URL blocking

Unanswered Question
May 31st, 2010

Hi,

I have a UC540 and I would like to block several URLs, like "yahoo.fr" for example.

What is the procedure ?

I think it's a modification of an ACL... but I don't know how to configure it.

Sincerely,

Romain

David Trad Mon, 05/31/2010 - 03:55

Hi Final,

I could be off the beaten track here, would this be of any use to you?


ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
!
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on

This was put on for one client, but I plagiarized this from another configuration I found elsewhere. I do believe you can also block things via the ACLs as well, but I have never been asked to do that, so I haven't bothered to learn how to do it. I'm kinda lazy with things like that: if I have no need for it, I don't bother learning it LOL

Hope it helps you

Cheers,

David.

final-reseaux Mon, 05/31/2010 - 06:25

This configuration of the fw is the default when we choose the medium level in CCA, but I think it's more for instant messaging applications than for a website URL.

My client wants to block several websites and maybe Live Messenger.

Does anybody have another idea?

Thx,

Romain

David Trad Tue, 06/01/2010 - 23:20

Hi Romain,

I am unaware of any Cisco device that can block URLs. I am not sure either if IronPort can do it, as I am still educating myself in the various models.

If you have an ISA server there (never used one and do not plan to), then you could use this as it will also support Dynamic DNS; however, on the IOS you will need to block the IP address, and this is not always useful as the IPs for any particular URL can change at any time.

For now you might have to manually manage this by blocking the IP address.

Cheers,

David.

MICHAEL JOHNSON Tue, 06/01/2010 - 23:53

Since Websense integrates with Cisco, I've provided some of the common Websense configuration examples. Since we always use Websense for our web filtering client needs, I cannot tell you if it will work without the backend Websense.

ip inspect name SDM_LOW http java-list 51 urlfilter alert on timeout 60

ip urlfilter allow-mode on
ip urlfilter cache 500
ip urlfilter exclusive-domain deny .yahoo.fr

ip urlfilter server vendor websense ###.###.###.### retrans 6 timeout 10

access-list 51 permit any

This is something you should test. The "ip urlfilter allow-mode on" command allows the client devices to continue browsing even if Websense is not responsive (or not present). I am just NOT sure if the allow-mode command will bypass the "ip urlfilter exclusive-domain deny " command when a websense server is not present.

You also have to have a valid domain name lookup server defined on the router/UC and ip domain lookup enabled.

If you have time to test this, could you let us know if it works without a Websense server?

You might also want to try removing the "ip urlfilter server vendor websense ###.###.###.### retrans 6 timeout 10" command to see if the config will work at all.
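Added example, not part of the original post or of any Cisco tool: a small Python check that reads a saved IOS configuration and reports the URL-filter points raised above (the `urlfilter` keyword on the HTTP inspect rule, `allow-mode on`, a filter server, DNS lookup). The function name `audit_urlfilter` and the sample text are constructed here; 192.0.2.10 is a documentation address standing in for the masked server IP.

```python
import re

# Constructed sample: the commands from the post, with documentation address
# 192.0.2.10 standing in for the masked Websense server IP.
SAMPLE = """\
ip inspect name SDM_LOW http java-list 51 urlfilter alert on timeout 60
ip urlfilter allow-mode on
ip urlfilter cache 500
ip urlfilter exclusive-domain deny .yahoo.fr
ip urlfilter server vendor websense 192.0.2.10 retrans 6 timeout 10
access-list 51 permit any
"""

def audit_urlfilter(config):
    """Summarise IOS URL-filter settings and list points to review."""
    lines = [s.strip() for s in config.splitlines()]
    lines = [s for s in lines if s and not s.startswith("!")]
    rep = {"inspect_rules": [], "deny": [], "permit": [], "servers": [],
           "allow_mode": False, "findings": []}
    for s in lines:
        # Only an HTTP inspect rule carrying 'urlfilter' hands requests to the filter.
        if m := re.match(r"ip inspect name (\S+) http\b.*\burlfilter\b", s):
            rep["inspect_rules"].append(m.group(1))
        elif m := re.match(r"ip urlfilter exclusive-domain (deny|permit) (\S+)", s):
            rep[m.group(1)].append(m.group(2).lower())
        elif m := re.match(r"ip urlfilter server vendor (\S+) (\S+)", s):
            rep["servers"].append((m.group(1), m.group(2)))
        elif re.fullmatch(r"ip urlfilter allow-mode on", s):
            rep["allow_mode"] = True
    add = rep["findings"].append
    if not rep["inspect_rules"]:
        add("no-inspect-rule: no 'ip inspect name ... http ... urlfilter' rule")
    if rep["allow_mode"]:
        add("fail-open: allow-mode on lets HTTP through when the server is silent")
    if not rep["servers"]:
        add("no-server: local deny list only; behaviour needs a lab test")
    # Domain lookup is on unless the config explicitly negates it.
    if any(re.fullmatch(r"no ip domain[ -]lookup", s) for s in lines):
        add("dns-disabled: domain lookup is turned off")
    if not any(s.startswith("ip name-server ") for s in lines):
        add("no-name-server: no 'ip name-server' defined")
    return rep

if __name__ == "__main__":
    for finding in audit_urlfilter(SAMPLE)["findings"]:
        print(finding)
```

Run it against the output of `show running-config` saved to a file; the findings are review prompts, not a verdict on whether a given site is actually blocked.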

David Trad Wed, 06/02/2010 - 00:30

Hi Michael,

If I get the chance to, I will be more than happy and willing to do some testing for you. I need to finalize a couple of deployments first before I can venture into lab mode and do some testing. Sadly, I have neglected some other work of late to do some re-educating and familiarization with new products/services; I need to get back on track.

I guess a big thanks to Dave Harper for lending me his eyes and making himself available to respond back to my e-mails; it certainly helps with being able to move on when you get stuck.

I will keep you posted on when I do and how it goes.

Cheers,

David.
