
URL Filter on Cisco Router

Dear EE,

With reference to my previous question, which is already answered: I forgot to ask for clarification on 2 things.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28313232.html

However, I will just give a brief summary.

I have configured our Cisco router to filter URLs, that is, to allow only specific URLs and block other websites. I have got 2 questions in this context:
 
- How can I apply it only for some specific users? Meaning, for some users I want to give full access.
- I have noticed it's filtering HTTPS websites? How can I deny HTTPS websites?
 
This is my router config:

R2#sh running-config
Building configuration...
 
 
Current configuration : 2460 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
ip inspect name cbac-filter http urlfilter
ip inspect name cbac-filter https
!
!
no ip domain lookup
ip urlfilter exclusive-domain permit .youtube.com
ip urlfilter exclusive-domain permit .facebook.com
ip urlfilter exclusive-domain permit .dailymotion.com
 
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX

interface FastEthernet0/0
ip address 1.1.1.1  255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.150.100 255.255.255.0
ip inspect cbac-filter in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
 
TIA and Best Regards
Asked: cciedreamer
 
Jody Lemoine (Network Architect) commented:
It's a bit more involved if you want to have granular control. Rather than using the global "ip inspect" approach, you need to rip all of that out and go with a Zone-based Policy Firewall configuration.

parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .verisign.com
 exclusive-domain permit .thawte.com
 exclusive-domain permit .geotrust.com
 exclusive-domain permit .rapidssl.com
 exclusive-domain permit .digitalcertvalidation.com
 exclusive-domain permit .ws.symantec.com
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class type inspect cm-other
  inspect
!
ip access-list extended acl-http-restricted
 permit ip 10.1.1.0 0.0.0.255 any
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/0
 zone-member security zone-inside
!
interface FastEthernet0/1
 zone-member security zone-outside
!
zone-pair security inside-out source zone-inside destination zone-outside
  service-policy type inspect pm-inside-out

I've used FastEthernet0/0 for your LAN interface and FastEthernet0/1 as your WAN interface. Adjust names as necessary.

Any HTTP traffic that is permitted by the ACL will be subject to the restriction policy. Anything that is denied by the ACL will fall through to the cm-other class and will be unrestricted.

Unfortunately, you can't filter HTTPS web sites by URL because the router can't deep-inspect encrypted traffic. If you really need to do this, it's better to put in a proxy server and restrict your traffic at the application level.
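As an added, adapted example (not part of the answer above and not the asker's running config): the same zone-based policy applied to the asker's own layout, where FastEthernet0/1 is the LAN and FastEthernet0/0 is the WAN, with the three domains from the original config and one hypothetical full-access host (192.168.150.10) exempted through the ACL.

```cisco
! Remove the legacy CBAC/urlfilter configuration that the ZBF policy replaces
interface FastEthernet0/1
 no ip inspect cbac-filter in
no ip inspect name cbac-filter
no ip urlfilter exclusive-domain permit .youtube.com
no ip urlfilter exclusive-domain permit .facebook.com
no ip urlfilter exclusive-domain permit .dailymotion.com
!
! Allow list: with allow-mode off, HTTP to a host that matches no
! exclusive-domain permit entry is blocked (no external filter server is used)
parameter-map type urlfilter pmap-urls
 allow-mode off
 exclusive-domain permit .youtube.com
 exclusive-domain permit .facebook.com
 exclusive-domain permit .dailymotion.com
!
! Who is restricted: sources matched by 'permit' are URL-filtered; sources matched
! by 'deny' fall through to cm-other. 192.168.150.10 is a hypothetical full-access host.
ip access-list extended acl-http-restricted
 deny   ip host 192.168.150.10 any
 permit ip 192.168.150.0 0.0.0.255 any
!
class-map type inspect match-all cm-http-restricted
 match access-group name acl-http-restricted
 match protocol http
!
! HTTPS never matches 'match protocol http', so it lands here: inspected, not URL-filtered
class-map type inspect match-any cm-other
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-inside-out
 class type inspect cm-http-restricted
  inspect
  urlfilter pmap-urls
 class type inspect cm-other
  inspect
!
zone security zone-inside
zone security zone-outside
!
interface FastEthernet0/1
 zone-member security zone-inside
interface FastEthernet0/0
 zone-member security zone-outside
zone-pair security inside-out source zone-inside destination zone-outside
 service-policy type inspect pm-inside-out
```

The NAT configuration from the original config is untouched; only the inspection and URL-filter parts change.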
 
cciedreamer (Author) commented:
Hi,

Thanks for your reply
Well, I am not sure whether my router supports zone-based firewall, because under

parameter-map type inspect urlfilter

I cannot find allowed mode on/off


Thanks
 
Jody Lemoine (Network Architect) commented:
You're using the wrong type of parameter map. Try "parameter-map type urlfilter" instead of "parameter-map type inspect" and see if "allow-mode off" is available. There are different commands available depending on the map type.
 
cciedreamer (Author) commented:
Hi,
I'll give it a try.

Please, can you also help me with this question?

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28319057.html#a39722045

Thanks I really appreciate your support.
 
cciedreamer (Author) commented:
Thanks