From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Sat Aug 04 2007 - 09:44:44 ART
Hi Lamine,
Your problem is that you should not be matching urls, you should
be matching hosts. A url would be "/univercd/index.html" where a host
would be "www.cisco.com". Try changing your url keyword in the
class-map to host and see if you get hits on it.
Also your non-NATed traffic will not be denied, it will simply
not be NATed as it goes out to the Internet. What you may consider
is dropping all traffic except the MANAGER and ACCEPTED_WEB class
instead of exempting it from NAT. You can accomplish this as follows:
policy-map TRAFFIC
 class MANAGER
 class ACCEPTED_WEB
 class class-default
  drop
This way you don't even need to remark the traffic as DSCP 1.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
b_lamine@yahoo.fr
Sent: Friday, August 03, 2007 12:48 PM
To: ccielab@groupstudy.com
Subject: block website using NBAR
hello experts,
I have faced some problems using nbar to block web traffic.
################################################################
class-map match-any ACCEPTED_WEB
 match protocol http url "*degrouptest.com*"
 match protocol http url "*orange.fr*"
 match protocol http url "*clubinternet.fr*"
class-map match-all MANAGER
 match access-group 1
!
policy-map TRAFFIC
 class MANAGER
  set ip dscp 1
 class ACCEPTED_WEB
  set ip dscp 1
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input TRAFFIC
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1
Hosts permitted by access-list 1 can access the Internet; the others cannot,
even if they try to access one of the three websites permitted.
Any solution please?
Thanks
Lamine
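Lamine's configuration reworked along Brian's two suggestions (match on host rather than url, and drop class-default instead of remarking and NAT-exempting), as an added example that is neither poster's own config. It keeps the addresses and domain names from the original post and adds one thing the thread does not mention: a DNS class, because a blanket ingress drop would also discard the name lookups the permitted sites depend on.

```cisco
! Added example, not from the thread: Lamine's config with Brian's changes applied.
! Host matching inspects the HTTP Host header, not the URL path.
class-map match-any ACCEPTED_WEB
 match protocol http host "*degrouptest.com*"
 match protocol http host "*orange.fr*"
 match protocol http host "*clubinternet.fr*"
!
class-map match-all MANAGER
 match access-group 1
!
! Added beyond the thread: without this, non-manager hosts lose DNS and the
! permitted sites never resolve.
class-map match-all DNS
 match protocol dns
!
! Permitted classes pass unchanged; everything else is dropped at ingress,
! so no DSCP remark and no DSCP-based NAT ACL are needed any more.
policy-map TRAFFIC
 class MANAGER
 class ACCEPTED_WEB
 class DNS
 class class-default
  drop
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input TRAFFIC
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
! NAT ACL no longer keys on DSCP: anything not allowed was already dropped.
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
```

Check the counters with `show policy-map interface FastEthernet0/0` from a non-manager host browsing one of the listed sites: ACCEPTED_WEB should show hits and class-default should show the drops. Note that the host match only sees clear-text HTTP, so HTTPS to the same sites falls into class-default and is dropped.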
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART