URFILTER

I have configured a 1700 series router with IOS 12.3(1a) and Firewall Feature Set to filter url requests to a Websense server.

Command 'show version' returned:

Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1710-K9O3SY-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 06-Jun-03 19:50 by dchih
Image text-base: 0x80008120, data-base: 0x80F0625C

ROM: System Bootstrap, Version 12.2(1r)XE1, RELEASE SOFTWARE (fc1)

******* uptime is 4 hours, 55 minutes
System returned to ROM by power-on
System restarted at 09:08:58 summer Thu Jul 17 2003
System image file is "flash:c1710-k9o3sy-mz.123-1a.bin"

cisco 1710 (MPC855T) processor (revision 0x200) with 55706K/9830K bytes of memory.
Processor board ID JAD06210391 (2582170859), with hardware revision 0000
MPC855T processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Command 'show startup-config' returned:

Using 4804 out of 29688 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname ********
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret
username
memory-size iomem 15
clock timezone UTC 3
clock summer-time summer recurring
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name test http java-list 51 urlfilter timeout 30
ip urlfilter allow-mode on
ip urlfilter cache 1000
ip urlfilter server vendor websense 172.16.100.10 timeout 30
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****************** address ******************
!
!
crypto ipsec transform-set ****************** esp-3des esp-md5-hmac
!
crypto map ****************** 1 ipsec-isakmp
 set peer ******************
 set security-association lifetime seconds 28800
 set transform-set ******************
 match address 100
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address ******************
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 half-duplex
 no cdp enable
 crypto map AG-Moscow
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$
 ip address 172.16.75.2 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect test in
 ip route-cache flow
 speed auto
 no cdp enable
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ******************
ip http server
ip http authentication local
ip http secure-server
!
!
access-list 51 permit any
access-list 100 permit ip 172.16.75.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 deny ip 172.16.75.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 permit ip 172.16.75.0 0.0.0.255 any
access-list 102 permit tcp host ****************** any eq telnet
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit icmp any any
access-list 102 permit tcp 172.16.100.0 0.0.0.255 any eq telnet
access-list 102 permit tcp 172.16.100.0 0.0.0.255 any eq 5900
access-list 102 permit udp host 128.227.205.3 any eq ntp
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip ****************** any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ahp host ****************** host ******************
access-list 104 permit esp host ****************** host ******************
access-list 104 permit udp host ****************** host ****************** eq isakmp
access-list 104 permit udp host ****************** host ****************** eq non500-isakmp
access-list 104 permit ip 172.16.100.0 0.0.0.255 172.16.75.0 0.0.0.255
access-list 104 deny ip 172.16.75.0 0.0.0.255 any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
no cdp run
!
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179653
ntp server 128.227.205.3
!
end

When I check the status of the url filtering by entering "sh ip urlfilter config", I get this:

Websense URL Filtering is DISABLED

Primary Websense server configurations
=========================================

Secondary Websense servers configurations
============================================
Websense server IP address: 172.16.100.10
Websense server port: 15868
Websense retransmission time out: 30 (in seconds)
Websense number of retransmission: 2

Other configurations
=====================
Allow Mode: ON
System Alert: ENABLED
Audit Trail: DISABLED
Log message on Websense server: DISABLED
Maximum number of cache entries: 1000
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000

I cannot understand why Websense URL filtering is disabled.

Anyone help please?

1 REPLY

Re: URFILTER

The problem seems to be with applying the rule to the interface. You have applied the rules with the name 'test' (ip inspect test in), which is not defined in your configuration. Please see the doc 'Firewall Websense URL Filtering' at

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a0080146556.html#1027188
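The reply's diagnosis is a cross-reference between two parts of an IOS firewall configuration: the inspection rule set named on an interface with `ip inspect <name> in|out`, and the rule set defined globally with `ip inspect name <name> <protocol> ...`. The Python script below is an added example, not code from this thread or from any Cisco tool, that automates exactly that cross-reference over IOS-style configuration text. Beyond the reply's one check it also verifies that a rule carrying the `urlfilter` keyword is both applied to an interface and backed by an `ip urlfilter server vendor` line, and that a `java-list` number it references has a matching `access-list`. The configuration it parses is a small constructed excerpt (rule names `WEB` and `test`, server 172.16.100.10) written for the demonstration, not the poster's full configuration; it strips leading whitespace from each line so that a paste with the sub-command indentation lost, as in this thread, is handled the same as a pristine `show running-config`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample excerpt for the demonstration (not the poster's config):
# DEFAULT100 is defined and applied, WEB carries urlfilter but is never
# applied and references an undefined java-list, and 'test' is applied on an
# interface without any 'ip inspect name test ...' definition.
SAMPLE_CONFIG = """\
!
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name WEB http java-list 51 urlfilter timeout 30
ip urlfilter allow-mode on
ip urlfilter server vendor websense 172.16.100.10 timeout 30
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip inspect DEFAULT100 out
!
interface FastEthernet0
 description $FW_INSIDE$
 ip inspect test in
!
end
"""

DEFINE_RE = re.compile(r"^ip inspect name (\S+) (\S+)(.*)$")   # global rule set definition
APPLY_RE = re.compile(r"^ip inspect (\S+) (in|out)$")            # interface sub-command
SERVER_RE = re.compile(r"^ip urlfilter server vendor (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+)\s")
JAVA_LIST_RE = re.compile(r"\bjava-list (\S+)")


@dataclass
class InspectAudit:
    defined: dict = field(default_factory=dict)       # rule name -> set of protocols
    urlfilter_rules: set = field(default_factory=set)  # rule names with the urlfilter keyword
    java_lists: dict = field(default_factory=dict)    # rule name -> java-list ACL number
    applied: dict = field(default_factory=dict)       # rule name -> ["<iface> <dir>", ...]
    servers: list = field(default_factory=list)       # URL filter server addresses
    acls: set = field(default_factory=set)            # numbered/named ACLs that exist
    findings: list = field(default_factory=list)


def audit(config_text: str) -> InspectAudit:
    """Parse IOS-style config text and cross-check inspection/urlfilter references."""
    a = InspectAudit()
    iface = None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate stripped indentation, as in the forum paste
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if line in ("!", "end"):
            iface = None  # section delimiter ends the current interface block
            continue
        m = DEFINE_RE.match(line)
        if m:
            name, proto, rest = m.groups()
            a.defined.setdefault(name, set()).add(proto)
            if "urlfilter" in rest.split():
                a.urlfilter_rules.add(name)
            j = JAVA_LIST_RE.search(rest)
            if j:
                a.java_lists[name] = j.group(1)
            continue
        m = APPLY_RE.match(line)
        if m:
            name, direction = m.groups()
            a.applied.setdefault(name, []).append(f"{iface or '<global>'} {direction}")
            continue
        m = SERVER_RE.match(line)
        if m:
            a.servers.append(m.group(2))
            continue
        m = ACL_RE.match(line)
        if m:
            a.acls.add(m.group(1))

    # The reply's check: a name applied on an interface must have a definition.
    for name, places in a.applied.items():
        if name not in a.defined:
            a.findings.append(
                f"rule '{name}' applied on {', '.join(places)} but no "
                f"'ip inspect name {name} ...' defines it")
    # The converse: a defined rule set that inspects nothing anywhere.
    for name in a.defined:
        if name not in a.applied:
            a.findings.append(f"rule '{name}' is defined but not applied to any interface")
    # java-list references must point at an existing access-list.
    for name, acl in a.java_lists.items():
        if acl not in a.acls:
            a.findings.append(f"rule '{name}' references java-list {acl} but no access-list {acl} exists")
    # urlfilter needs both an applied rule and a server to talk to.
    urlfilter_applied = [n for n in a.urlfilter_rules if n in a.applied]
    if urlfilter_applied and not a.servers:
        a.findings.append("urlfilter keyword in use but no 'ip urlfilter server vendor ...' configured")
    if a.servers and not urlfilter_applied:
        a.findings.append("URL filter server configured but no applied inspection rule carries the urlfilter keyword")
    return a


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for finding in result.findings:
        print("FINDING:", finding)
```

Run against the constructed excerpt, the script reports four findings: `test` is applied on FastEthernet0 inbound without a definition (the reply's point), `WEB` is defined but applied nowhere, `WEB` references java-list 51 without an `access-list 51`, and a Websense server is configured while no applied rule carries `urlfilter`. The last two findings are the ones to read alongside a `show ip urlfilter config` that reports filtering disabled: they name the references to inspect before touching the server side.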
