
HOW to block websites

Dear  all,

I am using an 1841 router (Version 12.4(13r)T), configured as a ZBF as follows, as you all have told me. My idea is to block unwanted sites like Facebook. This router is not yet connected.

Current configuration : 1076 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
parameter-map type regex DENY_SITES
pattern .*facebook.com

!
!
!
!
archive
log config
  hidekeys
!
!
!
!
!
class-map type inspect http match-all CLASS_DENY_SITES
match  request header host regex DENY_SITES
!
!
policy-map type inspect http POLICY_DENY_SITES
class type inspect http CLASS_DENY_SITES
  reset
class class-default
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
!
!
!
interface FastEthernet0/0
no ip address
zone-member security INSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
zone-member security OUTSIDE
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!

But when I try to apply the policy on the zone-pair, I am getting the following error.

Router(config-sec-zone-pair)#service-policy type inspect POLICY_DENY_SITES

Inspect service-policy attachment failed

Why does it not allow me to apply policies? Please help me at your earliest....

Thank you

15 REPLIES

HOW to block websites

Hello,

As I already answered you personally, the problem is that you are attaching an L7 policy to the service-policy.

Only L4 policies are supported on the service-policy.

What to do:

Create an L4 policy, set the L7 into that L4, and then attach the L4 to the service-policy.

Regards,

Jcarvaja

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

HOW to block websites

Highly appreciate your answer...thank you very much...

You mean ZBFW doesn't support L7 policies???

Could you kindly show me how to do this...very sorry for my poor understanding...

Thanks

Re: HOW to block websites

Hello,

No problem

It is supported, but you cannot apply it directly to the service-policy

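! L7 (HTTP) class and policy: match on the Host header and reset the connection
class-map type inspect http match-all CLASS_DENY_SITES
 match  request header host regex DENY_SITES
!
policy-map type inspect http POLICY_DENY_SITES
 class type inspect http CLASS_DENY_SITES
  reset
!
! L4 class and policy: inspect HTTP and nest the L7 policy under it
class-map type inspect HTTP_123
 match protocol http
!
policy-map type inspect HTTP_123
 class type inspect HTTP_123
  inspect
  service-policy http POLICY_DENY_SITES
!
! Attach the L4 policy (not the L7 one) to the zone-pair
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect HTTP_123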

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

HOW to block websites

Hi,

Thank you very much for the reply.

I have done the configuration as you have instructed. But I am still getting the same message.

policy-map type inspect HTTP_123

class HTTP_123

inspect

service-policy POLICY_DENY_SITES

Router(config-sec-zone-pair)#service-policy type inspect POLICY_DENY_SITES

Inspect service-policy attachment failed

Should it be as follows????

Router(config-sec-zone-pair)#service-policy type inspect HTTP_123 ???????

Re: HOW to block websites

Yeah

I just updated the previous post!

Regards,

Jcarvaja

HOW to block websites

Thank you very much for your help. I will apply this in the production env and check. Hope I can block unwanted sites in the same manner. So I appreciate your quick response and rated....

Have a good day

HOW to block websites

Hello,

It is a pleasure to help,

Regards,

Jcarvaja

HOW to block websites

Hi,

I have tried to block Facebook today in the same way I have mentioned above, but it didn't work out. That means the regex method doesn't work??? Can you give me any other method??

Thanks

HOW to block websites

Hello,

Is the traffic going via HTTP or HTTPS? Remember, HTTPS cannot be blocked with this method, as the traffic goes encrypted.

Regards,

Jcarvaja

HOW to block websites

Hi,

Tried HTTP traffic also, but it didn't work. What is the other method you can recommend me? Access-list??

(ZBFW inside interface is connected to the TMG server, outside to the ISP. Can't I block from the TMG at least??)

Thanks

HOW to block websites

No,

That's the only method available to block HTTP websites using the local database; otherwise you should get a content engine.

You sure the site is not being switched to HTTPS? Try with a different site (YouTube for example, or any one that comes into your mind)

Note: Share the latest config please

Regards,

Jcarvaja

HOW to block websites

Yes, you are correct...this is switching to HTTPS..

But my question is, I just tried to block yahoo.com in this manner..didn't work.

You mean if it is HTTPS...we can't block using even an ASA????

HOW to block websites

Hello,

No, it will not work, because we are matching the header host value on the packet, and with HTTPS that goes encrypted and the device will not be able to understand it.

Now, with an ASA I have matched the DNS requests looking for facebook.com, so I block the DNS request. With no resolution I will not be able to go to Facebook unless I know the IP address, which is highly unlikely, but at some time it could happen.

Regards,

Jcarvaja

HOW to block websites

Thx Julio....

So the conclusion is..if it is HTTPS...it is not possible to block from ZBFW?? But if it is HTTP..can block in the above manner??

Pls correct me if I am wrong..

Thanks

HOW to block websites

Hello,

You got it

If you try to match an HTTP header host, then you will block the traffic only if you are able to see what it says in that field

HTTP yes, you should

Regards,

Jcarvaja
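The conclusion of the thread, as an added example that is not part of any post: a small Python model of the Host-header match, showing why the DENY_SITES regex fires on plaintext HTTP, sees nothing to match once the session is TLS, and over-matches because its dot is unescaped. The sample payloads, the `classify` and `host_header` helpers and the `STRICT` pattern are constructed for illustration; this is not how IOS implements inspection.

```python
import re

# Pattern exactly as posted in parameter-map DENY_SITES (dot is unescaped).
DENY_SITES = re.compile(r".*facebook.com", re.IGNORECASE)
# Assumption: a tighter pattern for comparison, not taken from the thread.
STRICT = re.compile(r"(^|\.)facebook\.com(:\d+)?$", re.IGNORECASE)

def host_header(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # Request line must look like: METHOD SP target SP HTTP/1.x
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None  # e.g. a TLS record: nothing here parses as HTTP
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def classify(payload: bytes, pattern=DENY_SITES) -> str:
    """Model of the L7 class: 'reset' on match, 'allow' otherwise."""
    host = host_header(payload)
    if host is None:
        return "no-host-visible"  # the L7 class has no field to match on
    return "reset" if pattern.search(host) else "allow"

# Constructed sample payloads (not captured traffic).
HTTP_FB = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
HTTP_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
HTTP_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: facebookxcom.example.net\r\n\r\n"
# First bytes of a TLS handshake record (truncated, constructed).
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, pkt in [("http facebook", HTTP_FB), ("http other", HTTP_OTHER),
                      ("http lookalike", HTTP_LOOKALIKE), ("tls", TLS_RECORD)]:
        print(f"{name:15} posted={classify(pkt):16} strict={classify(pkt, STRICT)}")
```
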