Cisco Support Community
New Member

how can i block web sites and specific extensions???????

How can I block specific web sites?

And how do I block some specific extensions from being downloaded?

15 REPLIES
bjw
Silver

Re: how can i block web sites and specific extensions???????

There's a bevy of firewall products out there that can do that. ASA series in Cisco's case.

New Member

Re: how can i block web sites and specific extensions???????

I don't know how, that's why I'm asking.

I'm using router 827 and IOS 12.2.

Is it helpful?

New Member

Re: how can i block web sites and specific extensions???????

You need the firewall feature set. If you want to control what extensions are being downloaded (assuming you mean Java applets, for example) you need to use CBAC, and that's a feature of the firewall feature set. You can also block specific URLs.

Assuming you can install the FW version, try using SDM to configure the router.

Silver

Re: how can i block web sites and specific extensions???????

Hi,

you can use NBAR to match the traffic to drop, then use a solution like ACL/PBR (best for performance) to deny/route to Null0.

See that for example:

http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml

HTH

Andrea

New Member

Re: how can i block web sites and specific extensions???????

Sorry, I'm not expert enough to do that.

Can you give me an example, at least?

How can I block the rar extension and block www.google.com?

Re: how can i block web sites and specific extensions???????

Hi,

The logic is that simple. I'll try to simplify 2 methods, and you can use any of them. The first method is to match what you want via NBAR (match protocol), and then to police it.

! Match HTTP requests by URL pattern (requires NBAR)
class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
! Define the policy before attaching it to the interface
policy-map drop-http
 class http
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface FastEthernet0/0
 service-policy input drop-http

The second method is to mark the traffic on the ingress on the Ethernet port and then deny it on the egress at the serial port:

class-map match-any http
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map mark-http
 class http
  set dscp 1
!
interface FastEthernet0/0
 service-policy input mark-http
!
! ACL 103 drops anything marked DSCP 1; the access-group must reference the same ACL number
access-list 103 deny ip any any dscp 1
access-list 103 permit ip any any
!
interface Serial1/0.1 point-to-point
 ip access-group 103 in
 ip access-group 103 out

I hope that I've been informative; please never hesitate to ask further questions.

HTH, please do rate all helpful replies using the scroll box on the right,

Mohammed Mahmoud.

Silver

Re: how can i block web sites and specific extensions???????

Just another example:

class-map match-any DropTraffic
 match protocol http url "*www.google.com*"
 match protocol http url "*.rar*"
!
policy-map mark-DropTraffic
 class DropTraffic
  set dscp 1
!
interface FastEthernet0/0
 service-policy input mark-DropTraffic
!
interface Serial1/0.1 point-to-point
 ip policy route-map null_policy_route
!
route-map null_policy_route 10
 match ip dscp 1
 set interface Null0

HTH

Andrea

New Member

Re: how can i block web sites and specific extensions???????

This is the result:

hanymanyy(config-cmap)#match protocol http url "*www.google.com*"

^

% Invalid input detected at '^' marker.

It's wrong at http.

I don't know what's wrong.

Do you?

Re: how can i block web sites and specific extensions???????

Hi,

Can you please try this, and paste the output:

hanymanyy(config-cmap)#match protocol ?

or

hanymanyy(config-cmap)#match p?

BR,

Mohammed Mahmoud.

Re: how can i block web sites and specific extensions???????

Hi,

Unfortunately according to Cisco Feature Navigator, NBAR is not supported on your Cisco 827, please check it out:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

HTH,

Mohammed Mahmoud.

Silver

Re: how can i block web sites and specific extensions???????

yes correct, I've made a mistake, 8xx supports NBAR but not 827 :(

As David says, you could use a solution like that:

http://www.cisco.com/en/US/products/ps6643/products_white_paper0900aecd804abb11.shtml

"Configuring Cisco IOS URL Filtering Using the Command-Line Interface (CLI)"

HTH

Andrea

New Member

Re: how can i block web sites and specific extensions???????

Sorry again.

Can you give me an example?

Silver

Re: how can i block web sites and specific extensions???????

Hi,

What about using a web proxy like Squid with a URL filter like squidGuard, DansGuardian and so on?

http://www.squid-cache.org/Misc/related-software.dyn

That is probably the easy way for you.

HTH

Andrea
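
The proxy approach suggested above, as an added example that is not part of the original thread: a minimal squid.conf that denies www.google.com and .rar downloads using Squid's built-in ACL types, without a separate URL-filter add-on. The LAN range 192.168.1.0/24 and port 3128 are assumed values.

```conf
# Added example, not from the thread. LAN range and port are assumed values.
http_port 3128

# Clients allowed to use the proxy (assumed LAN addressing)
acl localnet src 192.168.1.0/24

# Sites to block, matched on the requested host name.
# Writing .google.com (leading dot) would also cover every subdomain.
acl blocked_sites dstdomain www.google.com

# File extensions to block, matched case-insensitively on the URL path,
# allowing for a trailing query string (file.rar?id=1).
acl blocked_ext urlpath_regex -i \.rar(\?.*)?$

# Order matters: the first matching http_access line decides.
# For HTTPS the proxy only sees "CONNECT host:port", so blocked_sites
# still applies but blocked_ext cannot match the encrypted path.
http_access deny blocked_sites
http_access deny blocked_ext
http_access allow localnet
http_access deny all
```

The filter only covers clients that actually go through the proxy, so the router should permit outbound web traffic from the proxy host alone.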

New Member

Re: how can i block web sites and specific extensions???????

Sorry again.

Is there any ACL which denies downloading some specific files? With an example.

And another ACL to deny some specific site?

With no tools or devices.

Re: how can i block web sites and specific extensions???????

Hi Hany,

Unfortunately the answer is no. You need Cisco IOS URL Filtering or NBAR to filter specific websites or specific files, or use a web proxy as Andrea suggested; an ACL can't do it.

HTH,

Mohammed Mahmoud.
