Web filtering for IP ranges

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.

Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 10:33 am

Alright, well I have a Cisco 891w router and have just about everything up and ready to deploy. I'm primarily using Cisco CP 2.4 to provision the router, with minor tweaks being done in the CLI. I want to set up a filter to allow access to roughly 20 websites for the majority of my network, which is all on the same VLAN. The IP ranges are x.x.x.10 - x.x.x.169, which I have set into a Network Object group called limitac. The second group ranges at x.x.x.170 - x.x.x.199 and is called allowac. I have set up DHCP bindings for all the devices that will connect to the network, but I want to set up a web filter for only the first group. I cannot seem to find anything in the Cisco CP manual or the IOS manual for setting up filtering for a range of IPs only.

Is there a way that I can set this up?

Primarily there are a few computers that need full access to the web while the others should only have access to the sites I set up in the filter.

Need some help here to figure this out

thanks in advance

 

elliott

Guest
 


Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 11:12 am

Hi,

 

Well, do you have any kind of firewall configured at this point? If so, please paste the configuration. This can only be accomplished with a zone-based firewall (as far as I know), where you define a class which will match an ACL with the desired hosts. Then a class map, and then the action would be inspect http, and separately you will need to create a parameter map including the websites you want to permit/deny.

 

Cheers

 

Mike

Guest
 

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 12:01 pm

Wow, thanks for the timely response; usually I have to wait a bit to get responses on the boards.

 

Anyways, I do have a zone based firewall configured, I will post my running config here.

 

I have inserted a <> to remove non-important info in order to help isolate the problem.

 


Building configuration...

Current configuration : 14685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Xior
!
boot-start-marker
boot-end-marker
!
<>
!
no aaa new-model
<>
!
crypto pki trustpoint TP-self-signed-1848013357
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1848013357
revocation-check none
rsakeypair TP-self-signed-1848013357
!
!
crypto pki certificate chain TP-self-signed-1848013357
certificate self-signed 01
<>
   quit
no ip source-route
!
!
!
ip dhcp pool ccp-pool1
<>
   client-identifier 0184.2b2b.4946.cb
!
!
ip cef
no ip bootp server
<>
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

!
!
object-group network allow
range 10.10.10.170 10.10.10.200
!
object-group network limitnet
range 10.10.10.10 10.10.10.169
!
username elliott privilege 15 secret 5 $1$yqTr$PzTwtiSFYqaGaKziUxOsA0
!
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any denyweb
match protocol http
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map denyweb
match access-group name limit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
<>
!
interface GigabitEthernet0
<>
!
interface wlan-ap0
<>
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
<>
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Async1
<>
!
interface Dialer0
<>
zone-member security out-zone
<>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
remark CCP_ACL Category=128
permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit x.x.x.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark denyweb
access-list 101 remark CCP_ACL Category=1
dialer-list 1 protocol ip permit
no cdp run

!
!
control-plane
!
<>
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
The firewall is pretty simple and some help getting it configured would be greatly appreciated.

 

thanks again

 

elliott

Guest
 

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 12:10 pm

I cannot seem to find a parameter map setting in the Cisco CP software. So how do I go about doing this through the IOS?

Guest
 

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 12:10 pm

Hi Elliot,

 

Here is an example:

parameter-map type urlfilter http-filter
 allow-mode on
 exclusive-domain deny google.com
!
access-list 101 permit tcp host 192.168.10.2 any eq 80
access-list 102 permit ip any any
!
! match-all: the class hits only when the traffic is HTTP *and* from the listed host.
! The urlfilter action needs HTTP inspection, so the class must match protocol http.
class-map type inspect match-all http-filter
 match protocol http
 match access-group 101
!
class-map type inspect match-any internet-access
 match access-group 102
!
policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect
!
zone security in-zone
zone security out-zone
!
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect in-out

 

With this configuration, the host 192.168.80.2 should not be able to access google.com, however, the rest of the people should be able to access it.

 

Sorry that I did not answer this faster, it has been a very rough week.

 

Cheers

 

Mike Rojas.

Guest
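Editor's note, added to this thread and not posted by either participant: Mike's example blocks one site for one host, while Elliott's stated goal is the opposite shape (an allow list of about 20 sites for the .10 - .169 range, unrestricted web for .170 - .200). The posted config already has the building blocks for the host selection (ACL "limit" permitting object-group "limitnet", and class "ccp-cls-ccp-permit-1", which is defined but referenced by no policy-map). The fragment below is my own worked configuration that wires those pieces to an allow list using the zone-based "local URL filtering" syntax (parameter-map type urlf-glob, class-map type urlfilter, policy-map type inspect urlfilter), which I believe appeared in 12.4(20)T and is present in 15.x; the posted config shows "version 12.4", so check "show version" before relying on it. All class, policy and parameter-map names, the placeholder domains, and the catch-all "pattern *" are my assumptions, not anything from the thread.

```cisco
! Added example (editor's, not from the thread). Assumes an IOS release with
! zone-based local URL filtering (urlf-glob / class-map type urlfilter /
! policy-map type inspect urlfilter). Names and domains are placeholders.
!
! 1. The sites the limited range may reach (glob patterns, one per line;
!    replace with the ~20 real sites).
parameter-map type urlf-glob allowed-sites
 pattern www.example.com
 pattern *.example.org
!
! 2. Catch-all for every other server domain (assumed: "*" matches any host).
parameter-map type urlf-glob any-site
 pattern *
!
class-map type urlfilter match-any allowed-url-class
 match server-domain urlf-glob allowed-sites
class-map type urlfilter match-any other-url-class
 match server-domain urlf-glob any-site
!
! 3. URL policy. Classes are evaluated top-down, so the allow list must come
!    before the catch-all or nothing is ever allowed.
policy-map type inspect urlfilter limited-web-policy
 class type urlfilter allowed-url-class
  allow
  log
 class type urlfilter other-url-class
  reset
  log
!
! 4. Limited range AND plain HTTP. ACL "limit" (permit ip object-group limitnet
!    any) already exists in the posted config, covering 10.10.10.10 - .169.
class-map type inspect match-all limited-http
 match protocol http
 match access-group name limit
!
! 5. HTTPS from the limited range. The firewall cannot see the hostname inside
!    TLS, so it cannot be checked against the allow list. Dropping it is the
!    safe choice; change "drop log" to "inspect" if those hosts must reach
!    HTTPS sites, accepting that those connections are then unfiltered.
class-map type inspect match-all limited-https
 match protocol https
 match access-group name limit
!
! 6. Hook into the existing in->out policy. insert-before places the new
!    classes ahead of the generic ccp-protocol-http / ccp-insp-traffic classes;
!    without that, the generic classes match first and the limited hosts get
!    unrestricted web access. Hosts in 10.10.10.170 - .200 never match ACL
!    "limit", fall through to the generic classes, and keep full access.
policy-map type inspect ccp-inspect
 class type inspect limited-https insert-before ccp-protocol-http
  drop log
 class type inspect limited-http insert-before ccp-protocol-http
  inspect
  service-policy urlfilter limited-web-policy
```

To verify, browse from a host in the limited range to an allowed site and to one that is not on the list, then run "show policy-map type inspect zone-pair ccp-zp-in-out" and watch the per-class counters and the log entries from the "log" actions; then repeat from a host in the .170 - .200 range and confirm it hits ccp-protocol-http rather than limited-http. Keep in mind that this filters only on the server name presented in the HTTP request, so a host that reaches an allowed site by a different name or that uses a proxy on another port is not covered by this class.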
 
