03-10-2009 06:37 AM - edited 03-06-2019 04:30 AM
All,
I don't think this is possible without extra equipment/software, but I wanted to ask.
Is there a way that I can create a time-based ACL and apply that policy-map to the ACL (or vice-versa)?
What I want to do is restrict Flash applications between 5 and 7:30 PM. I know that I can restrict URLs through a class-map, so I thought I would be able to restrict *.flv and *.swf between those times. Is there a way to do it?
I have either an 871W or an ASA that I can do this on. (The ASA is behind the 871W.)
Thanks,
John
03-12-2009 06:43 AM
Gonna need to see your config mate, also what URL are you testing with so I can try to replicate?
03-12-2009 06:57 AM
Here's the config for the class-map, policy-map, and all of the interfaces:
class-map match-all NO_FLASH
match access-group 151
match protocol http mime "application/x-shockwave-flash"
policy-map OUTBOUND
class ROKU-OUTBOUND
priority percent 25
class NO_FLASH
drop
class class-default
fair-queue 256
interface FastEthernet0
description Router Trunk
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
duplex full
speed 100
!
interface FastEthernet3
duplex full
speed 100
!
interface FastEthernet4
bandwidth 6144
ip address dhcp client-id FastEthernet4
ip access-group EXTERNAL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect NEMESIS-FW out
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
no cdp enable
service-policy output OUTBOUND
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
encryption vlan 1 mode ciphers tkip
!
ssid ISIS
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
infrastructure-client
ip nbar protocol-discovery
!
interface Dot11Radio0.1
description Normal WIFI
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description DMZ$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
service-policy input ROKU
interface BVI1
description Internal Interface$ES_LAN$$FW_INSIDE$
ip address 10.20.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
hold-queue 100 out
!
access-list 151 permit ip 10.20.1.0 0.0.0.255 any
I was trying both youtube.com and addictinggames.com. I need to be able to block any online game or video anywhere, not just these two sites.
Thanks for looking at this Adam!
John
03-13-2009 04:01 AM
I've been playing around with this for a while this morning, and I can't get it to work. Does it have something to do with NAT?
03-13-2009 04:05 AM
Ah, highly possible. Is your ACL matching the post- or pre-NAT address, and have you tried it without the ACL?
03-13-2009 04:17 AM
Okay,
It does start to match the traffic with the ACL removed. I can still get to youtube, but addictinggames.com stopped working (which is what I want). I couldn't get it to work with the mime type under match protocol, but I got it to work with the url *.swf|*.flv|*.js.
How would I be able to get this to work using NAT?
03-13-2009 04:37 AM
I can't get it to match the mime type though.
I pulled this from youtube's "embed this link on your site" code:
The mime type that I have set on the match protocol is application/x-shockwave-flash, but I'm not seeing hits on it.
John
03-13-2009 04:39 AM
At least we have progress.
Let's focus on the ACL first. Are you matching on the pre- or post-NAT address? Put both in the ACL and see which gets the hit; it should be the post-NAT address.
03-13-2009 06:28 AM
Okay,
Yes it matches my external address of 99.x.x.x, and it doesn't match the internal address.
Even though it was matching on it, I could still get to youtube. My match statement was like:
match protocol http url *youtube.com*
I also tried:
*.youtube.com
*youtube.com
Nothing I tried will block the traffic. I know that I'm missing something because I've seen too many documents that verify this is configured correctly.
John
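The original question asked for the block to apply only between 5 and 7:30 PM, and the exchange above established that an output policy on the outside interface sees traffic after NAT, so an ACL keyed on the 10.20.1.0/24 source never matches there. The following configuration is an added example, not the poster's or any replier's config: it shows a time-range attached to an ACL, the ACL nested under a match-all class-map together with the NBAR URL matches, and the resulting policy applied outbound. The names NO_FLASH_HOURS, FLASH_URLS, NO_FLASH_TIMED and access-list 152 are assumptions; whether time-based ACLs are honoured inside MQC class-maps on the 871 is also assumed and should be confirmed on the box.

```ios
! Added example (not from the thread). Assumed names: NO_FLASH_HOURS,
! access-list 152, FLASH_URLS, NO_FLASH_TIMED.
! The router clock must be correct (NTP or "clock set") or the time-range
! will not open and close when you expect.
!
! Evening window only, every day.
time-range NO_FLASH_HOURS
 periodic daily 17:00 to 19:30
!
! The time-range lives on the ACL entry. Source is "any" on purpose:
! on the outside interface the output policy is evaluated after NAT, so a
! 10.20.1.0/24 source (as in the poster's access-list 151) never matches.
access-list 152 permit tcp any any eq www time-range NO_FLASH_HOURS
!
! URL patterns collected under a match-any class-map so that the time
! condition can be ANDed with "any of these URLs" in the outer class.
class-map match-any FLASH_URLS
 match protocol http url "*.swf*"
 match protocol http url "*.flv*"
!
! match-all: inside the window (ACL 152) AND a Flash URL.
class-map match-all NO_FLASH_TIMED
 match access-group 152
 match class-map FLASH_URLS
!
policy-map OUTBOUND
 class NO_FLASH_TIMED
  drop
 class class-default
  fair-queue 256
!
interface FastEthernet4
 service-policy output OUTBOUND
!
! Verification: the time-range shows "active"/"inactive", the ACL shows
! hit counts only while active, and the policy shows packets classified
! and dropped under NO_FLASH_TIMED.
! show time-range NO_FLASH_HOURS
! show access-lists 152
! show policy-map interface FastEthernet4
```

Two caveats a practitioner would want: NBAR's URL and MIME matches only see plain HTTP on ports it classifies as HTTP, so content fetched over HTTPS (or over a non-standard port NBAR does not recognise) passes untouched; and the poster's other classes (such as the ROKU priority class, not reproduced here) are unaffected by adding the timed class as long as it is listed before class-default.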
03-13-2009 06:43 AM
Hi mate
So your setup is similar to this:
class-map match-any test
match protocol http url "*youtube.com"
match protocol http url "*youtube.com*"
!
!
policy-map test
class test
drop
Can you post the output of:
sh policy-map interface