Cisco Support Community

New Member

windows update ACL

Has anyone found a solution to creating a working outbound ACL to limit HTTP access to: http://windowsupdate.microsoft.com? It seems like this site changes IP so often, my ACL is no good after a few days. Our policy requires we implement outbound connection limitations, like ACLs. Any solutions around this? Thanks.

4 REPLIES

Re: windows update ACL

Hi .. if you require more granularity for Internet access then I suggest using a proxy server such as Microsoft ISA. You can then specify access based on URL .. etc.

I hope it helps .. please rate it if it does!!!

New Member

Re: windows update ACL

Actually I already have an ISA server. It's possible, but very slow. I was hoping to find an alternate solution on a router or PIX platform. Thanks though.

Silver

Re: windows update ACL

Hi,

If you have a router in between you can use NBAR and a service policy to match the URL and then set the action to drop.

int XXX
 ip nbar protocol-discovery
!
class-map match-any windowsupdate
 ! "url" only inspects the path after the hostname; "host" matches the HTTP Host header
 match protocol http host "windowsupdate.microsoft.com"
!
policy-map internet-out
 class windowsupdate
  drop
!
int XXX
 service-policy output internet-out

You can use * as a wildcard in the URL. Bear in mind NBAR has a performance impact.

I think you may be able to match URLs in service policies on PIX 7.x as well? (haven't looked into that one yet though)

Cheers,

Tim.
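To make the class-map semantics concrete, here is an added example (not from the thread or from Cisco) that models in Python which part of an HTTP request the NBAR `url` and `host` keywords inspect, with `*` treated as an anchored wildcard. The sample requests and the class-map rules are constructed; the hostname is the one from the question.

```python
# Model of NBAR HTTP classification (added example; assumes 'url' matches the path
# after the hostname, 'host' matches the Host header, '*' is an anchored wildcard).
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def parse_request(raw: bytes) -> dict:
    """Extract method, request-target and Host header from an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "host": headers.get("host", "")}

def url_part(req: dict) -> str:
    """What the 'url' keyword sees: path (+query) after the hostname, for both
    origin-form (/path) and proxy absolute-form (http://host/path) targets."""
    target = req["target"]
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        return parts.path + ("?" + parts.query if parts.query else "")
    return target

def host_part(req: dict) -> str:
    """What the 'host' keyword sees: the Host header, port stripped, lower-cased."""
    return req["host"].split(":", 1)[0].lower()

def class_matches(req: dict, rules) -> bool:
    """class-map match-any: true if any (keyword, pattern) rule matches."""
    for keyword, pattern in rules:
        value = {"url": url_part, "host": host_part}[keyword](req)
        if fnmatchcase(value, pattern):  # '*' wildcard as in the IOS command
            return True
    return False

def policy_action(req: dict, rules) -> str:
    """policy-map with one class whose action is 'drop'; everything else forwards."""
    return "drop" if class_matches(req, rules) else "forward"

# Constructed sample requests (not captured traffic).
WU_REQUEST = (b"GET /v6/default.aspx?ln=en-us HTTP/1.1\r\n"
              b"Host: windowsupdate.microsoft.com\r\nUser-Agent: test\r\n\r\n")
OTHER_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# A hostname given to 'url' never matches, because 'url' only sees the path;
# 'host' is the keyword that classifies traffic for a given site.
BY_URL = [("url", "windowsupdate.microsoft.com")]
BY_HOST = [("host", "windowsupdate.microsoft.com")]
```

Run `policy_action(parse_request(WU_REQUEST), BY_HOST)` to see the request classified as `drop`, and the same call with `BY_URL` to see it forwarded unmatched.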

New Member

Re: windows update ACL

This looks promising, I'll try it out. Our PIX is still on 6.x, not exactly ready for an upgrade yet. I'll see what I can do with NBAR. Thanks.
