08-01-2008 07:44 PM - edited 03-10-2019 04:00 PM
I am a little lost and have burned a lot of time on URL filtering.
Setup: 1812 router, IOS 12.4(15)T3, SDM 2.4
In Additional Tasks I have the URL list setup. The Allow Mode is on.
For my zone pair (in-zone to out-zone) I have this URL filter being applied.
The problem is I do not have external websense servers; I want to use URL lists.
Now it seems that you have to check "Enable URL Filtering" on the Application Security tab, but that tab is not visible on my Configure --> Firewall and ACL screen.
It seems to me that this tab comes up when you set up firewall initially using Basic Firewall Wizard.
The rest of my configuration is working fine, so I do not want to muck around with it, because if I run the wizard again it will wipe out the current setup.
Can someone please tell me how to enable the URL filtering for Application Security using the command line interface, or instead suggest how to make the Application Security tab visible without rerunning the Firewall setup?
If I am missing something else, please let me know. I hope Cisco fixes this section of the documentation, because it does not mention why the Application Security tab is not coming up.
08-12-2008 12:08 PM
I 2nd this question. Please could we have a response?
TIA
08-12-2008 12:24 PM
I am the original poster and I have not yet received a response even though I have tried other channels. I am still stuck and have not found anything with many hours of googling.
Will really appreciate a response, and it seems that I am not alone facing this issue.
08-12-2008 12:43 PM
I don't think you have looked into the complexity of this issue.
IMHO, you need the external server to do any meaningful URL blocking...
see
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftwebsen.html
The local firewall filtering is more for URL filtering by length, Java, etc.
Also look into the newer Trend Micro solution that works with IOS routers. You can find out more information at
http://www.cisco.com/en/US/products/ps6643/index.html
-Joe
thanks,
Joe
08-12-2008 12:49 PM
I actually think there is a workaround to not having a server;
can you look into the sample config from the first link I sent, specifically the sample config from this section:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftwebsen.html#wp1027265
I think if you simply want to permit/deny specific domains you can do so with this command:
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
Could you lab this up and post back to the group?
thanks,
Joe
08-12-2008 01:21 PM
Thanks for the barrage of replies (Can only help).
For my part, I have looked at the docs for doing this from within SDM v2.5 and from CLI. The SDM docs do specify that there should be an 'Application Security' tab, but this does not seem to exist in v 2.5 with the Zone-based firewall policy configuration that I am using.
So, I looked at the configuration that needs to be made from IOS and have applied that to my config (still no joy).
I also turned on debugs and tried to visit both URLs that should have been filtered and URLs which should not have been filtered. The debugs showed nothing and no filtering was done.
My config has the following sections:
...
parameter-map type urlfilter BL_ProjectOffice
 audit-trail on
 allow-mode on
 exclusive-domain deny .danger.com
...
class-map type inspect match-all sdm-protocol-http
 match protocol http
...
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
  urlfilter BL_ProjectOffice
 class class-default
  pass
...
This configuration follows the guidelines laid out in the Zone-based Firewall Design guide at (http://www.cisco.com/application/pdf/paws/98628/zone-design-guide.pdf) on pages 38 & 39.
So, I am stumped.
Any ideas?
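To make the behaviour of the exclusive-domain list and allow-mode concrete (Joe's "ip urlfilter exclusive-domain" commands and the BL_ProjectOffice parameter-map above), here is an added Python model of the decision the router makes per HTTP request; it is not Cisco code and not from this thread. It assumes the IOS documentation's rules that a leading dot covers a whole domain while a bare name matches one exact host, and, as a labelled assumption, that a deny entry wins over a permit entry for the same host.

```python
from typing import Iterable, Optional, Tuple

# Constructed entries in the shape of the exclusive-domain commands posted in
# this thread. Assumption (IOS urlfilter docs, not stated in the thread):
# ".nbc.com" covers the whole domain, "www.cisco.com" matches that host only.
EXCLUSIVE_DOMAINS: Tuple[Tuple[str, str], ...] = (
    ("permit", ".weapons.com"),
    ("deny", ".nbc.com"),
    ("permit", "www.cisco.com"),
    ("deny", ".danger.com"),
)


def entry_matches(entry: str, host: str) -> bool:
    """True if one exclusive-domain entry applies to the requested host."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        # ".nbc.com" covers nbc.com itself and every host under it
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def exclusive_domain_verdict(
    host: str, entries: Iterable[Tuple[str, str]] = EXCLUSIVE_DOMAINS
) -> Optional[str]:
    """'permit' or 'deny' from the local list, None when no entry matches.
    Assumption (hypothetical, conservative): deny beats permit on overlap."""
    verdicts = {action for action, entry in entries if entry_matches(entry, host)}
    if "deny" in verdicts:
        return "deny"
    if "permit" in verdicts:
        return "permit"
    return None


def url_filter_decision(host: str, server_reachable: bool, allow_mode: bool) -> str:
    """The local list is consulted first; only unmatched hosts go to the
    external Websense/N2H2 server. With no server configured or reachable,
    allow-mode decides those requests: on lets them through, off drops them.
    Returns 'permit', 'deny' or 'ask-server'."""
    verdict = exclusive_domain_verdict(host)
    if verdict is not None:
        return verdict
    if server_reachable:
        return "ask-server"
    return "permit" if allow_mode else "deny"
```

With no server and allow-mode on, as in the posted parameter-map, only hosts that hit a deny entry are ever blocked; everything else passes.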
08-12-2008 09:31 PM
First, if you want to block specific web sites (domain name, URL)
you need to make a regular expression,
known as regex.
In the link you have put, just read how to implement and match against regex
according to Cisco ASA regex.
If you want to match a website, do the following:
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"
Just find out if it is the same with IOS firewall,
but the idea is 100% the same.
So the following link, although for ASA firewall, has the same idea, so I will include it for you here to get the idea:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
And just be careful with your matching:
1. right regex
2. right class map matching
3. right inspection header, request or response
And if you want any more assistance, just post here.
Good luck.
Please rate if helpful.
08-12-2008 09:43 PM
Your config should be something like:
parameter-map type regex url1
 pattern \.yahoo\.com
class-map type inspect http urlclass1
 match req-resp header regex url1
policy-map type inspect http policy1
 class type inspect http urlclass1
  reset
then apply the policy.
The above is only an example;
you have more flexibility, and I am not 100% sure about the regex pattern above, but it should be like that to some extent.
Good luck.
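Because the replies above stress "right regex" and the poster is unsure of the pattern, here is an added Python check (not from this thread or from Cisco) that runs candidate patterns against constructed hostnames that must never be blocked and reports false positives; Python's re module stands in for the router's matcher, assuming the same basic bracket and backslash-escape semantics.

```python
import re
from typing import Dict, Iterable, List

# Constructed patterns in the shape of the regex examples in the replies above.
PATTERNS: Dict[str, str] = {
    "domainlist1": r"\.yahoo\.com",
    "domainlist2": r"\.myspace\.com",
    "domainlist3": r"\.youtube\.com",
    # as originally posted: square brackets make a character class that matches
    # any single one of the characters . y a h o c m, i.e. almost any hostname
    "url1_as_posted": r"[\.yahoo\.com]",
}

# Constructed hosts that a social-media filter must never block.
SAFE_HOSTS = ("www.example.net", "intranet.local", "cisco.com")


def pattern_hits(pattern: str, hosts: Iterable[str]) -> List[str]:
    """Hosts (sorted) that the pattern would match, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(h for h in hosts if rx.search(h))


def audit_patterns(patterns: Dict[str, str],
                   safe_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Map each pattern name to the safe hosts it would wrongly block.
    An empty dict means every pattern passed the false-positive check."""
    safe = tuple(safe_hosts)
    problems: Dict[str, List[str]] = {}
    for name, pat in patterns.items():
        hits = pattern_hits(pat, safe)
        if hits:
            problems[name] = hits
    return problems


if __name__ == "__main__":
    for name, bad in audit_patterns(PATTERNS, SAFE_HOSTS).items():
        print(f"{name}: would also block {bad}")
```

Note that `\.yahoo\.com` does not match the bare apex host `yahoo.com`, so a pattern list like this needs an extra entry if the apex must be blocked too.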
08-13-2008 04:48 AM
Thank you all for the replies and your patience.
I can use the SDM but do not have much proficiency with the command line policy setups. I tried the command line options and feel that it is beyond my capabilities. If there is no solution through the SDM then I would probably have to reconfigure the entire thing from scratch. The SDM is what made this router an easy choice for us. We are a small business and are using this router as an alternative to the common home office router in which URL blocking is fairly easy to do.
I think that the Application Security tab if enabled in the SDM will make all this functional. I wonder if there is someone from CISCO's product support team who can suggest if App Sec tab can be enabled inside the SDM interface once the firewall has been already configured.
I would suggest that someone (if someone at Cisco is browsing this) make a note of this issue, because the fact that the Application Security tab only shows up through the wizard configuration process is something that is not mentioned anywhere and completely throws you off (as in my case, where I was trying to mimic the previous router's settings in this zone policy environment and hence did not go through the wizard).
08-13-2008 05:49 AM
Ciscopotion,
I agree wholeheartedly and am looking for the same guidance.