RE: block website using NBAR

From: Szarmach, Douglas (Douglas.Szarmach@cmegroup.com)
Date: Sat Aug 04 2007 - 08:52:52 ART


What about something like this? I have not tested, but here it goes:

class-map match-all WEB
 match protocol http
class-map match-all DENIEDWEB
 match not protocol http url "*degrouptest.com*"
 match not protocol http url "*orange.fr*"
 match not protocol http url "*clubinternet.fr*"
 match class-map WEB
 match not access-group 1
!
!
policy-map TEST
 class DENIEDWEB
  drop
!
access-list 1 permit <source ip of managers>
!
<internet facing interface>
 service-policy output TEST

The WEB policy is used to make sure that we're only filtering HTTP.

The DENIEDWEB is 'match-all' and all of the following must be true:

 match class-map WEB - means you are only affecting HTTP
 match not protocol http url "*degrouptest.com*" (do not match approved site)
 match not protocol http url "*orange.fr*" (do not match approved site)
 match not protocol http url "*clubinternet.fr*" (do not match approved site)
 match not access-group 1 (do not match source IP of 'managers')

And then the policy map picks up anything that does manage to match (all
http traffic from a non manager PC to a non approved site) and the
action is DROP, to effectively filter as per your requirement.

-
Doug

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Lamine BOUAFIA
Sent: Saturday, August 04, 2007 1:48 AM
To: cisco@paytonsplace.net; ccielab@groupstudy.com
Subject: RE: block website using NBAR

Hi Nick,

Thank you for your reply.

But if any host that is not in access-list 1 tries to access one of the
websites in class-map ACCEPTED_WEB, it will get the dscp value set to 1, and
that is what I want. Permit access-list 1 and any other traffic that accesses
one of the websites permitted in class-map ACCEPTED_WEB. Other traffic will be
dropped.

Thanks,
lamine

-----Original Message-----
From: Nick Payton [mailto:cisco@paytonsplace.net]
Sent: Saturday, 4 August 2007 06:27
To: b_lamine@yahoo.fr; ccielab@groupstudy.com
Subject: RE: block website using NBAR

Lamine,

    You are not NATing anyone who isn't in access-list 1 since they are not
getting the dscp value set to 1 and in turn matching your NAT ACL (102). So
they go out to the internet without being NATed and obviously this isn't
going to work being that it is sourced from 1918 space. Try the following
(and I am sure there is probably an easier way to do it but it is late and I
have no creative energy):

class-map match-any ACCEPTED_WEB
 match protocol http url "*degrouptest.com*"
 match protocol http url "*orange.fr*"
 match protocol http url "*clubinternet.fr*"
class-map match-all MANAGER
 match access-group 1
!
policy-map TRAFFIC
 class MANAGER
  set ip dscp 2
 class ACCEPTED_WEB
  set ip dscp 1
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input TRAFFIC
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
 ip access-group ALLOW-PER-POLICY out
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended ALLOW-PER-POLICY
 permit tcp any any eq 80 dscp 2
 permit tcp any any eq 80 dscp 1
!

Give that a try, but I am sure this would be a pain in the ass if you have a
lot of policy to manage.

Regards,
Nick
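
Added example, not code from anyone in the thread: a small Python model of how IOS evaluates the two designs, Doug's match-all DENIEDWEB drop class at the top of the thread and Nick's mark-on-ingress, filter-on-egress policy above, against a few constructed flows. The URL patterns and manager addresses are taken from the posted configs; the non-manager address 192.168.0.50, the example hostnames and the flow fields are assumptions.

```python
from fnmatch import fnmatch

# Constructed inputs, copied from the configs posted in the thread
APPROVED_URLS = ["*degrouptest.com*", "*orange.fr*", "*clubinternet.fr*"]
MANAGERS = {"192.168.0.90", "192.168.0.36", "192.168.0.9", "192.168.0.10"}  # access-list 1


def flow(src, proto, url="", l4="tcp", dport=80):
    """One packet as NBAR would see it; url stays empty until an HTTP request is seen."""
    return {"src": src, "proto": proto, "url": url, "l4": l4, "dport": dport}


def url_match(f, pattern):
    """'match protocol http url <pattern>': true only for HTTP and only once a URL is known."""
    return f["proto"] == "http" and f["url"] != "" and fnmatch(f["url"], pattern)


def class_deniedweb(f):
    """Doug's 'class-map match-all DENIEDWEB': every line must hold, 'match not' inverts one."""
    lines = [
        f["proto"] == "http",                              # match class-map WEB
        *(not url_match(f, p) for p in APPROVED_URLS),     # match not protocol http url "..."
        f["src"] not in MANAGERS,                          # match not access-group 1
    ]
    return all(lines)


def policy_test(f):
    """Doug's policy-map TEST: DENIEDWEB is dropped, class-default is transmitted."""
    return "drop" if class_deniedweb(f) else "transmit"


def policy_traffic(f):
    """Nick's policy-map TRAFFIC: the first matching class marks DSCP; class-default leaves 0."""
    if f["src"] in MANAGERS:                               # class MANAGER (match access-group 1)
        return 2
    if any(url_match(f, p) for p in APPROVED_URLS):        # class ACCEPTED_WEB (match-any)
        return 1
    return 0


def acl_allow_per_policy(f, dscp):
    """Nick's egress ACL ALLOW-PER-POLICY: TCP/80 with DSCP 1 or 2, implicit deny otherwise."""
    return f["l4"] == "tcp" and f["dport"] == 80 and dscp in (1, 2)


def nick_forwards(f):
    """Nick's design end to end: mark on the inside interface, filter on the outside one."""
    return acl_allow_per_policy(f, policy_traffic(f))
```

Two things the model makes visible: a packet seen before the HTTP request (empty url) cannot satisfy any url clause, so Doug's class drops it for a non-manager and Nick's leaves it unmarked, and Nick's egress ACL ends in an implicit deny, so non-HTTP traffic such as client DNS is blocked even for managers. Both are worth checking on the real platform before relying on either design.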

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
b_lamine@yahoo.fr
Sent: Friday, August 03, 2007 10:48 AM
To: ccielab@groupstudy.com
Subject: block website using NBAR

hello experts,

I have faced some problems using nbar to block web traffic.
################################################################
class-map match-any ACCEPTED_WEB
 match protocol http url "*degrouptest.com*"
 match protocol http url "*orange.fr*"
 match protocol http url "*clubinternet.fr*"
class-map match-all MANAGER
 match access-group 1
!
policy-map TRAFFIC
 class MANAGER
  set ip dscp 1
 class ACCEPTED_WEB
  set ip dscp 1
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input TRAFFIC
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10

access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1

Hosts permitted by access-list 1 can access the Internet; the others cannot,
even if they try to access one of the three websites permitted.

Any solution, please.

Thanks
Lamine



This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART