Solved

URL Filter on Cisco Router

Posted on 2013-12-14
1,588 Views
Last Modified: 2013-12-23
Dear EE,

With reference to my previous question, which is already answered, I forgot to ask about/clarify 2 things:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28313232.html

However, I will just give a brief summary.

I have configured our Cisco router to filter URLs, that is, to allow only specific URLs and block other websites. I have got 2 questions in this context:
 
- How can I apply it only for some specific users? Meaning, for some users I want to give full access.
- I have noticed it's filtering HTTPS websites? How can I deny HTTPS websites?
 
This is my router config:

R2#sh running-config
Building configuration...
 
 
Current configuration : 2460 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
ip inspect name cbac-filter http urlfilter
ip inspect name cbac-filter https
!
!
no ip domain lookup
ip urlfilter exclusive-domain permit .youtube.com
ip urlfilter exclusive-domain permit .facebook.com
ip urlfilter exclusive-domain permit .dailymotion.com
 
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX

interface FastEthernet0/0
ip address 1.1.1.1  255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.150.100 255.255.255.0
ip inspect cbac-filter in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
 
TIA and Best Regards
Question by:cciedreamer
5 Comments
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class type inspect cm-other
  inspect
!
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
  service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.

Unfortunately, you can't filter HTTPS web sites by URL because the router can't deep-inspect encrypted traffic. If you really need to do this, it's better to put in a proxy server and restrict your traffic at the application level.
0
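To make the fall-through behaviour described above concrete, here is an added example (not code from the thread or from Cisco) that models how the posted policy-map classifies a flow leaving the inside zone. It assumes the usual IOS ZBF semantics: classes are evaluated in policy-map order and the first match wins, a "match-all" class needs every match line, a "match-any" class needs one, and a flow that matches no class lands in class-default, which drops in an inspect policy. The subnet, protocol names and exclusive-domain list are taken from the posted configuration; the Flow objects and the host names are constructed for the demonstration. The domain matcher goes a little beyond the answer by showing why a leading-dot pattern must match only at a label boundary.

```python
# Added example: a model of the zone-based policy from the accepted answer.
# Not the router's code; ZBF evaluation rules below are stated assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    transport: str      # "tcp", "udp", "icmp", or something the policy ignores
    app: str = ""       # "http", "https", "ftp", or "" for plain transport


# ip access-list extended acl-http-restricted
#  permit ip 10.1.1.0 0.0.0.255 any
ACL_HTTP_RESTRICTED = [ipaddress.ip_network("10.1.1.0/24")]

# parameter-map type urlfilter pmap-urls, allow-mode off: only these pass
EXCLUSIVE_DOMAIN_PERMIT = [".verisign.com", ".thawte.com", ".geotrust.com",
                           ".rapidssl.com", ".digitalcertvalidation.com",
                           ".ws.symantec.com"]


def acl_permits(src_ip: str) -> bool:
    """'match access-group name acl-http-restricted' is true for sources in the ACL."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ACL_HTTP_RESTRICTED)


def cm_http_restricted(flow: Flow) -> bool:
    """class-map match-all: needs BOTH the ACL match AND 'match protocol http'."""
    return flow.app == "http" and acl_permits(flow.src_ip)


def cm_other(flow: Flow) -> bool:
    """class-map match-any: ftp, or any tcp/udp/icmp flow.
    HTTP that the ACL did not permit, and all HTTPS, ends up here."""
    return flow.app == "ftp" or flow.transport in {"tcp", "udp", "icmp"}


# policy-map type inspect pm-inside-out, in order (first match wins)
POLICY_PM_INSIDE_OUT: List[Tuple[str, Callable[[Flow], bool], Tuple[str, ...]]] = [
    ("cm-http-restricted", cm_http_restricted, ("inspect", "urlfilter pmap-urls")),
    ("cm-other", cm_other, ("inspect",)),
]


def classify(flow: Flow) -> Tuple[str, Tuple[str, ...]]:
    """Return (class name, actions) for a flow crossing zone-pair inside-out."""
    for name, matcher, actions in POLICY_PM_INSIDE_OUT:
        if matcher(flow):
            return name, actions
    return "class-default", ("drop",)   # assumption: inspect policy default


def url_filtered(flow: Flow) -> bool:
    """True only when the flow reaches the class carrying 'urlfilter pmap-urls'."""
    return "urlfilter pmap-urls" in classify(flow)[1]


def domain_permitted(host: str) -> bool:
    """Model of 'exclusive-domain permit .example.com': the domain itself and its
    subdomains. Assumption: a leading-dot entry is a suffix match anchored at a
    label boundary, so 'evil-example.com' and 'example.com.attacker.test' fail."""
    host = host.lower().rstrip(".")
    for pattern in EXCLUSIVE_DOMAIN_PERMIT:
        if host == pattern.lstrip(".") or host.endswith(pattern):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample flows: restricted LAN user, unrestricted user, HTTPS
    samples = [Flow("10.1.1.5", "tcp", "http"),
               Flow("10.1.1.5", "tcp", "https"),
               Flow("192.168.150.20", "tcp", "http"),
               Flow("10.1.1.5", "icmp"),
               Flow("10.1.1.5", "gre")]
    for f in samples:
        cls, actions = classify(f)
        print(f"{f.src_ip:16} {f.transport:5} {f.app:6} -> {cls:20} {actions}")
    for h in ["www.verisign.com", "evil-verisign.com", "verisign.com.attacker.test"]:
        print(f"{h:30} permitted={domain_permitted(h)}")
```

Running it shows the two points in the answer side by side: only HTTP from 10.1.1.0/24 reaches the urlfilter action, while HTTPS from the same host is inspected as plain TCP in cm-other and is never URL-filtered, which is why the answer recommends a proxy for HTTPS control.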
 
LVL 3

Author Comment

by:cciedreamer
Hi,

Thanks for your reply.
Well, I am not sure whether my router supports zone-based firewall, because under

parameter-map type inspect urlfilter

I cannot find allowed mode on/off.


Thanks
0
 
LVL 22

Expert Comment

by:Jody Lemoine
You're using the wrong type of parameter map. Try "parameter-map type urlfilter" instead of "parameter-map type inspect" and see if "allow-mode off" is available. There are different commands available depending on the map type.
0
 
LVL 3

Author Comment

by:cciedreamer
Hi,
I'll give it a try.

Please can you also help me with this question:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28319057.html#a39722045

Thanks, I really appreciate your support.
0
 
LVL 3

Author Closing Comment

by:cciedreamer
Thanks
0
