IOS Content filtering problem

Dec 18th, 2009
Hi,


I'm having trouble with ZFW and URL filtering. If I set it up according to the documentation, it blocks every website; however, if I remove the urlfilter from the policy, everything works.


Any ideas?


Here is my config:


parameter-map type urlfilter websense-parmap
 exclusive-domain deny .aaaaa.xx
 exclusive-domain deny .bbbbb.xx
 exclusive-domain deny .ccccc.xx
 exclusive-domain deny .ddddd.xx
 exclusive-domain deny .eeeee.xx

class-map type inspect match-any SMTP_TRAFFIC
match protocol smtp
class-map type inspect match-any HTTP_TRAFFIC
match protocol http
class-map type inspect match-any class-router-to-outside
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any class-outside-to-router
match protocol isakmp
match protocol ipsec-msft
match access-group name PROT_ESP
class-map type inspect match-any class-inside-to-outside
match protocol https
match protocol ftp
match protocol imap
match protocol imaps
match protocol pop3
match protocol pop3s
match protocol pptp
match protocol dns
match protocol user-tcp-8005
match protocol user-tcp-21000
match protocol user-tcp-49600
match protocol ssh
match protocol ica
match protocol icmp
match protocol ntp
match protocol user-tcp-5910
match protocol user-tcp-4081
match protocol user-tcp-10010
match protocol user-tcp-2222
match protocol lotusnote
match protocol user-tcp-8080
match protocol user-tcp-1353
class-map type inspect match-any class-outside-to-inside
match protocol smtp
match protocol mysql
match protocol pptp
match protocol user-tcp-7711
match protocol user-tcp-5910
match protocol user-tcp-5911
match protocol user-tcp-4081
match protocol user-udp-5910
match protocol user-udp-5911
class-map type inspect match-any GRE_TRAFFIC
match access-group name PROT_GRE
class-map type inspect match-all SMTP_SERVER_TRAFFIC
match protocol smtp
match access-group 100


policy-map type inspect policy-router-to-outside
class type inspect class-router-to-outside
  inspect
class class-default
  pass
policy-map type inspect policy-outside-to-router
class type inspect class-outside-to-router
  pass
class class-default
  drop
policy-map type inspect policy-outside-to-inside
class type inspect GRE_TRAFFIC
  pass
class type inspect class-outside-to-inside
  inspect
class class-default
  drop
policy-map type inspect policy-inside-to-outside
class type inspect SMTP_SERVER_TRAFFIC
  inspect
class type inspect GRE_TRAFFIC
  pass
class type inspect class-inside-to-outside
  inspect
class type inspect HTTP_TRAFFIC
  inspect
  urlfilter websense-parmap
class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security zp-outside-to-inside source outside destination inside
service-policy type inspect policy-outside-to-inside
zone-pair security zp-inside-to-outside source inside destination outside
service-policy type inspect policy-inside-to-outside
zone-pair security zp-router-to-outside source self destination outside
service-policy type inspect policy-router-to-outside
zone-pair security zp-outside-to-router source outside destination self
service-policy type inspect policy-outside-to-router


ip access-list extended PROT_ESP
permit esp any any
ip access-list extended PROT_GRE
permit gre any any


access-list 100 permit ip host 10.1.28.1 any

tgregorics Fri, 12/18/2009 - 05:21
Figured it out.


"allow-mode on" was missing from my parameter map.
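As an added example (not part of this thread or of Cisco's code), a small Python check that reads an IOS ZFW config and reports url-filter parameter maps applied in a policy-map without `allow-mode on`; allow-mode defaults to off, so such a map blocks HTTP whenever the filter server cannot be reached, which is the symptom described above. The sample config is constructed after the posted one; `lab-parmap` is a hypothetical second map that has the option set.

```python
"""Check a Cisco IOS ZFW config for url-filter parameter maps that are applied
in a policy-map but lack 'allow-mode on' (added example, not from the thread)."""
import re

# Constructed sample modelled on the posted config: websense-parmap has no
# allow-mode line, lab-parmap (hypothetical) has it.
SAMPLE_CONFIG = """\
parameter-map type urlfilter websense-parmap
 exclusive-domain deny .aaaaa.xx
 exclusive-domain deny .bbbbb.xx
parameter-map type urlfilter lab-parmap
 allow-mode on
 exclusive-domain deny .ccccc.xx
policy-map type inspect policy-inside-to-outside
 class type inspect HTTP_TRAFFIC
  inspect
  urlfilter websense-parmap
 class class-default
  drop log
"""

def parse_urlfilter_maps(config):
    """Return {name: set(option lines)} for every 'parameter-map type urlfilter'."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"parameter-map type urlfilter (\S+)", line)
        if m:
            current = m.group(1)
            maps[current] = set()
        elif current is not None and line.startswith(" "):
            maps[current].add(line.strip())   # option inside the current map
        else:
            current = None                    # any other top-level line ends the block
    return maps

def referenced_urlfilter_maps(config):
    """Names applied with an indented 'urlfilter <name>' line inside a policy class."""
    return set(re.findall(r"^\s+urlfilter (\S+)\s*$", config, re.MULTILINE))

def find_fail_closed_maps(config):
    """Applied maps that block HTTP when the filter server is unreachable (allow-mode off)."""
    maps = parse_urlfilter_maps(config)
    findings = []
    for name in sorted(referenced_urlfilter_maps(config)):
        if name not in maps:
            findings.append((name, "applied but not defined"))
        elif "allow-mode on" not in maps[name]:
            findings.append((name, "missing 'allow-mode on'"))
    return findings
```

Running `find_fail_closed_maps(SAMPLE_CONFIG)` reports only `websense-parmap`, the map from the thread; adding `allow-mode on` to it clears the finding.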
