class-map match-any not working !!!

fritz001a
Level 1

class-map match-any ONLINE_MOVIES
 match protocol http host "www.moviesonline.ca"
 match protocol http host "www.bestmovies.cc"
 match access-group 190

policy-map DROP_ONLINE_MOVIES
 class ONLINE_MOVIES
  drop

access-list 190 permit tcp host 192.168.40.5 any eq www

interface FastEthernet0/0
 description _WAN_INTERFACE_
 service-policy output DROP_ONLINE_MOVIES

However, the whole 192.168.40.0/24 class is banned!!

Am I missing something?


13 Replies

cadet alain
VIP Alumni

Hi,

So you want to deny this host from browsing these 2 sites? If so, then you can do this:

class-map match-any URLS
 match protocol http host "www.moviesonline.ca"
 match protocol http host "www.bestmovies.cc"

class-map ONLINE_MOVIES
 match class-map URLS
 match access-group 190

Regards.

Alain

Don't forget to rate helpful posts.

class-map match-any URLS
 match protocol http host "*moviesonline.ca"
 match protocol http host "*bestmovies.cc"

class-map match-all ONLINE_MOVIES
 match class-map URLS
 match access-group 190

policy-map DROP_ONLINE_MOVIES
 class ONLINE_MOVIES
  drop

interface Fa0/0
 description _WAN_INTERFACE_
 service-policy output DROP_ONLINE_MOVIES

access-list 190 permit tcp host 192.168.40.5 any eq www
access-list 190 permit tcp host 192.168.40.203 any eq www

So... the policy doesn't seem to apply at all, I mean both IPs are able to browse the banned URLs...

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

access-list 190 permit tcp host 192.168.40.5 any eq www

however all class 192.168.40.0 /24 is banned !!

Could you clarify "all"? The ACL should only block all destination port 80 traffic from 192.168.40.5.

Perhaps Alain has guessed what you intended? If not, could you clarify what you want to accomplish?

PS: To clarify part of Alain's posting:

class-map match-all ONLINE_MOVIES
 match class-map URLS
 match access-group 190

When I was referring to "all" I meant: 192.168.40.0/24 cannot access those URLs.

Yes, the idea is to block access to those URLs only for specific LAN hosts.

Regarding my previous answer:

So I have to "translate" the policy as follows:

1. class urls
   if any of the URLs ==> MATCH

2. class online_movies
   if any of the URLs AND IP1=192.168.40.5 AND IP2=192.168.40.203
   or
   if any of the URLs AND IP1=192.168.40.5 OR IP2=192.168.40.203

Hi Florin,

Can you please post the results of "sh policy-map interface fa0/0" here so that we can take a look?

Rgds, Kishore

Hi,

this one:

if any of urls AND (IP1=192.168.40.5 OR IP2=192.168.40.203)

Regards.

Alain.

Don't forget to rate helpful posts.

Core_R1#sh policy-map interface fa0/0
 FastEthernet0/0

  Service-policy output: DROP_ONLINE_MOVIES

    Class-map: ONLINE_MOVIES (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: class-map match-any URLS
        Match: protocol http host "www.moviesonline.ca"
          144 packets, 13264 bytes
          5 minute rate 0 bps
        Match: protocol http host "www.bestmovies.cc"
          0 packets, 0 bytes
          5 minute rate 0 bps
      Match: access-group 190
      drop

and the full config of fa0/0:

interface FastEthernet0/0
 description _WAN_INTERFACE_
 mac-address _MAC_
 ip address _IP_
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 service-policy output DROP_ONLINE_MOVIES

ammahend
VIP

Paste the following outputs:

show policy-map int f0/0
show run int f0/0
show ip int br | ex un
sh ver | in image

Let me know if there is any tunnel or VPN session going on the f0/0 interface, as it will hide your original IP header info.

Let me know the physical layout from host to router.

-hope this helps-

I do have an OpenVPN server running behind the router on host 192.168.40.222.

Core_R1#sh ver | in image
System image file is "flash:c2600-advipservicesk9-mz.124-25d.bin"

Core_R1#show run int f0/0
Building configuration...

Current configuration : 304 bytes
!
interface FastEthernet0/0
 description _WAN_INTERFACE_
 mac-address ____
 ip address _____
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 service-policy output DROP_ONLINE_MOVIES
end

Core_R1#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            _IP_            YES NVRAM  up                    up
FastEthernet0/1            _LAN_IP_        YES NVRAM  up                    up

NETWORK LAYOUT:

HOSTS --> Cisco 2950 --> Cisco 2651XM

Hi,

Can you try applying this policy inbound on the NAT inside interface?

Regards.

Alain

Don't forget to rate helpful posts.

interface FastEthernet0/1
 description _LAN_INTERFACE_
 service-policy input DROP_ONLINE_MOVIES
end

Damn, it's working now.
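An added example (Python, not code from any poster in this thread): a small model of IOS MQC class-map evaluation that covers two points raised above, Alain's "any of the URLs AND (IP1 OR IP2)" reading of a match-any class nested under match-all, and why the policy never matched as "service-policy output" on the NAT-outside WAN interface but did match as "service-policy input" on the NAT-inside LAN interface. The packets, the WAN address 203.0.113.1 and the simplified NAT ordering (inside-to-outside translation before output classification) are constructed assumptions for the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 as seen at the point where the policy classifies
    dport: int   # TCP destination port
    host: str    # HTTP Host header, what "match protocol http host" inspects

# access-list 190 permit tcp host <LAN host> any eq www, both hosts from the thread
ACL_190 = [("permit", "192.168.40.5", 80), ("permit", "192.168.40.203", 80)]

def match_access_group(acl, p):
    # An ACL used as a match criterion matches only via a permit entry;
    # a deny entry, or the implicit deny at the end, means "no match".
    for action, src, dport in acl:
        if src == p.src and dport == p.dport:
            return action == "permit"
    return False

def match_host(pattern, p):
    # NBAR host criterion: a leading "*" is a wildcard, otherwise exact name.
    if pattern.startswith("*"):
        return p.host.endswith(pattern[1:])
    return p.host == pattern

def evaluate(class_map, p):
    """class_map = (mode, criteria); match-any is OR, match-all is AND."""
    mode, criteria = class_map
    checks = {"host": match_host, "access-group": match_access_group,
              "class-map": evaluate}
    results = [checks[kind](arg, p) for kind, arg in criteria]
    return any(results) if mode == "match-any" else all(results)

# Original post: one match-any class mixing host and ACL criteria (OR logic).
ORIGINAL = ("match-any", [("host", "www.moviesonline.ca"),
                          ("host", "www.bestmovies.cc"),
                          ("access-group", ACL_190)])
# Accepted shape: match-any URLS nested in match-all with the ACL (AND logic).
URLS = ("match-any", [("host", "*moviesonline.ca"), ("host", "*bestmovies.cc")])
FIXED = ("match-all", [("class-map", URLS), ("access-group", ACL_190)])

WAN_IP = "203.0.113.1"  # constructed address for the router's NAT-outside side
def dropped(class_map, p, attach):
    """attach: 'wan-output' (ip nat outside) or 'lan-input' (ip nat inside).
    True if the policy-map's drop action would hit this packet."""
    if attach == "wan-output":
        # Inside-to-outside NAT runs before the output service-policy, so the
        # ACL criterion sees the translated WAN source, never the LAN host.
        p = Packet(WAN_IP, p.dport, p.host)
    return evaluate(class_map, p)
```

The first constant reproduces the original complaint (any LAN host reaching the listed sites, and all web traffic from the listed host, fall into the class), while the FIXED class only drops the listed hosts reaching the listed sites, and only when classified before translation.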

Hi,

cool

Don't forget to rate helpful posts and mark the thread as solved.

Regards.

Alain.

Don't forget to rate helpful posts.

Ivan Salazar
Level 1

Hello, I have this problem, I want to block some URLs.

This is my config, it is only an example:

class-map match-any URL
 match protocol http host "www.taringa.net"
 match access-group 190
!
!
policy-map DROP_TARINGA
 class URL
  drop

interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip accounting output-packets
 ip accounting precedence output
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside0_map
 service-policy output DROP_TARINGA

This config blocks all LAN IPs, it's WORKING, but I want to allow some IPs without blocking these URLs...

For example, I want to permit the IPs 184.1.150.100 - 110 to this URL, but block all the subnet.

This is my access-list:

ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 200.36.125.129
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 184.1.2.0 255.255.255.0 200.36.125.129
!
ip access-list extended testcrypto
 permit ip 184.1.150.0 0.0.0.255 128.1.0.0 0.0.255.255
 permit ip 184.1.150.0 0.0.0.255 130.1.0.0 0.0.255.255
 permit ip 184.1.150.0 0.0.0.255 184.1.1.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 184.1.2.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 184.1.3.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 192.168.160.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 192.168.63.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 184.1.5.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 192.168.165.0 0.0.0.255
 permit ip 184.1.150.0 0.0.0.255 192.168.142.0 0.0.0.255
!
logging esm config
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip any host 184.1.150.200
access-list 100 deny   ip any host 184.1.150.201
access-list 100 deny   ip any host 184.1.150.202
access-list 100 deny   ip any host 184.1.150.203
access-list 100 deny   ip any host 184.1.150.204
access-list 100 deny   ip any host 184.1.150.205
access-list 100 deny   ip any host 184.1.150.206
access-list 100 deny   ip any host 184.1.150.207
access-list 100 deny   ip any host 184.1.150.208
access-list 100 deny   ip any host 184.1.150.209
access-list 100 deny   ip any host 184.1.150.210
access-list 100 permit ip 10.1.10.0 0.0.0.3 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 189 deny   ip 184.1.150.0 0.0.0.255 184.1.1.0 0.0.0.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 130.1.0.0 0.0.255.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 184.1.2.0 0.0.0.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 184.1.3.0 0.0.0.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 184.1.4.0 0.0.0.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 192.168.63.0 0.0.0.255
access-list 189 deny   ip 184.1.150.0 0.0.0.255 192.168.142.0 0.0.0.255
access-list 189 permit ip any any
access-list 190 deny   tcp host 184.1.150.110 any eq www
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100 189
!

________________________________________________________

LAN interface:

interface BVI1
 ip address 184.1.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

________________________________________________________

WAN interface:

interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip accounting output-packets
 ip accounting precedence output
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside0_map
 service-policy output DROP_TARINGA

Someone, people, help me please.
