny   ip any any
!

Open in new window



NAT config

!
!
ip nat translation udp-timeout 600
!
access-list 5 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 5 interface <WAN-interface> overload
!

Open in new window


Putting everything together:

LAN port:

!
interface <LAN-port>
 description Customer Lan
 ip address x.x.x.x 255.255.255.0
 [b]ip access-group 120 in[/b]
[b] ip inspect MyFirewall [/b]
[b] ip nat inside[/b]
!

Open in new window



WAN port:

!
interface <WAN-port>
 ip add x.x.x.x x.x.x.x
[b] ip access-group 110 in[/b]
[b] ip nat outside[/b]
!

Open in new window


The directions of your access lists and firewall, depend on what you are trying to achieve.  The reference material below, cover some scenarios that you may want to take a look at.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
ASKER
Techrunner

Hi.

Also I want to allow the clients to access URLs including the IP addresses


*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

I want to know how I can allow specific URL's on router for the subnet 10.1.1.0/24


Thanks
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
koudry

It is possible to use URL on your access list. The way it is implemented on routers, is that you will have to define a domain name on the router. The document below provides some some instructions.

http://www.techrepublic.com/article/block-access-to-a-web-site-using-the-cisco-ios/
ASKER
Techrunner

Hi koudry,

The problem is that website keeps on changing the IP address. I have been advised by verisign to open the following domain instead of IP addresses.


*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Is there any to overcome this ?

Thanks
ASKER
Techrunner

Please any help

Thanks
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER CERTIFIED SOLUTION
Jody Lemoine

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
Techrunner

Hi,

Thanks for the help. That's what exactly I need.

But need to clarify something, its not accepting wildcard entries

For example I wont allow urls

url1.domain.com
url2.domain.com
url2.domain.com

I have tried its not working *.domain.com
Jody Lemoine

You may be using an older IOS that doesn't handle the wildcards properly. I tested it on 15.1(4)M7 and it's working correctly. What version are you using?
ASKER
Techrunner

Hi

c2900-universalk9-mz.SPA.152-4.M3.bin"
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Techrunner

Also how about router 3725, wildcard entries will work ??
Jody Lemoine

Should work on that IOS. Not sure about the 3725 as it caps out at 12.4(15)T. Will have a look when I get into the office.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Techrunner

Dear Friend,

Thank You Thank You Thank You So Much.....Really I want to say thank you from the bottom of my heart.

You were really helpful.

Just a friendly question, If I need to ask any question related to cisco networks how can I grasp your attention on EE.

Thank you once again.

Samir
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Jody Lemoine

I don't know if EE really has a mechanism for flagging a specific expert, but I don't think they do. I try to keep an eye on Cisco-related topics, so it's likely that I'll spot you anyway. :)

Just for the record, the urlfilter functionality was added in 12.2S, so the 3725 shouldn't have any trouble at all.
ASKER
Techrunner

Can I give you personal email so I can send you Experts-exchange linke whenver I open a question.

Thanks
Jody Lemoine

I believe that's against EE's policies, so I don't advise it.

http://support.experts-exchange.com/customer/portal/articles/755976-can-i-post-my-email-address-in-a-question-?b_id=44

I'm a network specialist by trade and I don't always have time to get onto EE, so it's best if you field the question to everyone anyway.

Also, just because I had the answer to this one doesn't mean that I'll have anything for your next question. That's the real power of a community like this one: You get multiple perspectives from different people who know the technology. Then it's just a matter of picking the best solution.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Techrunner

Thanks
ASKER
Techrunner

Hi,

Just forgot to ask 1 thing

What if I want to give full internet access with no restrictions to some clients ? How I can put them in exception from the above defined url filtering.

Thanks
Jody Lemoine

It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class cm-other
  inspect
!
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
  service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.
Your help has saved me hundreds of hours of internet surfing.
fblack61