01-09-2007 11:31 PM - edited 03-09-2019 05:11 PM
My LAN office is connected to the Internet through:
LAN---PIX----(Ethernet)Router(Serial)---Internet
My router config is (X, Y, Z, W are all real IPs):
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no aaa new-model
ip subnet-zero
ip cef
ip domain name my.dom
ip name-server X1.Y1.Z.W1
ip name-server X2.Y2.Z2.W2
ip ips po max-events 100
no ftp-server write-enable
!
!
interface Serial0/0
 ip address X.X.X.X 255.255.255.252
!
interface FastEthernet0/1
 ip address Y.Y.Y.Y 255.255.255.240
 ip access-group IDS_FastEthernet0/1_out_0 out
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.Z
!
!
ip http server
no ip http secure-server
!
ip access-list extended IDS_FastEthernet0/1_out_0
 permit ip host 10.6.100.250 any
 permit ip any any
I want to apply URL filtering on my router. I am thinking of applying the following
to my router; would that be correct, or am I far off?
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*admin.dll*"
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
interface Serial0/0
 service-policy input mark-inbound-http-hacks
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
interface FastEthernet0/1
 ip access-group 105 out
01-10-2007 06:56 AM
Hi,
The config you have in mind is good enough to filter out the mentioned url.
This should work well.
Regards,
Vivek
01-11-2007 04:37 AM
If I want to block YouTube or video streaming through my router, how would you do that?
Or give it less priority...
01-11-2007 09:37 AM
In a class-map add:
 match protocol http url "*youtube.com*"
Now you can either drop it using a policy-map as in the previous config, or police the rate in the policy-map and apply it to the interface.
01-13-2007 03:14 AM
I am thinking of configuring Cisco NBAR on my Internet router (37xx).
In the meantime I am aware that 90% of the traffic from the Internet to
my LAN, besides IP routing, is HTTP, and as you know a lot of other protocols are embedded into HTTP.
Now my goal is not to block streaming and P2P,
but to limit the bandwidth usage of those protocols, for example (FTP, YouTube, Yahoo media, Internet music radio, P2P, torrent, eDonkey, Skype, Gnutella, Skype, WinMX, Kazaa, eMule, Napster, etc.).
Any sample configuration that could do that for me?
01-15-2007 04:56 AM
Hi,
This should help:
class-map match-any webt
 match protocol http url "*youtube.com*"
policy-map test
 class webt
  police rate percent 10
   conform-action transmit
   exceed-action drop
interface fa0/1
 service-policy input test
The police option can be changed as needed. Also, more URLs to match can be added to the class-map defined.
01-15-2007 11:04 PM
>interface fa0/1
>service-policy input test
should not be on the serial interface.
01-16-2007 04:43 AM
That was just an example.
Where you apply it depends on your network. If your traffic is coming in through a serial interface, then you would apply it there.
01-17-2007 05:02 AM
Flr1-Router-internet(config-if)#service-policy input mark-http-limits
Policy map mark-inbound-http-hacks is already attached
Why can't I add another service policy to the interface, and how can I resolve this issue regarding my above configuration?
01-18-2007 04:00 AM
There can only be one policy in each direction per interface.
You will have to modify your existing policy as per your requirement (as with access-lists).
01-18-2007 05:37 AM
Can you tell me how it should look regarding my config?
My LAN office is connected to the Internet through:
LAN---PIX----(Ethernet)Router(Serial)---Internet
My router config is (X, Y, Z, W are all real IPs):
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no aaa new-model
ip subnet-zero
ip cef
ip domain name my.dom
ip name-server X1.Y1.Z.W1
ip name-server X2.Y2.Z2.W2
ip ips po max-events 100
no ftp-server write-enable
!
!
interface Serial0/0
 ip address X.X.X.X 255.255.255.252
!
interface FastEthernet0/1
 ip address Y.Y.Y.Y 255.255.255.240
 ip access-group IDS_FastEthernet0/1_out_0 out
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.Z
!
!
ip http server
no ip http secure-server
!
ip access-list extended IDS_FastEthernet0/1_out_0
 permit ip host 10.6.100.250 any
 permit ip any any
I want to apply URL filtering on my router. I am thinking of applying the following
to my router; would that be correct, or am I far off?
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*admin.dll*"
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
interface Serial0/0
 service-policy input mark-inbound-http-hacks
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
interface FastEthernet0/1
 ip access-group 105 out
01-19-2007 03:47 AM
It's perfect.
It will work.
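As an added example (not posted by anyone in this thread), here is one way to resolve the "Policy map ... is already attached" error from 01-17-2007 by folding both class-maps from the thread (http-hacks and webt) into a single policy-map on Serial0/0, since IOS accepts only one service-policy per direction per interface. It keeps the thread's mark-then-filter approach for the exploit URLs and the percent-based policer for YouTube. The policy-map name inbound-http-policy is an assumption; the interface names come from the poster's config. Note that the same one-per-direction rule applies to access-groups, so the dscp 1 deny is placed inside the existing IDS_FastEthernet0/1_out_0 ACL rather than attaching a second ACL (105) outbound on FastEthernet0/1, which would replace the first one.

```cisco
! Added example, not from the original thread.
! Both classes live in one policy-map because only one
! service-policy per direction can be attached to an interface.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*admin.dll*"
!
class-map match-any webt
 match protocol http url "*youtube.com*"
!
! Assumed name: inbound-http-policy
policy-map inbound-http-policy
 class http-hacks
  ! mark the exploit-pattern traffic so the egress ACL can drop it
  set ip dscp 1
 class webt
  ! rate-limit YouTube to 10% of the interface bandwidth
  police rate percent 10
   conform-action transmit
   exceed-action drop
!
interface Serial0/0
 ! detach the old single-class policy, then attach the merged one
 no service-policy input mark-inbound-http-hacks
 service-policy input inbound-http-policy
!
! Only one access-group per direction as well, so the dscp 1 deny
! goes into the ACL already applied outbound on FastEthernet0/1.
ip access-list extended IDS_FastEthernet0/1_out_0
 no permit ip host 10.6.100.250 any
 no permit ip any any
 deny ip any any dscp 1
 permit ip host 10.6.100.250 any
 permit ip any any
```

After applying it, show policy-map interface Serial0/0 shows per-class packet counters (non-zero counts under http-hacks and webt confirm NBAR is classifying the flows), and show access-lists IDS_FastEthernet0/1_out_0 shows the match count on the dscp 1 deny entry. The ACL entries are removed and re-added so that the deny sits above the permit statements; IOS evaluates an ACL top to bottom, and a deny placed after permit ip any any would never match.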