Solved

URL Filter on Cisco Router

Posted on 2013-12-14
Last Modified: 2013-12-23
Dear EE,

With reference to my previous question, which is already answered, I forgot to ask for clarification on 2 things.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28313232.html

However, I will just give a brief summary.

I have configured our Cisco router to filter URLs, that is, to allow only specific URLs and block other websites. I have got 2 questions in this context:
 
- How can I apply it only to some specific users? Meaning, for some users I want to give full access.
- I have noticed it's filtering HTTPS websites? How can I deny HTTPS websites?
 
This is my router config:

R2#sh running-config
Building configuration...
 
 
Current configuration : 2460 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
ip inspect name cbac-filter http urlfilter
ip inspect name cbac-filter https
!
!
no ip domain lookup
ip urlfilter exclusive-domain permit .youtube.com
ip urlfilter exclusive-domain permit .facebook.com
ip urlfilter exclusive-domain permit .dailymotion.com
 
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.150.100 255.255.255.0
 ip inspect cbac-filter in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
 
TIA and Best Regards
Question by:cciedreamer
5 Comments
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 39719539
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class type inspect cm-other
  inspect
!
ip access-list extended acl-http-restricted
 remark hosts permitted here get the URL-filtered class; all others fall through to cm-other
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
 service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.

Unfortunately, you can't filter HTTPS web sites by URL because the router can't deep-inspect encrypted traffic. If you really need to do this, it's better to put in a proxy server and restrict your traffic at the application level.
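Added example, not part of the thread and not Cisco tooling: a small Python checker for the zone-based policy firewall fragment in the answer above. It parses the class-map, policy-map and ACL blocks, verifies that every name they reference is defined, flags a bare `class <name>` line inside a `policy-map type inspect` (IOS expects `class type inspect <name>`; the sample config deliberately contains one such line), and then classifies sample flows the way the policy-map would. That reproduces the three cases the answer describes: HTTP from a host the ACL permits hits the urlfilter class, HTTP from any other host falls through to cm-other and is only stateful-inspected, and HTTPS from anyone matches nothing but `match protocol tcp`, so it is never URL-filtered. The sample config is a trimmed copy of the posted one; the `TCP_APPS` set and the rule that `match protocol tcp` matches any TCP application (and `match protocol http` only port-80 HTTP) are simplifying assumptions of this demo, not a model of NBAR.

```python
"""Added example, not from the thread: a consistency checker and flow classifier
for the ZBF fragment in the accepted answer. It verifies that the class-maps and
ACLs a policy-map refers to exist, flags a bare `class <name>` inside
`policy-map type inspect` (IOS wants `class type inspect <name>`), and reports
which class, and so which action, a given flow hits. Protocol matching is a
simplification: `match protocol tcp` covers any TCP app, `match protocol http` port 80 only."""
import ipaddress

# Constructed sample: the posted ZBF config trimmed to the classification objects,
# with one class line written in the bare form so the checker has a defect to flag.
SAMPLE_CONFIG = """\
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
class-map type inspect match-any cm-other
 match protocol tcp
 match protocol icmp
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class cm-other
  inspect
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
"""
TCP_APPS = {"http", "https", "ftp", "ssh", "smtp"}  # assumption: applications carried over TCP


def parse_blocks(text):
    """Split IOS config into (header, [sub-commands]) pairs using leading-space nesting."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw[0] != " ":
                blocks.append((raw.strip(), []))
            elif blocks:
                blocks[-1][1].append(raw.strip())
    return blocks


def build_model(text):
    """Index class-maps, policy-maps and ACLs by name so references can be resolved."""
    m = {"class_maps": {}, "policy_maps": {}, "acls": {}}
    for header, body in parse_blocks(text):
        w = header.split()
        if header.startswith("class-map type inspect"):
            m["class_maps"][w[4]] = (w[3], body)  # (match-all|match-any, match lines)
        elif header.startswith("policy-map type inspect"):
            classes = []  # a 'class ...' line opens a class; the lines after it are its actions
            for line in body:
                if line.startswith("class"):
                    classes.append((line, []))
                elif classes:
                    classes[-1][1].append(line)
            m["policy_maps"][w[3]] = classes
        elif header.startswith("ip access-list extended"):
            m["acls"][w[3]] = body
    return m


def lint(m):
    """Return dangling references and the class-line slip that IOS rejects in a type inspect policy-map."""
    out = []
    for pname, classes in m["policy_maps"].items():
        for line, _ in classes:
            w = line.split()
            if w[:3] != ["class", "type", "inspect"]:
                out.append(f"{pname}: '{line}' should be 'class type inspect {w[-1]}'")
            if w[-1] not in m["class_maps"]:
                out.append(f"{pname}: class-map {w[-1]} is not defined")
    for cname, (_, matches) in m["class_maps"].items():
        for w in (x.split() for x in matches):
            if w[1] == "access-group" and w[-1] not in m["acls"]:
                out.append(f"{cname}: ACL {w[-1]} is not defined")
    return out


def acl_permits(acl, src):
    """First-match evaluation of 'permit|deny ip <net> <wildcard>|any any' lines; implicit deny."""
    addr = ipaddress.ip_address(src)
    for w in (line.split() for line in acl):
        if len(w) < 3 or w[1] != "ip":
            continue  # remarks and non-IP entries are not modelled
        # ipaddress reads the IOS wildcard as a hostmask: 10.1.1.0/0.0.0.255 -> 10.1.1.0/24
        if w[2] == "any" or addr in ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False):
            return w[0] == "permit"
    return False


def classify(m, policy, src, app):
    """Walk the policy-map top to bottom; the first matching class wins, else class-default drops."""
    for line, actions in m["policy_maps"][policy]:
        mode, matches = m["class_maps"][line.split()[-1]]
        results = []
        for w in (x.split() for x in matches):
            if w[1] == "protocol":
                results.append(w[2] == app or (w[2] == "tcp" and app in TCP_APPS))
            elif w[1] == "access-group":
                results.append(acl_permits(m["acls"].get(w[-1], []), src))
        if all(results) if mode == "match-all" else any(results):
            return line.split()[-1], actions
    return "class-default", ["drop"]
```

`build_model` can be fed a whole `show running-config` dump; blocks it does not model are skipped. On the sample, `lint` reports the one `class` line that lacks the `type inspect` keywords, and `classify` shows that the same 10.1.1.x host gets `urlfilter pmap-urls` for HTTP but only `inspect` for HTTPS, which is the HTTPS limitation the answer points out.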
 
LVL 3

Author Comment

by:cciedreamer
ID: 39719598
Hi,

Thanks for your reply
Well, I am not sure whether my router supports a zone-based firewall, because under

parameter-map type inspect urlfilter

I cannot find allow-mode on/off.


Thanks
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39721359
You're using the wrong type of parameter map. Try "parameter-map type urlfilter" instead of "parameter-map type inspect" and see if "allow-mode off" is available. There are different commands available depending on the map type.
 
LVL 3

Author Comment

by:cciedreamer
ID: 39722062
Hi,
I'll give it a try.

Please can you also help me with this question:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28319057.html#a39722045

Thanks I really appreciate your support.
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39736219
Thanks
