04-10-2012 02:45 AM - edited 03-07-2019 06:02 AM
Hi all,
I would like to configure a few routes on my Cisco router 871 in order to allow my employees to have access only to specific websites.
However, since some websites have dynamic IPs, probably the route that I will create will not work.
My question is, can I configure a route or is there any other way to configure this permission based on the hostname/domain?
For example, if I want to permit access to this website www.surveymonkey.com (75.98.93.51) instead of configuring:
ip route 75.98.93.51 255.255.255.255 192.168.10.250
is there any way to configure based on the (www.surveymonkey.com) in order to be able to recognise this host correctly??
Really appreciate any answer,
Thank you for your time,
Regards,
Leon
04-10-2012 08:30 AM
Hi leonnikolaou
Well, I don't know your network design, or whether you are using an internal DNS or web proxy server.
However, from a technical point of view, I have an idea to partially automate it through the use of IP SLA and EEM
(the SITE IP address changes --> IP SLA fails --> you are notified by mail and through Syslog that the site is down --> you manually change the route)
Create IP SLA to monitor http access to the site:
=====================================
ip sla 10
http get http://75.98.93.51
frequency 300
ip sla schedule 10 start-time now life forever
Configure tracking referencing the IP SLA:
===============================
! the track object must reference the IP SLA operation number (10) defined above
track 1 ip sla 10 reachability
Configure EEM to send mail to some@a7a.com and to generate a Syslog message for the IP SLA:
=====================================================================
event manager applet a7a
event track 1 state down
action 1.0 mail server "88.88.88.88" to "some@a7a.com" from "example@a7a.com" subject "surveymonkey site is down" body "anything"
action 2.0 syslog msg "surveymonkey site is down"
Finally, if you know EEM scripting then you can fully automate it:
(the SITE IP address changes --> IP SLA fails --> perform ping www.surveymonkey.com --> from the output you retrieve the new IP address (programming script) --> delete old route --> add new route (programming script) --> optionally you could notify yourself as well)
First configure your router for DNS:
==========================
ip name-server 192.168.1.100
ip domain lookup
IPSLA and Track are the same
event manager applet a7a
event track 1 state down
action 1.0 cli command "ping www.surveymonkey.com "
*******************some script command should be here to get the new IP address***************************
action 2.0 cli command "no ip route 75.98.93.51 255.255.255.255 192.168.10.250"
action 3.0 cli command " ip route <
action 4.0 mail server "88.88.88.88" to "some@a7a.com" from "example@a7a.com" subject " surveymonkey site IP changed" body "anything"
action 5.0 syslog msg "surveymonkey site IP changed"
Hint: sample ping www.surveymonkey.com output would be:
========================================
Translating "www.cisco.com"...domain server (192.168.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/228/236 ms
The IP address here is 198.133.219.25
I hope this helps
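
The "programming script" step sketched in the reply above (pull the new address out of the ping output, then swap the host route), as an added Python example that is not part of the original post. It assumes the ping output is captured and processed off-box; `extract_target_ip` and `build_route_update` are hypothetical names, and because the address comes from DNS it is rejected unless it is a public unicast IPv4 address.

```python
import ipaddress
import re

# Sample input: the IOS ping output quoted in the post above.
SAMPLE_PING = """Translating "www.cisco.com"...domain server (192.168.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/228/236 ms
"""

# IOS prints the resolved address on the "Sending ..." line.
ECHO_RE = re.compile(r"ICMP Echos to (\d{1,3}(?:\.\d{1,3}){3}),")


def extract_target_ip(ping_output):
    """Return the address IOS resolved and pinged, or None if unusable."""
    match = ECHO_RE.search(ping_output)
    if match is None:
        return None  # resolution failed, e.g. "% Unrecognized host or address"
    try:
        addr = ipaddress.IPv4Address(match.group(1))
    except ipaddress.AddressValueError:
        return None  # an octet is out of range
    # The value originates from a DNS answer, so refuse anything that is not
    # a public unicast address before it can reach the routing table
    # (a spoofed answer could otherwise point the route at an internal host).
    if not addr.is_global:
        return None
    return str(addr)


def build_route_update(old_ip, new_ip, next_hop, mask="255.255.255.255"):
    """Return the config-mode commands that move the host route, or []."""
    if new_ip is None or new_ip == old_ip:
        return []  # nothing trustworthy to change
    return [
        f"no ip route {old_ip} {mask} {next_hop}",
        f"ip route {new_ip} {mask} {next_hop}",
    ]


if __name__ == "__main__":
    new_ip = extract_target_ip(SAMPLE_PING)
    for line in build_route_update("75.98.93.51", new_ip, "192.168.10.250"):
        print(line)
```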
04-10-2012 08:31 AM
IP routes can only look at the IP Header in a given packet.
You would need some Application Layer device such as a proxy or a product like WebSense.
Thanks.