
New Member

URL Filtering WITHOUT Websense?

Hi folks. I am new to Cisco products and there are a few things I am trying to configure. I am running a 2821 Router with IOS v 12.4(10a). I am trying to configure the URL filtering portion of the firewall ACL. I have configured it to deny one site, then I enable the filter and it shuts down all internet sites. When I disable the URL filtering, everything works fine again. This looks pretty cut and dry but apparently it is not. I was also reading that I needed a Websense server to use this feature? Is that correct? Thanks.

22 REPLIES

Re: URL Filtering WITHOUT Websense?

Yes, a proxy server is required.

New Member

Re: URL Filtering WITHOUT Websense?

Okay thanks. That is what I thought.

Re: URL Filtering WITHOUT Websense?

Hi,

Hmmmm, I had a big long chorus written out for you explaining that local URL filtering would work and how to implement it, but I decided to just test it on my own 831, IOS 12.3(8)T8, when I discovered that I have exactly the same issue as you. I have done this before for customers. Maybe it is a bug.

Might try it with an older IOS later, just to test it.

If anyone else has any ideas, I'd like to know too.

Cheers

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Re: URL Filtering WITHOUT Websense?

Sorry I read it too fast, I thought it was a PIX. I never tried it with IOS.

New Member

Re: URL Filtering WITHOUT Websense?

Hi, I have the same situation with a 2821 router with IOS Version 12.4(7c). Can't it be done without a Websense server, just to block a specific URL like www.hotmail.com??

thanks

Juan Garcia

Cisco Employee

Re: URL Filtering WITHOUT Websense?

Hello,

You can use the IOS f/w URL filtering without using the Websense server. I would like to check the IOS configuration done on the router.

Please paste the router configuration.

HTH,

-amit singh

New Member

Re: URL Filtering WITHOUT Websense?

Hi folks. I didn't know this thread was still active, but I did find the answer to my problem through a friend, by using the urlfilter exclusive-domain....etc. command. Thanks to everyone for their help.

New Member

Re: URL Filtering WITHOUT Websense?

hello, can you post your solution to filter URLs please?

New Member

Re: URL Filtering WITHOUT Websense?

---- actually we have only the basics configured by SDM and some by CLI

ip name-server <>
ip name-server <>
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW http
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
interface GigabitEthernet0/0
 ip address 10.1.1.5 255.255.252.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:1
 ip address <>
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 no fair-queue
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1
!
!
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 100 permit udp host 131.107.1.10 eq ntp host 10.1.1.5 eq ntp
access-list 100 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 100 permit udp host 192.43.244.18 eq ntp host 10.1.1.5 eq ntp
access-list 100 deny ip <> any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host <>
access-list 101 permit tcp any host <>
access-list 101 permit udp any host <>
access-list 101 permit tcp any host <>
access-list 101 permit udp host <> eq domain host <>
access-list 101 permit udp host <> eq domain host <>
access-list 101 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 101 permit udp host 131.107.1.10 eq ntp host <> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 101 permit udp host 192.43.244.18 eq ntp host <> eq ntp
access-list 101 deny ip 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp any host <> echo-reply
access-list 101 permit icmp any host <> time-exceeded
access-list 101 permit icmp any host <> unreachable
access-list 101 permit tcp any host <> eq 443
access-list 101 permit tcp any host <> eq 22
access-list 101 permit tcp any host <> eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!
!
ntp clock-period 17180301
ntp update-calendar
ntp server 192.43.244.18 prefer
ntp server 131.107.1.10
!
end

---------------------------------------

I tried the command

ip urlfilter exclusive-domain deny www.hotmail.com

(that was added by SDM using "url filter"), but SDM blocked all pages.

Thanks beforehand

Juan Manuel Garcia

New Member

Re: URL Filtering WITHOUT Websense?

I finally found out.

First I need to activate the command:

ip urlfilter allow-mode on

to inspect the URL even without a Websense server,

and then the command:

ip urlfilter source-interface eth0/0

to apply the filtering, I guess,

and finally the commands:

ip urlfilter exclusive-domain deny .danger.com

The dot at the start indicates any web page in that domain, and you just need to specify the denies rather than the permits, because the allow-mode on command permits everything but the specified URLs.

Thanks everybody for the posts.

Anyone know if there's a performance issue filtering URLs this way?

Juan Manuel Garcia Reyes

Re: URL Filtering WITHOUT Websense?

Hi Brider,

This is the working configuration which I use in my organization to block Google chat and the meebo.com site. I have been using this for the past 4 months without any problem on my Cisco 1751.

ip inspect alert-off
ip inspect name URL_FILTER http java-list 2 urlfilter
ip urlfilter allow-mode on
ip urlfilter cache 5
ip urlfilter exclusive-domain deny chatenabled.mail.google.com
ip urlfilter exclusive-domain deny .meebo.com
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
 ip inspect URL_FILTER in
 speed auto
!
access-list 2 permit any

The above config will block the sites I have listed and everything else is allowed, because the "ip urlfilter allow-mode on" command is present. If it is not present, then it blocks the entire internet traffic, so make sure that you're issuing this command.

I hope this helps.

Rate this post if satisfied.
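Putting the three steps from the earlier post and the working 1751 config together, the following is an added, annotated IOS CBAC example (not taken from any post in this thread) that blocks domains locally with no Websense/N2H2 server defined, and shows where each command lives (global vs. interface) and how to verify the result. The inspect rule name, interface name and the example domains are assumptions, not values from the thread.

```cisco
! ===== Global configuration (added example; names and domains are placeholders) =====
!
! 1. An inspect rule for HTTP that hands every request to the URL filter.
!    ("java-list 2", seen in the thread, is optional and only governs Java applet filtering.)
ip inspect name URL_FILTER http urlfilter
!
! 2. allow-mode on: with no filtering server configured, requests that match no
!    exclusive-domain entry are PERMITTED. With allow-mode off (the default) they are
!    all dropped, which is the "every site is blocked" symptom the thread describes.
ip urlfilter allow-mode on
!
! 3. The local deny/permit list. A leading dot matches every host in the domain
!    (www.example.net, mail.example.net, ...); no dot matches that exact host only.
!    Permit entries are only needed to carve an exception out of a denied domain.
ip urlfilter exclusive-domain deny .example.net
ip urlfilter exclusive-domain deny chat.example.org
ip urlfilter exclusive-domain permit allowed.example.net
!
! Optional: write each permit/deny decision to syslog so blocks can be reviewed.
ip urlfilter audit-trail
!
! ===== Interface configuration =====
! Apply the rule on the interface the users' HTTP requests traverse, in the direction
! they flow: "in" on the LAN-facing interface (as in the 1751 config) or "out" on the
! WAN-facing interface (as in the SDM-generated config earlier in the thread).
interface GigabitEthernet0/0
 description LAN (assumed name)
 ip inspect URL_FILTER in
!
! ===== Verification (exec mode) =====
! show ip urlfilter config      -> allow-mode, the exclusive-domain list, no server defined
! show ip urlfilter statistics  -> requests seen, permitted/denied by the local list
! show ip urlfilter cache       -> server-response cache (stays empty without a server)
```

Only plaintext HTTP is inspected this way; HTTPS requests do not expose the host name to CBAC and pass or fail on the IP-level ACLs alone.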

New Member

Re: URL Filtering WITHOUT Websense?

Can you do this on an ASA 5505??

Re: URL Filtering WITHOUT Websense?

YES, URL filtering can be configured on the ASA as well.

New Member

Re: URL Filtering WITHOUT Websense?

How?

New Member

Re: URL Filtering WITHOUT Websense?

How can we do it on an ASA5520?? As far as I have come to know, we need a Websense server for it. Any comments?

New Member

Re: URL Filtering WITHOUT Websense?

Yea, you can block particular web sites either using a URL filtering server like Websense or SmartFilter (both supported on the ASA platform), or you can block statically using an ACL. For example, to block hotmail.com:

access-list acl-in remark Block hotmail.com
access-list acl-in extended deny tcp any 64.4.0.0 255.255.192.0 eq www log
access-list acl-in extended permit ip any any

I am not sure about the subnet mask; in CIDR format it will be 64.4.0.0/18.

This ACL blocks the whole of hotmail.com on the ASA.

regard

New Member

Re: URL Filtering WITHOUT Websense?

Hi,

Will this work on an 1811 router with zone based firewall currently in operation?

New Member

Re: URL Filtering WITHOUT Websense?

Where do you apply these commands? In global config mode? Within the access list? Any help is appreciated.

New Member

Re: URL Filtering WITHOUT Websense?

Kamran.Cisco,

Could you please post a running config where this is configured on an ASA and is working. I am new to the ASA line and need a little guidance. Thank you for your help.

Jason

New Member

Re: URL Filtering WITHOUT Websense?

access-list inside_access_out remark Block Hotmail.com
access-list inside_access_out extended deny tcp any 64.4.0.0 255.255.192.0 eq www log
access-list inside_access_out extended permit ip any any
access-group inside_access_out in interface inside

Typically, the Ethernet0/X port on your ASA that is on your PRIVATE network is called inside, or private, etc. Whatever you called it with the nameif syntax. You create an access list, apply it using the access-group command to your inside/private interface.

Make sure you have a 'permit ip any any' at the end, otherwise the explicit deny will block all other traffic not specifically permitted.
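The ACL above matches on destination IP, so it has to be maintained whenever the site's address space changes. As an added example (not from any post in this thread), the ASA can also block on the requested host name without a Websense server by using HTTP application inspection in the Modular Policy Framework: a regex matched against the HTTP Host header drops the connection. The class-map, policy-map, regex names and the example domain are assumptions.

```cisco
! ===== Host-name based block with HTTP inspection (added example; names are placeholders) =====
!
! 1. Regular expression matched against the Host request header.
!    Dots are escaped so they match literally; this also catches sub-domains.
regex HOST_EXAMPLE "example\.net"
!
! 2. Group one or more regexes into a regex class.
class-map type regex match-any BLOCKED_HOSTS
 match regex HOST_EXAMPLE
!
! 3. HTTP inspection class: match requests whose Host header hits the regex class.
class-map type inspect http match-all HTTP_BLOCKED_HOST
 match request header host regex class BLOCKED_HOSTS
!
! 4. HTTP inspection policy: drop (and log) matching connections.
policy-map type inspect http HTTP_HOST_FILTER
 parameters
 class HTTP_BLOCKED_HOST
  drop-connection log
!
! 5. Select the traffic to inspect (plaintext HTTP on port 80) and attach the policy.
class-map INSIDE_HTTP
 match port tcp eq www
policy-map INSIDE_POLICY
 class INSIDE_HTTP
  inspect http HTTP_HOST_FILTER
!
! 6. Apply to the inside interface (the interface named with "nameif inside").
!    Only one service-policy may be bound per interface.
service-policy INSIDE_POLICY interface inside
!
! ===== Verification =====
! show service-policy interface inside   -> confirms the policy is bound and shows counters
! show running-config policy-map         -> review the inspection policy
```

As with the IOS approach, this covers plaintext HTTP only: an HTTPS request carries its host name inside TLS, so for port 443 the destination-IP ACL remains the only static option on the ASA. Keep the `permit ip any any` on the interface ACL so the MPF policy, not an implicit deny, decides what is dropped.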

New Member

Re: URL Filtering WITHOUT Websense?

Got it. So basically this is just blocking the IP. Not actually blocking on the URL name. The remark line is just so you know what the next line of the ACL is blocking. Is there any way to do a re-direct based on a requested IP?

Jason

New Member

Re: URL Filtering WITHOUT Websense?

For the 2800 series integrated services routers, is there any way to add a custom error message in the form of an html?
