06-06-2007 12:47 PM - edited 03-05-2019 04:32 PM
How can I block specific web sites?
And how do I block some specific extensions from being downloaded?
06-06-2007 01:23 PM
There's a bevy of firewall products out there that can do that. ASA series in Cisco's case.
06-06-2007 02:22 PM
I don't know how, that's why I'm asking.
I'm using router 827 and IOS 12.2.
Is it helpful?
06-07-2007 01:02 AM
You need the firewall feature set. If you want to control what extensions are being downloaded (assuming you mean Java applets for example) you need to use CBAC and that's a feature of the firewall feature set. You can also block specific URLs.
Assuming you can install the FW version try using SDM to configure the router.
06-07-2007 02:17 AM
Hi,
you can use NBAR to match the traffic to drop, then use a solution like ACL/PBR (best for performance) to deny/route to Null0.
See that for example:
http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml
HTH
Andrea
06-09-2007 04:24 AM
Sorry, I'm not expert enough to do that.
Can you give me an example, at least?
How can I block the rar extension
and block www.google.com?
06-09-2007 04:42 AM
Hi,
The logic is that simple. I'll try to simplify 2 methods, and you can use any of them. The first method is to match what you want via NBAR (match protocol), and then to police it.
! Classify HTTP requests whose URL matches either pattern
class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
! Drop everything in that class, whichever policer action applies
policy-map drop-http
 class http
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
! The policy-map must exist before it is attached to the interface
interface FastEthernet0/0
 service-policy input drop-http
The second method is to mark the traffic on the ingress on the Ethernet port and then deny it on the egress at the serial port:
class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
! Mark matching traffic with DSCP 1 as it enters the Ethernet interface
policy-map mark-http
 class http
  set dscp 1
interface FastEthernet0/0
 service-policy input mark-http
! Deny anything marked DSCP 1; the ACL number must match the access-group below
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any
interface Serial1/0.1 point-to-point
 ip access-group 103 in
 ip access-group 103 out
I hope that I've been informative, please never hesitate for further questions.
HTH, please do rate all helpful replies using the scroll box on the right,
Mohammed Mahmoud.
06-09-2007 05:49 AM
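Just another example:
class-map match-any DropTraffic
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
! Mark matching traffic with DSCP 1 on ingress
policy-map mark-DropTraffic
 class DropTraffic
  set dscp 1
interface FastEthernet0/0
 service-policy input mark-DropTraffic
! Select the DSCP 1 packets with an extended ACL (number 106 chosen here)
access-list 106 permit ip any any dscp 1
! Policy-route the selected packets to Null0
route-map null_policy_route 10
 match ip address 106
 set interface Null0
interface Serial1/0.1 point-to-point
 ip policy route-map null_policy_route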
HTH
Andrea
06-09-2007 01:26 PM
this is the result
hanymanyy(config-cmap)#match protocol http url "*www.google.com*"
^
% Invalid input detected at '^' marker.
It's wrong at http.
I don't know what's wrong.
Do you?
06-09-2007 01:39 PM
Hi,
Can you please try this, and paste the output:
hanymanyy(config-cmap)#match protocol ?
or
hanymanyy(config-cmap)#match p?
BR,
Mohammed Mahmoud.
06-09-2007 01:46 PM
Hi,
Unfortunately according to Cisco Feature Navigator, NBAR is not supported on your Cisco 827, please check it out:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
HTH,
Mohammed Mahmoud.
06-09-2007 07:38 PM
yes correct, I've made a mistake, 8xx supports NBAR but not 827 :(
As David says, you could use a solution like that:
http://www.cisco.com/en/US/products/ps6643/products_white_paper0900aecd804abb11.shtml
"Configuring Cisco IOS URL Filtering Using the Command-Line Interface (CLI)"
HTH
Andrea
06-10-2007 03:14 AM
Sorry again.
Can you give me an example?
06-10-2007 06:02 AM
Hi,
What about using a web proxy like Squid with a URL filter like squidGuard, DansGuardian and so on?
http://www.squid-cache.org/Misc/related-software.dyn
That is probably the easy way for you.
HTH
Andrea
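The proxy approach suggested above, as an added example that is not part of Andrea's post or taken from the Squid project: a squid.conf fragment that blocks the site and the extension asked about in this thread, using Squid's built-in ACLs rather than squidGuard or DansGuardian. The LAN range 192.168.1.0/24 and port 3128 are assumptions.

```conf
# Added example (constructed): adjust the LAN range to your network.
acl localnet src 192.168.1.0/24

# Sites to block. The leading dot matches google.com and every subdomain.
acl blocked_sites dstdomain .google.com

# File extensions to block, matched case-insensitively at the end of the
# URL path, with or without a trailing query string.
acl blocked_ext urlpath_regex -i \.rar(\?.*)?$

# http_access rules are evaluated top to bottom and the first match wins,
# so the deny rules must come before the allow rule.
http_access deny blocked_sites
http_access deny blocked_ext
http_access allow localnet
http_access deny all

# Caveat: HTTPS requests reach the proxy as "CONNECT host:port", so the
# dstdomain rule still applies to them, but urlpath_regex never sees the
# path and cannot block a .rar fetched over HTTPS.
http_port 3128
```

The filter only holds if clients cannot go around the proxy, so the router should permit outbound web traffic from the proxy host only.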
06-10-2007 10:35 AM
Sorry again.
Is there any ACL which denies downloading some specific files? With an example.
And another ACL to deny some specific site?
With no tools or devices.