You can use a Trend Micro or Websense database to do content filtering, but if you only have a few URLs to block you could do it by configuring the URLs locally. You can use the URL filtering feature of both IOS firewalls, CBAC or ZBF, but it would be nice to have some firewall knowledge.
I just answered a similar thread a couple of days ago but it's in French; let me know if additional translation would be useful ;-) You can see in that thread the configuration example to use both firewalls to do local URL filtering only (first with CBAC and second with ZBF):
Here is the config doc for CBAC:
And here is the one for ZBF; this is a good doc found on this forum:
This is supported on the 2800, but you may need to check the IOS version and feature set. ZBF, for example, requires 12.4(20)T or later as mentioned in the above doc. I think CBAC URL filtering was available well before that; the doc mentions it's working in "12.4", so I suppose this means it's available in 12.4 mainline.
Is this enough for the config?
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#ip inspect name TEST http urlfilter
R0(config)#ip urlfilter allow-mode on
R0(config)#ip urlfilter exclusive-domain deny www.denyme.com
R0(config)#ip urlfilter audit-trail
R0(config-if)#ip inspect TEST out
Or do I have to change something more?
Because if I try to reach "www.denyme.com" I can access it.
Thanks for your answer.
That should be enough yes.
Make sure to configure "ip inspect TEST out" on all outside interfaces (facing the WAN); by default all other interfaces will be considered inside.
-OR- configure "ip inspect TEST in" on all the inside interfaces facing the LAN, and by default all other interfaces will be considered outside.
Then the connections from inside to outside should be reset for the denied URL.
What is fast 0/0 used for? Where are your WAN and LAN interfaces?
thank's for your Herp - I had use the wrong interface!
But if I activat the url filter - I'm not able to conect to extern Terminal Servern. - Do I have to activat something more?
The above configuration should only match HTTP sessions, and with "audit-trail" on you should see a log for each failed attempt.
How do you connect to your Terminal Server?
Can you check the logs and "show ip inspect session details" just after a failed attempt? You could add this to have more logs, but don't forget to remove it later as this can be very chatty:
ip inspect audit-trail
ip urlfilter audit-trail
The firewall should not inspect anything other than HTTP; all other incoming traffic should pass, and with "ip urlfilter allow-mode on" all the HTTP traffic that doesn't match the exclusive-domain rule will pass.
So if you remove only the interface configuration "ip inspect TEST out", do you confirm it's working fine?
You could maybe post a sample of your firewall config, something like show run | i inspect|url|interface ?
This is my original config (with show run | i inspect|url|interface):
show run | i inspect|url|interface
ip inspect name FW appfw FW
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 pop3
ip inspect sdm_ins_out_100 out
interface ATM0/2/0.1 point-to-point
ip nat inside source static tcp 192.168.16.2 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.16.2 47 interface FastEthernet0/1 47
ip nat inside source static udp 172.16.1.11 3101 interface FastEthernet0/1 3101
ip nat inside source static tcp 192.168.16.2 1701 interface FastEthernet0/1 1701
ip nat inside source static tcp 192.168.16.2 51 interface FastEthernet0/1 51
ip nat inside source static tcp 172.16.1.21 18080 interface FastEthernet0/1 18080
ip nat inside source static tcp 172.16.1.15 8001 interface FastEthernet0/1 8001
ip nat inside source static tcp 172.16.1.3 443 interface FastEthernet0/1 443
ip nat inside source static tcp 172.16.1.3 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.1.15 21 interface FastEthernet0/1 21
ip nat inside source static tcp 172.16.1.15 20 interface FastEthernet0/1 20
ip nat inside source static tcp 172.16.1.15 8002 interface FastEthernet0/1 8002
ip nat inside source static tcp 172.16.1.21 25 interface FastEthernet0/1 25
ip nat inside source static tcp 172.16.1.24 8080 interface FastEthernet0/1 8080
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
and I would insert the following settings:
ip inspect name TEST http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.dom1.de
ip urlfilter exclusive-domain deny www.dom2.de
ip urlfilter exclusive-domain deny www.dom3.de
ip urlfilter exclusive-domain deny www.dom4.de
ip urlfilter exclusive-domain deny www.dom5.de
ip urlfilter exclusive-domain deny *.dom1.de --> is it possible to use wildcards?
ip urlfilter exclusive-domain deny *.dom2.de
ip urlfilter exclusive-domain deny *.dom3.de
ip urlfilter audit-trail
ip inspect TEST out
Looks like you already have some firewall configured there: FW, sdm_ins_in_100 and sdm_ins_out_100.
Only interface FastEthernet0/1 has sdm_ins_out_100 configured, so the others are just not in use. If you add the config above, you remove the sdm_ins_out_100 firewall and configure the TEST firewall only instead.
With that said, I'm not sure why this breaks your remote session, but you probably have an ACL configured on FastEthernet0/1 that denies incoming traffic, and since you don't inspect udp and tcp with TEST, you never open a hole to let the returning traffic cross back through your router, so the packets are dropped by that ACL. So, in short, what you should have is to integrate the URL filtering into the already existing firewall:
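The following is an added example of what that integration looks like; it is not the config from the reply above (which is not reproduced on this page) and not from the asker's router. It also illustrates the earlier point about applying a single inspect rule set on the outside interface. Assumptions: FastEthernet0/1 is the WAN interface (the posted "show run" shows it carrying the static NAT entries and "ip inspect sdm_ins_out_100 out"), the dom1.de/dom2.de/dom3.de names are the placeholders from the post, and the leading-dot domain form is the whole-domain syntax described in Cisco's CBAC URL filtering documentation; check it on your IOS release.

```cisco
! Added example, not the original reply's config. Assumes Fa0/1 = WAN.
!
! 1. Keep the existing sdm_ins_out_100 rule set: the tcp/udp/ftp/pop3 entries are
!    what open return holes through the inbound ACL on Fa0/1 (Terminal Server etc.).
!    Only the http entry changes: it gains "urlfilter". Re-entering the line with
!    the urlfilter keyword replaces the plain http entry.
ip inspect name sdm_ins_out_100 http urlfilter
!
! 2. Local-only URL filtering, no Websense/N2H2 server configured. With allow-mode
!    on, every HTTP request that matches no exclusive-domain entry is allowed.
!    With it off, requests would be dropped when no filter server answers.
ip urlfilter allow-mode on
ip urlfilter audit-trail
!
! 3. Exclusive-domain entries. An exact host name matches only that host; the
!    leading-dot form (assumed per Cisco docs) matches every host in the domain,
!    which is what the posted "*.dom1.de" was after.
ip urlfilter exclusive-domain deny www.dom1.de
ip urlfilter exclusive-domain deny .dom1.de
ip urlfilter exclusive-domain deny .dom2.de
ip urlfilter exclusive-domain deny .dom3.de
!
! 4. One rule set, applied outbound on the WAN interface only. No separate TEST
!    rule set, so "ip inspect TEST out" is not added and does not replace the
!    existing inspection.
interface FastEthernet0/1
 ip inspect sdm_ins_out_100 out
!
! Verification from exec mode after a blocked and an allowed request:
!   show ip urlfilter config
!   show ip urlfilter statistics
!   show ip inspect session detail
```

The point of keeping everything in sdm_ins_out_100 rather than adding TEST is that only one inspect rule set can be applied per interface and direction; replacing it with an http-only set removes the tcp/udp state that lets replies to outbound sessions back through the inbound ACL, which is the likely cause of the Terminal Server failure described above.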
Thank you very much for your help - this works!
One question again:
Is it possible to redirect the blocked sites to an "access denied" page?