
Web filtering for IP ranges

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 6:17 pm

Hi Elliot,

I think I know what went wrong:

access-list 101 permit tcp host 192.168.10.2 any eq 80
access-list 102 permit ip any any

class-map type inspect match-all http-filter
 match access-group 101
 match protocol http

class-map type inspect match-all internet-access
 match access-group 102

policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect

Let me know.

Mike

Guest


Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 7:33 pm

Commands are in, but there is no filtering being done for the specified IP.

I'll post my updated sh ru with the non-essential info pulled out.

parameter-map type urlfilter http-filter
exclusive-domain permit <***>
exclusive-domain permit 218.21.97.231
exclusive-domain permit 126.com
exclusive-domain permit <***>

!
parameter-map type urlfilter allowesites
!
!
object-group network allowac
range 10.10.10.170 10.10.10.200
!
object-group network limitnet
range 10.10.10.15 10.10.10.169
!
username <***>
!
archive
log config
  hidekeys
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all internet-access
match access-group 102
class-map type inspect match-all http-filter
match access-group 101
match protocol http
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any denyweb
match protocol http
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map denyweb
match access-group name limit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect in-out
class type inspect http-filter
  inspect
  urlfilter http-filter
class type inspect internet-access
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
interface FastEthernet0
<***>
!
interface FastEthernet8
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
<***>
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp ***
ppp ***
ppp ***
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
remark CCP_ACL Category=128
permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp host 10.10.10.15 0.0.0.169 255.255.255.0 eq www
access-list 101 permit tcp host 10.10.10.150 any eq www
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Really feels like we almost got it here.

Thanks again for all your help.

elliott

Guest

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 7:51 pm

Hi,

We do have an issue: you did manage to put it in the configuration; however, it is not applied. If you take a look at the configuration you have right now, the policy applied from inside to outside is ccp-inspect and not the in-out that we created. You can do one of two things...

On the policy-map ccp-inspect, add the class maps:

class type inspect http-filter
  inspect
  urlfilter http-filter
class type inspect internet-access
  inspect

The only problem with this is that you need to make sure that they are at the top (I guess you can easily move them around using CCP).

The other one would be using the whole policy that we created on the service policy; in that case you would need to do the following:

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 no service-policy type inspect ccp-inspect
 service-policy type inspect in-out
 
Let me know how it goes.

Mike

Guest
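As an added example (not code from the thread), a small Python audit that parses a constructed excerpt modelled on the posted running-config and reports which inspect policy-map each zone-pair actually enforces and which policy-maps are defined but never applied; that is exactly how the in-out policy carrying the urlfilter ended up as dead configuration.

```python
import re

# Constructed excerpt modelled on the posted running-config (not the real dump).
RUNNING_CONFIG = """\
policy-map type inspect ccp-inspect
 class type inspect ccp-protocol-http
  inspect
policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
"""

POLICY_RE = re.compile(r"^policy-map type inspect (\S+)")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)")
SERVICE_RE = re.compile(r"^\s*service-policy type inspect (\S+)")

def parse_zbf(config):
    """Return (set of policy-map names, {zone_pair: (src_zone, dst_zone, policy)})."""
    policies, pairs = set(), {}
    pair = None  # zone-pair whose sub-commands we are currently inside
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            policies.add(m.group(1))
        elif m := PAIR_RE.match(line):
            pair = m.group(1)
            pairs[pair] = (m.group(2), m.group(3), None)
        elif pair and (m := SERVICE_RE.match(line)):
            src, dst, _ = pairs[pair]
            pairs[pair] = (src, dst, m.group(1))  # policy the zone-pair enforces
    return policies, pairs

def unapplied_policies(config):
    """Policy-maps that no zone-pair references: every class in them is inert."""
    policies, pairs = parse_zbf(config)
    applied = {pol for _, _, pol in pairs.values()}
    return sorted(policies - applied)

def policy_between(config, src, dst):
    """Policy-map actually enforced on traffic from zone src to zone dst, or None."""
    _, pairs = parse_zbf(config)
    return next((pol for s, d, pol in pairs.values() if (s, d) == (src, dst)), None)

if __name__ == "__main__":
    print("in-zone -> out-zone enforces:", policy_between(RUNNING_CONFIG, "in-zone", "out-zone"))
    print("defined but never applied:", unapplied_policies(RUNNING_CONFIG))
```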

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 9:19 pm

GENIUS!!!!!!!!!

Marking this topic as answered.

You, sir, are a lifesaver.

You cured my 1-month headache.

Guest

Re:Web filtering for IP ranges

Postby Guest » Fri Jan 04, 2008 9:21 pm

Hello Elliot,

Hehehehe, I am glad I was able to help.

Cheers!

Mike

Guest
