block some URLs?

Answered Question
Jun 14th, 2010

Hello there,

We use a Cisco 2811 router and I have to block some URL sites.

Is it possible to do this with the cisco 2811 router - and how can I do it?

Thank you for your help!

Michael

Raphael Wouters Mon, 06/14/2010 - 07:18

Hi Michael,

You can use the Trend Micro or Websense database to do content filtering, but if you have only a few URLs to block you could do it by configuring the URLs locally. You can use the URL filtering feature of both IOS firewalls, CBAC or ZBF, but it would be nice to have some firewall knowledge.

I just answered a similar thread a couple of days ago, but it's in French; let me know if a translation would be useful ;-) You can see in that thread the configuration examples to use both firewalls to do local URL filtering only (first with CBAC and second with ZBF):

https://supportforums.cisco.com/message/3118200#3118200

Here is the config doc for CBAC:

http://cisco.biz/en/US/products/ps5855/products_configuration_example09186a0080ab4ddb.shtml

And here is the one for ZBF, a good doc found on this forum:

https://supportforums.cisco.com/docs/DOC-8028#_Configuration_with_Static_Filtering_

This is supported on the 2800, but you may need to check the IOS version and feature set; ZBF for example requires 12.4(20)T or later as mentioned in the above doc. I think CBAC URL filtering has been available since well before this; the doc mentions it's working in "12.4", so I suppose this means it's available in 12.4 mainline.

Thanks!

Raphael

it-interschalt Mon, 06/14/2010 - 08:00

Hi Raphael,

is this enough for the config?

R0>en
R0#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R0(config)#ip inspect name TEST http urlfilter
R0(config)#ip urlfilter allow-mode on
R0(config)#ip urlfilter exclusive-domain deny www.denyme.com
R0(config)#ip urlfilter audit-trail
R0(config)#interface FastEthernet0/0
R0(config-if)#ip inspect TEST out
R0(config-if)#end
R0#

or do I have to change something more?

Because if I try to reach "www.denyme.com" I can still access it.

Thanks for your answer

Michael

Raphael Wouters Mon, 06/14/2010 - 08:24

Hi Michael,

That should be enough yes.

Make sure to configure "ip inspect TEST out" on all outside interfaces (facing the WAN); by default all other interfaces will be considered inside.

-OR- configure "ip inspect TEST in" on all the inside interfaces facing the LAN, and by default all other interfaces will be considered outside.

Then the connections from inside to outside should be reset for the denied URL.

What is fast 0/0 used for? Where are your WAN and LAN interfaces?

Thanks,

Raphael

it-interschalt Mon, 06/14/2010 - 23:47

Hi Raphael,

thanks for your help - I had used the wrong interface!

But if I activate the URL filter, I'm not able to connect to external Terminal Servers. Do I have to activate something more?

Thanks

Michael

Raphael Wouters Tue, 06/15/2010 - 00:57

Hi Michael,

The above configuration should only match HTTP sessions, and with "audit-trail" on you should see a log for each failed attempt.

How do you connect to your Terminal Server?

Can you check the logs and "show ip inspect session details" just after a failed attempt? You could add these to have more logs, but don't forget to remove them later as this can be very chatty:

ip inspect audit-trail

ip urlfilter audit-trail

The firewall should not inspect anything other than HTTP; all other incoming traffic should pass, and with "ip urlfilter allow-mode on" all the HTTP traffic that doesn't match an exclusive-domain rule will pass.

So if you remove only the interface configuration "ip inspect TEST out", can you confirm it's working fine?

Can you maybe post a sample of your firewall config, something like show run | i inspect|url|interface ?

it-interschalt Tue, 06/15/2010 - 03:55

Hi Raphael,

this is my original config (with show run | i inspect|url|interface):

---

show run | i inspect|url|interface
ip inspect name FW appfw FW
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 pop3
interface Null0
interface FastEthernet0/0
interface FastEthernet0/1
ip inspect sdm_ins_out_100 out
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface ATM0/2/0
interface ATM0/2/0.1 point-to-point
interface BRI0/2/0
interface ATM0/3/0
interface BRI0/3/0
interface Vlan1
interface Dialer1
ip nat inside source static tcp 192.168.16.2 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.16.2 47 interface FastEthernet0/1 47
ip nat inside source static udp 172.16.1.11 3101 interface FastEthernet0/1 3101
ip nat inside source static tcp 192.168.16.2 1701 interface FastEthernet0/1 1701
ip nat inside source static tcp 192.168.16.2 51 interface FastEthernet0/1 51
ip nat inside source static tcp 172.16.1.21 18080 interface FastEthernet0/1 18080
ip nat inside source static tcp 172.16.1.15 8001 interface FastEthernet0/1 8001
ip nat inside source static tcp 172.16.1.3 443 interface FastEthernet0/1 443
ip nat inside source static tcp 172.16.1.3 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.1.15 21 interface FastEthernet0/1 21
ip nat inside source static tcp 172.16.1.15 20 interface FastEthernet0/1 20
ip nat inside source static tcp 172.16.1.15 8002 interface FastEthernet0/1 8002
ip nat inside source static tcp 172.16.1.21 25 interface FastEthernet0/1 25
ip nat inside source static tcp 172.16.1.24 8080 interface FastEthernet0/1 8080
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
---

and I would insert the following settings:

conf t
ip inspect name TEST http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.dom1.de
ip urlfilter exclusive-domain deny www.dom2.de
ip urlfilter exclusive-domain deny www.dom3.de
ip urlfilter exclusive-domain deny www.dom4.de
ip urlfilter exclusive-domain deny www.dom5.de
ip urlfilter exclusive-domain deny *.dom1.de               --> is it possible to use wildcards?
ip urlfilter exclusive-domain deny *.dom2.de
ip urlfilter exclusive-domain deny *.dom3.de
ip urlfilter audit-trail
interface FastEthernet0/1
ip inspect TEST out
end

Raphael Wouters Tue, 06/15/2010 - 08:19

Looks like you already have some firewalls configured there: FW, sdm_ins_in_100 and sdm_ins_out_100.

Only interface FastEthernet0/1 has sdm_ins_out_100 configured, so the others are just not in use. If you add the config above, you remove the sdm_ins_out_100 firewall and configure only the TEST firewall instead.

With that said, I'm not sure why this breaks your remote session, but you probably have an ACL configured on FastEthernet0/1 that denies incoming traffic, and since you don't inspect UDP and TCP with TEST, you never open a hole to let the returning traffic cross back through your router, so the packets are dropped by that ACL. So, in short, what you should do is integrate the URL filtering into the already existing firewall:

ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 pop3
ip inspect name sdm_ins_out_100 http urlfilter
ip urlfilter allow-mode on
! The next three lines will be useless with the .domX.de lines at the bottom
ip urlfilter exclusive-domain deny www.dom1.de
ip urlfilter exclusive-domain deny www.dom2.de
ip urlfilter exclusive-domain deny www.dom3.de
ip urlfilter exclusive-domain deny www.dom4.de
ip urlfilter exclusive-domain deny www.dom5.de
ip urlfilter exclusive-domain deny .dom1.de
ip urlfilter exclusive-domain deny .dom2.de
ip urlfilter exclusive-domain deny .dom3.de
! only if you want to see logs of the connections made
ip urlfilter audit-trail
interface FastEthernet0/1
 ip inspect sdm_ins_out_100 out

That should allow the returning traffic through the (supposedly configured) ACL on fast 0/1 for tcp, udp, ftp, http and pop3, and it will reset the connection and drop the outgoing packet if we try to access any www.domx.de.

And I don't know if you can use wildcards like *.dom1.de, but I have seen configs with just .dom1.de, which should work instead.

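The following Python script is an added example, not code from the thread or from Cisco. It checks a candidate CBAC change offline for the two mistakes discussed above: applying a URL-filter-only inspect rule set (TEST) to the WAN interface, which replaces the existing sdm_ins_out_100 rule set and leaves non-HTTP return traffic with no opening through an inbound ACL, and redundant or wildcard exclusive-domain entries. It assumes the IOS behaviour Raphael describes (one inspect rule set per interface and direction, the later one replacing the earlier; a leading-dot entry such as .dom1.de matching every host under that domain, a full host name matching exactly). Whether the bare apex dom1.de matches .dom1.de is not stated in the thread and is modelled here as not matching; the sample configs are constructed from the snippets in this thread.

```python
"""Offline sanity check for a CBAC URL-filtering change (added example, not from Cisco)."""
import re
from dataclasses import dataclass, field


@dataclass
class CbacConfig:
    rules: dict = field(default_factory=dict)       # rule set -> inspected protocols
    urlfilter_rules: set = field(default_factory=set)  # rule sets carrying "http urlfilter"
    applied: dict = field(default_factory=dict)     # interface -> {"in"/"out": rule set}
    allow_mode: bool = False
    denied: list = field(default_factory=list)      # exclusive-domain deny entries


RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)(?: (urlfilter))?")
APPLY_RE = re.compile(r"^ip inspect (\S+) (in|out)$")
DENY_RE = re.compile(r"^ip urlfilter exclusive-domain deny (\S+)")


def parse_config(text):
    """Collect the inspect, interface and urlfilter lines of an IOS config."""
    cfg = CbacConfig()
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = RULE_RE.match(line)
        if m:
            name, proto, urlfilter = m.groups()
            cfg.rules.setdefault(name, set()).add(proto)
            if urlfilter:
                cfg.urlfilter_rules.add(name)
            continue
        m = APPLY_RE.match(line)
        if m and iface:
            name, direction = m.groups()
            # Assumption from the thread: one rule set per interface and direction,
            # so a second "ip inspect X out" replaces the one configured before.
            cfg.applied.setdefault(iface, {})[direction] = name
            continue
        if line == "ip urlfilter allow-mode on":
            cfg.allow_mode = True
            continue
        m = DENY_RE.match(line)
        if m:
            cfg.denied.append(m.group(1))
    return cfg


def check(cfg):
    """Warnings for the two problems discussed in the thread."""
    warnings = []
    for iface, dirs in sorted(cfg.applied.items()):
        for direction, name in sorted(dirs.items()):
            protos = cfg.rules.get(name, set())
            if name in cfg.urlfilter_rules and not {"tcp", "udp"} <= protos:
                warnings.append(f"{iface} {direction}: rule set {name} filters URLs but inspects "
                                f"only {sorted(protos)}; without tcp/udp inspection the return "
                                f"traffic of other sessions is not opened through an inbound ACL")
    for domain in cfg.denied:
        if "*" in domain:
            suffix = "." + domain.split("*.", 1)[-1]
            warnings.append(f"{domain}: '*' is not a known exclusive-domain form; "
                            f"the leading-dot entry {suffix} covers all hosts under the domain")
    return warnings


def url_blocked(host, cfg):
    """Leading-dot entries are suffix matches, other entries must match the host exactly."""
    host = host.lower().rstrip(".")
    return any(host.endswith(e.lower()) if e.startswith(".") else host == e.lower()
               for e in cfg.denied)


def redundant_entries(denied):
    """Entries already covered by a leading-dot entry (the 'useless' lines above)."""
    suffixes = [d.lower() for d in denied if d.startswith(".")]
    return [d for d in denied if any(d.lower() != s and d.lower().endswith(s) for s in suffixes)]


# Constructed sample: the proposed TEST change on top of the existing sdm_ins_out_100 rule set.
PROPOSED = """\
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 pop3
interface FastEthernet0/1
 ip inspect sdm_ins_out_100 out
!
ip inspect name TEST http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.dom1.de
ip urlfilter exclusive-domain deny *.dom1.de
interface FastEthernet0/1
 ip inspect TEST out
"""

# Constructed sample: URL filtering folded into the existing rule set, as suggested above.
FIXED = """\
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http urlfilter
ip inspect name sdm_ins_out_100 pop3
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.dom4.de
ip urlfilter exclusive-domain deny .dom1.de
ip urlfilter exclusive-domain deny www.dom1.de
interface FastEthernet0/1
 ip inspect sdm_ins_out_100 out
"""

if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("fixed", FIXED)):
        cfg = parse_config(text)
        print(label, cfg.applied, check(cfg))
    fixed = parse_config(FIXED)
    for host in ("www.dom1.de", "mail.dom1.de", "dom1.de", "www.dom4.de", "www.dom9.de"):
        print(host, "blocked" if url_blocked(host, fixed) else "allowed")
    print("redundant:", redundant_entries(fixed.denied))
```

Run it against the output of `show run | i inspect|url|interface` before pushing a change: an interface whose only inspect rule set is the URL-filter one is exactly the state that broke the Terminal Server sessions here.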
it-interschalt Wed, 06/16/2010 - 00:20

Hi Raphael,

thank you very much for your help - this works!

One question again:

Is it possible to forward the blocked sites to an "access denied" page?

Michael

Correct Answer
Raphael Wouters Wed, 06/16/2010 - 01:10

I'm glad this worked

I'm afraid I don't find a way to change the "blocked" page displayed with CBAC, so I don't think it's possible... Maybe someone else on the forum can answer this for sure?

Have a nice day!
