Solved

Allow only certain websites from Cisco Router

Posted on 2013-12-07
23
1,007 Views
Last Modified: 2013-12-14
Hello EE,

Please help me to configure the router. I have subnet 10.1.1.0/24 point to router as gateway to internet. I want to allow only specific websites through the Router and deny all rest traffic. I have Cisco 2921.

I would highly appreciate any suggestion.

Thanks
0
Comment
Question by:cciedreamer
  • 12
  • 7
  • 4
23 Comments
 
LVL 10

Expert Comment

by:koudry
Comment Utility
I suspect you need an infrastructure Access Control List (ACL). This will sit on your WAN and track your inbound traffic. You will need the IP addresses or subnets of the web sites that you need to permit or block. You can allow a certain protocol and ports, e.g. TCP application of www (port 80), https (port 443) and ftp.

Example:

!
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq www
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq 443
access-list 110 permit tcp host <website IP> 10.1.1.0 0.0.0.255 eq ftp
!
interface <WAN-interface>
ip access-group 110 in
!

Open in new window


There are Cisco guides on what to put on your infrastructure ACL including preventing DoS (Denial of Service) attack:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Hi,
Thanks for your response.

This what I have done and its working

access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.8.1

Note: Those are fictitious IP addresses

ip nat inside source list 100 interface gi0/0 overload

ip route 0.0.0.0 0.0.0.0 gi0/0
0
 
LVL 10

Expert Comment

by:koudry
Comment Utility
The syntax of the ACL does not look right. Since your destination is a single IP as opposed to a subnet, then you need to the "host" keyword to indicate that you are referring to a single IP address, e.g.

!
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.2.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.3.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.4.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.5.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.6.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.7.1
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 1.1.8.1
!

If you are 100% certain that the destination IP addresses are for websites only, then you can also configure your ACL to be specific to web traffic using the 3 ports I used above, e.g.

!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq 443
access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 1.1.1.1 eq ftp
!

You will need to repeat this for each web site.  

Now that I see you using NAT, I suspect there will be other problems. But before I talk about those, can you tell me if there is a firewall device on the customer side.
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Thanks.
At my side, I dont  have firewall ? What could be the NAT problems
What issues could be used my ACL syntax. Actually I don't have requirement to open specific ports. I can just allow IP.
0
 
LVL 10

Expert Comment

by:koudry
Comment Utility
Since you don't have firewall, you MAY need a security model on the router that comprises of:

(1) Embedded Cisco IOS firewall, i.e. "IP inspect" - goes on the LAN port inbound
(2) Infrastructure ACL like ACL 110 as indicated above - this sits on the WAN port inbound
(3) LAN side ACL - this sits on the LAN port inbound.

The idea is that, all networks from the customer LAN that hit the gateway router, must be vetted. The "IP inspect" firewall rule is that, if traffic is permitted from those networks coming from the customer LAN, return traffic must also be allowed to reach them from the Internet.

The Cisco IOS embedded firewall "IP inspect" will provide a stateful inspection of the traffic through the customer LAN port.  The Cisco stateful embedded IOS firewall configuration looks like this:

!
ip inspect name MyFirewall ftp timeout 3600
ip inspect name MyFirewall rcmd timeout 3600
ip inspect name MyFirewall tftp timeout 3600
ip inspect name MyFirewall udp timeout 600
ip inspect name MyFirewall tcp timeout 300
ip inspect name MyFirewall http java-list 11 timeout 3600      
!
access-list 11 permit any
!

Open in new window


The LAN ACL will look like this:
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 deny   ip any any
!

Open in new window


The WAN ACL 110:

!
access-list 110 permit ip  host 1.1.1.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.2.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.3.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.4.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.5.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.6.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.7.1 10.1.1.0 0.0.0.255
access-list 110 permit ip  host 1.1.8.1 10.1.1.0 0.0.0.255
access-list 110 deny   ip any any
!

Open in new window



NAT config

!
!
ip nat translation udp-timeout 600
!
access-list 5 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 5 interface <WAN-interface> overload
!

Open in new window


Putting everything together:

LAN port:

!
interface <LAN-port>
 description Customer Lan
 ip address x.x.x.x 255.255.255.0
 [b]ip access-group 120 in[/b]
[b] ip inspect MyFirewall [/b]
[b] ip nat inside[/b]
!

Open in new window



WAN port:

!
interface <WAN-port>
 ip add x.x.x.x x.x.x.x
[b] ip access-group 110 in[/b]
[b] ip nat outside[/b]
!

Open in new window


The directions of your access lists and firewall, depend on what you are trying to achieve.  The reference material below, cover some scenarios that you may want to take a look at.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Hi.

Also I want to allow the clients to access URLs including the IP addresses


*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

I want to know how I can allow specific URL's on router for the subnet 10.1.1.0/24


Thanks
0
 
LVL 10

Expert Comment

by:koudry
Comment Utility
It is possible to use URL on your access list. The way it is implemented on routers, is that you will have to define a domain name on the router. The document below provides some some instructions.

http://www.techrepublic.com/article/block-access-to-a-web-site-using-the-cisco-ios/
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Hi koudry,

The problem is that website keeps on changing the IP address. I have been advised by verisign to open the following domain instead of IP addresses.


*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Is there any to overcome this ?

Thanks
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Please any help

Thanks
0
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
Comment Utility
Here's how you go about it:

ip urlfilter allow-mode off
!
ip urlfilter exclusive-domain permit *.verisign.com
ip urlfilter exclusive-domain permit *.thawte.com
ip urlfilter exclusive-domain permit *.geotrust.com
ip urlfilter exclusive-domain permit *.rapidssl.com
ip urlfilter exclusive-domain permit *.digitalcertvalidation.com
ip urlfilter exclusive-domain permit *.ws.symantec.com
!
ip inspect name cbac-filter http urlfilter
!
interface FastEthernet0/0
 ip inspect cbac-filter in

Replace FastEthernet0/0 with the interface that connects to your 10.1.1.0/24 subnet. This will deep inspect http traffic entering on that interface and deny any request that doesn't contain one of the permitted URL patterns.
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Hi,

Thanks for the help. That's what exactly I need.

But need to clarify something, its not accepting wildcard entries

For example I wont allow urls

url1.domain.com
url2.domain.com
url2.domain.com

I have tried its not working *.domain.com
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 22

Expert Comment

by:Jody Lemoine
Comment Utility
You may be using an older IOS that doesn't handle the wildcards properly. I tested it on 15.1(4)M7 and it's working correctly. What version are you using?
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Hi

c2900-universalk9-mz.SPA.152-4.M3.bin"
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Also how about router 3725, wildcard entries will work ??
0
 
LVL 22

Expert Comment

by:Jody Lemoine
Comment Utility
Should work on that IOS. Not sure about the 3725 as it caps out at 12.4(15)T. Will have a look when I get into the office.
0
 
LVL 22

Assisted Solution

by:Jody Lemoine
Jody Lemoine earned 500 total points
Comment Utility
Although I have it working with *.domain.com, the documentation examples leave off the asterisk. Try this and see if it works any better:

ip urlfilter exclusive-domain permit .verisign.com

Jody
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Dear Friend,

Thank You Thank You Thank You So Much.....Really I want to say thank you from the bottom of my heart.

You were really helpful.

Just a friendly question, If I need to ask any question related to cisco networks how can I grasp your attention on EE.

Thank you once again.

Samir
0
 
LVL 22

Expert Comment

by:Jody Lemoine
Comment Utility
I don't know if EE really has a mechanism for flagging a specific expert, but I don't think they do. I try to keep an eye on Cisco-related topics, so it's likely that I'll spot you anyway. :)

Just for the record, the urlfilter functionality was added in 12.2S, so the 3725 shouldn't have any trouble at all.
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Can I give you personal email so I can send you Experts-exchange linke whenver I open a question.

Thanks
0
 
LVL 22

Expert Comment

by:Jody Lemoine
Comment Utility
I believe that's against EE's policies, so I don't advise it.

http://support.experts-exchange.com/customer/portal/articles/755976-can-i-post-my-email-address-in-a-question-?b_id=44

I'm a network specialist by trade and I don't always have time to get onto EE, so it's best if you field the question to everyone anyway.

Also, just because I had the answer to this one doesn't mean that I'll have anything for your next question. That's the real power of a community like this one: You get multiple perspectives from different people who know the technology. Then it's just a matter of picking the best solution.
0
 
LVL 3

Author Closing Comment

by:cciedreamer
Comment Utility
Thanks
0
 
LVL 3

Author Comment

by:cciedreamer
Comment Utility
Hi,

Just forgot to ask 1 thing

What if I want to give full internet access with no restrictions to some clients ? How I can put them in exception from the above defined url filtering.

Thanks
0
 
LVL 22

Expert Comment

by:Jody Lemoine
Comment Utility
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class cm-other
  inspect
!
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
  service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now