Solved

URL Filter on Cisco Router

Posted on 2013-12-14
Last Modified: 2013-12-23
Dear EE,

With reference to my previous question, which is already answered, I forgot to ask about two things:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28313232.html

However, I will give a brief summary here.

I have configured our Cisco router to filter URLs, that is, to allow only specific URLs and block other websites. I have two questions in this context:
 
- How can I apply it only to some specific users? Meaning, for some users I want to give full access.
- I have noticed it's filtering HTTPS websites? How can I deny HTTPS websites?
 
This is my router config:

R2#sh running-config
Building configuration...
 
 
Current configuration : 2460 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
ip inspect name cbac-filter http urlfilter
ip inspect name cbac-filter https
!
!
no ip domain lookup
ip urlfilter exclusive-domain permit .youtube.com
ip urlfilter exclusive-domain permit .facebook.com
ip urlfilter exclusive-domain permit .dailymotion.com
 
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX

interface FastEthernet0/0
ip address 1.1.1.1  255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.150.100 255.255.255.0
ip inspect cbac-filter in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
 
TIA and Best Regards
Question by:cciedreamer
 
Accepted Solution

by: Jody Lemoine (earned 500 total points)
ID: 39719539
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class type inspect cm-other
  inspect
!
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
  service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.

Unfortunately, you can't filter HTTPS web sites by URL because the router can't deep-inspect encrypted traffic. If you really need to do this, it's better to put in a proxy server and restrict your traffic at the application level.
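To make the matching logic of the accepted answer concrete, here is an added example (not part of the original thread or of Cisco IOS) that models how the zone-based policy above decides a flow: the match-all class fires only when the source passes the wildcard-mask ACL AND the protocol is HTTP, everything else falls through to cm-other and is inspected without URL filtering, and within the filtered class the exclusive-domain list acts as an allow-list because allow-mode is off and no URL filter server is configured. The ACL entries, domain entries and sample flows are constructed; the leading-dot suffix semantics is the documented IOS behaviour.

```python
"""Model of the answer's ZBF policy: which flows get URL filtering and how the
exclusive-domain allow-list decides a hostname (constructed tables below)."""
import ipaddress

# ip access-list extended acl-http-restricted: (action, network, wildcard mask)
ACL_HTTP_RESTRICTED = [("permit", "10.1.1.0", "0.0.0.255")]
# parameter-map type urlfilter pmap-urls: leading dot = domain and its subdomains
EXCLUSIVE_DOMAINS = [("permit", ".verisign.com"), ("permit", ".thawte.com")]
# allow-mode off: a hostname matching no entry is dropped when no filter server answers
ALLOW_MODE = False

def acl_permits(src_ip: str) -> bool:
    """Evaluate a wildcard-mask ACL as IOS does: first match wins, implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in ACL_HTTP_RESTRICTED:
        care_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # 0 in wildcard = must match
        if ip & care_bits == int(ipaddress.IPv4Address(net)) & care_bits:
            return action == "permit"
    return False

def classify(src_ip: str, protocol: str) -> str:
    """match-all cm-http-restricted needs BOTH the ACL hit and protocol http."""
    if protocol == "http" and acl_permits(src_ip):
        return "cm-http-restricted"
    return "cm-other"  # inspected, but no urlfilter action attached

def domain_decision(host: str) -> str:
    """Apply the exclusive-domain list; fall back to allow-mode on no match."""
    host = host.lower().rstrip(".")
    for action, entry in EXCLUSIVE_DOMAINS:
        if entry.startswith("."):
            hit = host == entry[1:] or host.endswith(entry)
        else:
            hit = host == entry
        if hit:
            return action
    return "permit" if ALLOW_MODE else "deny"

def evaluate(src_ip: str, protocol: str, host: str) -> str:
    """Full decision for one flow: 'pass' means not URL-filtered at all."""
    if classify(src_ip, protocol) != "cm-http-restricted":
        # HTTPS always lands here: the router never sees the URL inside TLS
        return "pass"
    return domain_decision(host)

if __name__ == "__main__":
    for flow in [("10.1.1.7", "http", "www.thawte.com"), ("10.1.1.7", "http", "example.com"),
                 ("10.1.2.7", "http", "example.com"), ("10.1.1.7", "https", "example.com")]:
        print(flow, "->", evaluate(*flow))
```

Note that a host such as notverisign.com does not match `.verisign.com`, since the suffix test includes the dot.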
 

Author Comment

by:cciedreamer
ID: 39719598
Hi,

Thanks for your reply
Well, I am not sure whether my router supports zone-based firewall, because under

parameter-map type inspect urlfilter

I cannot find allowed mode on/off


Thanks
 

Expert Comment

by:Jody Lemoine
ID: 39721359
You're using the wrong type of parameter map. Try "parameter-map type urlfilter" instead of "parameter-map type inspect" and see if "allow-mode off" is available. There are different commands available depending on the map type.
 

Author Comment

by:cciedreamer
ID: 39722062
Hi,
I'll give it a try.

Please, can you also help me with this question:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28319057.html#a39722045

Thanks I really appreciate your support.
 

Author Closing Comment

by:cciedreamer
ID: 39736219
Thanks