HOW to block websites

WEERAKOO69BA
Level 1

Dear all,

I am using an 1841 router (Version 12.4(13r)T) and have configured it as a ZBF as follows, as you all told me. My idea is to block unwanted sites like Facebook. This router is not yet connected.

Current configuration : 1076 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
parameter-map type regex DENY_SITES
pattern .*facebook.com

!
!
!
!
archive
log config
  hidekeys
!
!
!
!
!
class-map type inspect http match-all CLASS_DENY_SITES
match  request header host regex DENY_SITES
!
!
policy-map type inspect http POLICY_DENY_SITES
class type inspect http CLASS_DENY_SITES
  reset
class class-default
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
!
!
!
interface FastEthernet0/0
no ip address
zone-member security INSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
zone-member security OUTSIDE
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!

But when I try to apply the policy on the zone-pair, I am getting the following error.

Router(config-sec-zone-pair)#service-policy type inspect POLICY_DENY_SITES

Inspect service-policy attachment failed

Why is it not allowing me to apply the policy? Please help me at your earliest....

Thank you

16 Replies

Julio Carvajal
VIP Alumni

Hello,

As I already answered you personally, the problem is that you are attaching an L7 policy to the service-policy.

Only L4 policies are supported on the service-policy.

What to do:

Create an L4 policy, nest the L7 policy inside that L4 policy, and then attach the L4 policy to the service-policy.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Highly appreciate your answer... thank you very much...

You mean ZBFW doesn't support L7 policies???

Could you kindly show me how to do this... very sorry for my poor understanding...

Thanks

Hello,

No problem

It is supported, but you cannot apply it directly to the service-policy:

class-map type inspect http match-all CLASS_DENY_SITES
 match request header host regex DENY_SITES
!
policy-map type inspect http POLICY_DENY_SITES
 class type inspect http CLASS_DENY_SITES
  reset
!
class-map type inspect HTTP_123
 match protocol http
!
policy-map type inspect HTTP_123
 class type inspect HTTP_123
  inspect
  service-policy http POLICY_DENY_SITES
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect HTTP_123

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
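The answer above is the whole fix in one sentence: a zone-pair only accepts a Layer 4 `policy-map type inspect`; the Layer 7 `policy-map type inspect http` is nested under the L4 class with `service-policy http`, which is why attaching POLICY_DENY_SITES directly produced "Inspect service-policy attachment failed". As an added example (not from the thread, and not the original poster's running config), here is a complete IOS ZBFW configuration that puts the pieces together and also classifies the rest of the inside-to-outside traffic, so that the `class-default drop` does not cut off DNS, HTTPS and everything else. The names CLASS_WEB, CLASS_OTHER and POLICY_IN_OUT are assumptions; the zone and regex names are the thread's own.

```text
! --- Layer 7 (application) policy: only HTTP requests reach this ---
parameter-map type regex DENY_SITES
 pattern facebook\.com
! (the original ".*facebook.com" also works, but an unescaped "." matches any
!  character, and the leading ".*" is redundant because the match is unanchored)
!
class-map type inspect http match-all CLASS_DENY_SITES
 match request header host regex DENY_SITES
!
policy-map type inspect http POLICY_DENY_SITES
 class type inspect http CLASS_DENY_SITES
  reset
  log
 class class-default
!
! --- Layer 4 (transport) policy: the only kind a zone-pair accepts ---
class-map type inspect match-any CLASS_WEB
 match protocol http
!
! Everything else the inside hosts need (DNS, HTTPS, ICMP ...) has to be
! classified too, otherwise class-default below drops it.
class-map type inspect match-any CLASS_OTHER
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect POLICY_IN_OUT
 class type inspect CLASS_WEB
  inspect
  service-policy http POLICY_DENY_SITES
 class type inspect CLASS_OTHER
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_IN_OUT
!
! Verify that the L4 policy is attached and the L7 policy is nested in it:
! show policy-map type inspect zone-pair IN_OUT
```

Two caveats a practitioner should keep in mind. `match protocol http` classifies only traffic on the ports mapped to `http` (TCP 80 by default; other ports need `ip port-map http port tcp <port>`), so a proxy or server on a non-standard port is not inspected. And the Host header is only visible in plaintext HTTP; a TLS connection to the same site carries no readable Host header, so this policy never fires for HTTPS, which is exactly the problem discussed later in the thread.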

Hi,

Thank you very much for the reply.

I have done the configuration as you instructed, but I am still getting the same message.

policy-map type inspect HTTP_123
 class type inspect HTTP_123
  inspect
  service-policy http POLICY_DENY_SITES

Router(config-sec-zone-pair)#service-policy type inspect POLICY_DENY_SITES

Inspect service-policy attachment failed

Should it be as follows????

Router(config-sec-zone-pair)#service-policy type inspect HTTP_123 ???????

Yeah

I just updated the previous post!

Regards,

Jcarvaja

Thank you very much for your help. I will apply this in the production environment and check. Hope I can block unwanted sites in the same manner. So I appreciate your quick response and have rated....

Have a good day

Hello,

It is a pleasure to help,

Regards,

Jcarvaja

Hi,

I have tried to block Facebook today in the same way I mentioned above, but it didn't work out. That means the regex method doesn't work??? Can you give me any other method??

Thanks

Hello,

Is the traffic going via HTTP or HTTPS? Remember, HTTPS cannot be blocked with this method because the traffic is encrypted.

Regards,

Jcarvaja

HI,

Tried HTTP traffic also, but it didn't work. What is the other method you can recommend to me? Access-list??

(ZBFW inside interface is connected to the TMG server; outside is the ISP. Can't I block from the TMG at least??)

Thanks

No,

That's the only method available to block HTTP websites using the local database; otherwise you should get a content engine.

Are you sure the site is not being switched to HTTPS? Try with a different site (YouTube for example, or any one that comes to mind).

Note: Share the latest config please

Regards,

Jcarvaja

Yes, you are correct... this is switching to HTTPS..

But my question is, I just tried to block yahoo.com in this manner.. it didn't work.

You mean if it is HTTPS... we can't block it even using an ASA????

Hello,

No, it will not work because we are matching the Host header value in the packet, and with HTTPS that is encrypted, so the device will not be able to understand it.

Now, with an ASA I have matched the DNS requests looking for facebook.com, so I block the DNS request; with no resolution I will not be able to go to Facebook unless I know the IP address, which is highly unlikely, but at some time it could happen.

Regards,

Jcarvaja
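Julio's ASA workaround, blocking the DNS lookup rather than the HTTP request, works because the DNS question name is sent in the clear even when the web session that follows is HTTPS. As an added example (not from the thread, and not the configuration Julio describes running), this is how that looks with ASA Modular Policy Framework DNS inspection. The names DOMAIN_FACEBOOK, CLASS_DNS_BLOCK and PMAP_DNS_BLOCK are assumptions, and the example assumes the inside clients resolve names through a DNS server that is reached across the ASA.

```text
! Regex applied to the DNS question name; the dot is escaped so it only
! matches a literal "." (an unescaped dot matches any character)
regex DOMAIN_FACEBOOK "facebook\.com"
!
class-map type inspect dns match-any CLASS_DNS_BLOCK
 match domain-name regex DOMAIN_FACEBOOK
!
policy-map type inspect dns PMAP_DNS_BLOCK
 parameters
  message-length maximum 512
 class CLASS_DNS_BLOCK
  drop log
!
! Replace the default DNS inspection in the global policy with the custom one
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns PMAP_DNS_BLOCK
!
! Verify with:  show service-policy inspect dns
```

The limitation Julio points out applies here too: the block holds only for clients whose DNS queries actually cross the ASA. A client that already has the answer cached, uses a hosts-file entry, or resolves through a server on the inside (a TMG server doing its own recursion, for instance) will still get an address and connect over HTTPS unhindered, so this is a nuisance control, not an enforcement boundary.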

Thx Julio....

So the conclusion is.. if it is HTTPS... it cannot be blocked from the ZBFW?? But if it is HTTP.. it can be blocked in the above manner??

Please correct me if I am wrong..

Thanks
