From: Bit Gossip (bit.gossip@chello.nl)
Date: Sun Aug 12 2007 - 04:12:20 ART
An alternative approach using mime and nat:
R1 ---f0/0R4s0/1----R5
hostname R4
!
class-map match-all IMAGE
match protocol http mime "*jpeg"
!
policy-map BLOCK-IMAGE
class IMAGE
drop
!
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip virtual-reassembly
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
service-policy output BLOCK-IMAGE
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
ip nat outside
ip virtual-reassembly
!
ip http server
no ip http secure-server
ip http path flash:
ip nat inside source list INSIDE_NETWORK interface Loopback0 overload
!
ip access-list standard INSIDE_NETWORK
permit 10.0.0.0 0.0.0.255
!
~~~~~~~~~~~~~~~~~~~~~~~NO SERVICE POLICY APPLIED on R4
R1#copy http://150.1.5.5/lab09.jpg null:
Loading http://150.1.5.5/lab09.jpg !
2608 bytes copied in 0.268 secs (9731 bytes/sec)
R1#copy http://150.1.5.5/lab09 null: <<<<<<<<< plain text file
Loading http://150.1.5.5/lab09 !
2608 bytes copied in 0.264 secs (9879 bytes/sec)
~~~~~~~~~~~~~~~~~~~~~~~SERVICE POLICY APPLIED on R4
R1#copy http://150.1.5.5/lab09.jpg null:
%Error opening http://150.1.5.5/lab09.jpg (I/O error)
R1#copy http://150.1.5.5/lab09 null:
Loading http://150.1.5.5/lab09 !
2608 bytes copied in 0.268 secs (9731 bytes/sec)
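As an added illustration (not code from this thread or from Cisco), a small Python model of how the URL-based PICTURES class from Victor's config below and the MIME-based IMAGE class above classify the same fetches. The pattern syntax ('*' wildcard, '|' alternation) and the Content-Type values of the test files are assumptions; the fetches themselves mirror the tests shown in the thread.

```python
# Added example: model of NBAR-style "match protocol http url|host|mime".
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class HttpExchange:
    host: str          # Host header of the client's request
    url: str           # path part of the requested URL
    content_type: str  # Content-Type the server puts in its response


def match_http(kind, pattern, ex):
    """One 'match protocol http <kind> "<pattern>"' statement.

    url and host are known from the request; mime is only known once the
    server's response is seen, which is why the MIME-based policy in the
    thread sits on the output side of the interface facing the client."""
    value = {"url": ex.url, "host": ex.host, "mime": ex.content_type}[kind]
    return any(fnmatchcase(value, alt) for alt in pattern.split("|"))


def classify(class_maps, ex):
    """class_maps: ordered list of (name, mode, [(kind, pattern), ...]).

    Returns the first class whose criteria hold ('match-all' needs every
    line, 'match-any' needs one), otherwise 'class-default'."""
    for name, mode, criteria in class_maps:
        hits = [match_http(kind, pat, ex) for kind, pat in criteria]
        if (all(hits) if mode == "match-all" else any(hits)):
            return name
    return "class-default"


# The two classifiers from the thread (ACL criterion left out).
URL_POLICY = [("PICTURES", "match-all", [("url", "*.jpeg|*.jpg|*.gif")])]
MIME_POLICY = [("IMAGE", "match-all", [("mime", "*jpeg")])]

# Constructed exchanges: Content-Type values are assumed, not captured.
JPEG_BY_NAME_AND_TYPE = HttpExchange("150.1.5.5", "/lab09.jpg", "image/jpeg")
JPEG_RENAMED = HttpExchange("150.1.5.5", "/lab09", "text/plain")
TEXT_NAMED_GIF = HttpExchange("10.10.7.7", "/ima.gif", "text/plain")
JPEG_NO_EXTENSION = HttpExchange("150.1.5.5", "/photo", "image/jpeg")

if __name__ == "__main__":
    for ex in (JPEG_BY_NAME_AND_TYPE, JPEG_RENAMED,
               TEXT_NAMED_GIF, JPEG_NO_EXTENSION):
        print(f"{ex.url:12} url-policy: {classify(URL_POLICY, ex):14}"
              f" mime-policy: {classify(MIME_POLICY, ex)}")
```

Neither class looks at the file bytes: the URL class keys on the requested name and the MIME class on whatever Content-Type the server chooses to send, so each passes traffic the other drops.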
----- Original Message -----
From: "Victor Cappuccio" <vcappuccio@ccbootcamp.com>
To: <b_lamine@yahoo.fr>; <ccielab@groupstudy.com>
Sent: Saturday, August 11, 2007 8:36 AM
Subject: RE: blocking website using NBAR still doesn't work
> Hehehe, sorry for the spam, I did not see the NAT part
>
> -----Original Message-----
> From: Victor Cappuccio
> Sent: Fri 10-Aug-07 11:28 PM
> To: b_lamine@yahoo.fr; ccielab@groupstudy.com
> Subject: RE: blocking website using NBAR still doesn't work
>
>
> Hi Lamine
>
>
> R1 --- R4f0/0 --- SW1(web server)
>
> Sw1#deb ip http all
> Sw1#
> rack5>1
> [Resuming connection 1 to R1 ... ]
> copy http://10.10.7.7/run.html null0
> Destination filename [null0]?
> rack5>7
> [Resuming connection 7 to sw1 ... ]
>
> Sw1#
> rack5>1
> [Resuming connection 1 to R1 ... ]
>
> Loading http://10.10.7.7/run.html !
> %Error copying http://10.10.7.7/run.html (Not enough space on device)
> R1#
> R1#
> rack5>7
> [Resuming connection 7 to sw1 ... ]
>
> 1d22h: Tue, 02 Mar 1993 22:31:36 GMT 10.10.123.1 /run.html ok
> Protocol = HTTP/1.1 Method = GET
> 1d22h: Date = Wed, 06 Jun 2007 23:35:10 GMT
>
> Sw1#
> Sw1#
> rack5>4
> [Resuming connection 4 to R4 ... ]
>
> R4#show policy-map inter
> FastEthernet0/0
>
> Service-policy input: PMPOLICY
>
> Class-map: PICTURES (match-all)
> 0 packets, 0 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*.jpeg|*.jpg|*.gif"
> Match: access-group 101
> Match: protocol http host "10.10.7.7"
> drop
>
> Class-map: WEBSERVER (match-all)
> 8 packets, 3362 bytes
> 30 second offered rate 1000 bps, drop rate 0 bps
> Match: protocol http host "10.10.7.7"
> police:
> cir 640000 bps, bc 20000 bytes
> conformed 8 packets, 3362 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 1000 bps, exceed 0 bps
>
> Class-map: class-default (match-any)
> 717 packets, 64081 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: any
> R4#
>
> rack5>7
> [Resuming connection 7 to sw1 ... ]
>
> Sw1#
>
> !now we have some fake information in the flash of this stuff
>
> Sw1#copy running-config flash:ima.gif
> Destination filename [ima.gif]?
>
> 2689 bytes copied in 1.225 secs (2195 bytes/sec)
> Sw1#copy running-config flash:ima.jpeg
> Destination filename [ima.jpeg]?
>
> 2689 bytes copied in 0.646 secs (4163 bytes/sec)
> Sw1#copy running-config flash:ima.jpg
> Destination filename [ima.jpg]?
>
> 2689 bytes copied in 0.638 secs (4215 bytes/sec)
> Sw1#show flash
>
> Directory of flash:/
>
> 2 -rwx 7963038 Mar 1 1993 02:57:02 +00:00 c3560-advipservicesk9-mz.122-25.SEE2.bin
> 3 -rwx 1442 Mar 1 1993 01:06:10 +00:00 run.jpg
> 4 -rwx 864 Mar 1 1993 00:09:21 +00:00 test
> 5 -rwx 1096 Mar 1 1993 22:16:15 +00:00 vlan.dat
> 6 -rwx 24 Mar 2 1993 05:45:09 +00:00 private-config.text
> 7 -rwx 2679 Mar 2 1993 22:02:58 +00:00 run.html
> 8 -rwx 2135 Mar 2 1993 05:45:09 +00:00 config.text
> 9 -rwx 2689 Mar 2 1993 22:32:43 +00:00 ima.gif
> 10 -rwx 2689 Mar 2 1993 22:32:49 +00:00 ima.jpeg
> 11 -rwx 2689 Mar 2 1993 22:32:53 +00:00 ima.jpg
>
> !Yeah
>
> 32514048 bytes total (24529920 bytes free)
> Sw1#
> rack5>1
> [Resuming connection 1 to R1 ... ]
>
> R1#copy http://10.10.7.7/ima.gif null0
> Destination filename [null0]?
> Loading http://10.10.7.7/ima.gif !
> %Error copying http://10.10.7.7/ima.gif (Not enough space on device)
> R1#
> rack5>4
> [Resuming connection 4 to R4 ... ]
>
> R4#show policy-map inter
> FastEthernet0/0
>
> Service-policy input: PMPOLICY
>
> Class-map: PICTURES (match-all)
> 0 packets, 0 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*.jpeg|*.jpg|*.gif"
> Match: access-group 101
> Match: protocol http host "10.10.7.7"
> drop
>
> Class-map: WEBSERVER (match-all)
> 12 packets, 4904 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "10.10.7.7"
> police:
> cir 640000 bps, bc 20000 bytes
> conformed 12 packets, 4904 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps
>
> R4#show run | in access-list 101
> access-list 101 permit tcp host 10.7.7.7 eq www host 150.1.1.1
> access-list 101 permit tcp host 10.10.67.7 eq www host 150.1.1.1
> access-list 101 permit tcp host 10.7.7.7 eq www any
> access-list 101 permit tcp host 10.10.67.7 eq www any
> R4# !Stupid Router!
> R4#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> R4(config)#no access-list 101
> R4(config)#
> R4(config)#access-list 101 permit tcp host 10.10.7.7 eq www host 150.1.1.1
> R4(config)#access-list 101 permit tcp host 10.10.67.7 eq www host 150.1.1.1
> R4(config)#access-list 101 permit tcp host 10.10.7.7 eq www any
> R4(config)#access-list 101 permit tcp host 10.10.67.7 eq www any
> R4(config)#^Z
> R4#
> rack5>1
> [Resuming connection 1 to R1 ... ]
>
> R1#copy http://10.10.7.7/ima.gif null0
> Destination filename [null0]?
>
> rack5>4
> [Resuming connection 4 to R4 ... ]
>
> R4#show policu
> R4#show policy
> R4#show policy-map inter f0/0
> FastEthernet0/0
>
> Service-policy input: PMPOLICY
>
> Class-map: PICTURES (match-all)
> 4 packets, 1243 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*.jpeg|*.jpg|*.gif"
> Match: access-group 101
> Match: protocol http host "10.10.7.7"
> drop
>
> Class-map: WEBSERVER (match-all)
> 12 packets, 4904 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "10.10.7.7"
> police:
> cir 640000 bps, bc 20000 bytes
> conformed 12 packets, 4904 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps
>
> Class-map: class-default (match-any)
> 803 packets, 70341 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: any
> R4#
> rack5>1
> [Resuming connection 1 to R1 ... ]
> Loading http://10.10.7.7/ima.gif
> rack5>!! We still have nothing
> [Resuming connection 1 to R1 ... ]
> !
> %Error reading http://10.10.7.7/ima.gif (Broken pipe)
> R1#
> R1#
> R1#
> R1#
> R1#
> R1#
> R1#
> R1#
> rack5>4
> [Resuming connection 4 to R4 ... ]
>
> R4#
> R4#show policy-map inter f0/0 ?
> input Input policy
> output Output policy
> | Output modifiers
> <cr>
>
> R4#show policy-map inter f0/0
> FastEthernet0/0
>
> Service-policy input: PMPOLICY
>
> Class-map: PICTURES (match-all)
> 8 packets, 3384 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*.jpeg|*.jpg|*.gif"
> Match: access-group 101
> Match: protocol http host "10.10.7.7"
> drop
>
> Class-map: WEBSERVER (match-all)
> 12 packets, 4904 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "10.10.7.7"
> police:
> cir 640000 bps, bc 20000 bytes
> conformed 12 packets, 4904 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps
>
> Class-map: class-default (match-any)
> 825 packets, 71957 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: any
>
>
> R4#show policy-map inter f0/0
> FastEthernet0/0
>
> Service-policy input: PMPOLICY
>
> Class-map: PICTURES (match-all)
> 8 packets, 3384 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*.jpeg|*.jpg|*.gif"
> Match: access-group 101
> Match: protocol http host "10.10.7.7"
> drop
>
> Class-map: WEBSERVER (match-all)
> 12 packets, 4904 bytes !!!!SOME HERE
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "10.10.7.7"
> police:
> cir 640000 bps, bc 20000 bytes
> conformed 12 packets, 4904 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps
>
> Class-map: class-default (match-any)
> 825 packets, 71957 bytes
> 30 second offered rate 0 bps, drop rate 0 bps
> Match: any
> R4#show run policy-map
> Building configuration...
>
> Current configuration : 88 bytes
> !
> policy-map PMPOLICY
> class PICTURES
> drop
> class WEBSERVER
> police 640000
> !
> end
>
> R4#show run class-map
> Building configuration...
>
> Current configuration : 215 bytes
> !
> class-map match-all PICTURES
> match protocol http url "*.jpeg|*.jpg|*.gif"
> match access-group 101
> match protocol http host "10.10.7.7"
> class-map match-all WEBSERVER
> match protocol http host "10.10.7.7"
> !
> end
>
> R4#show run int f0/0
> Building configuration...
>
> Current configuration : 236 bytes
> !
> interface FastEthernet0/0
> ip address 10.10.34.4 255.255.255.0
> ip access-group 102 in
> ip pim sparse-dense-mode
> no ip route-cache cef
> no ip route-cache
> load-interval 30
> duplex auto
> speed auto
> service-policy input PMPOLICY
> end
>
>
>
> thanks,
> Victor Cappuccio.-
> - CCSI# 31452
>
> CCBOOTCAMP - A Cisco Sponsored Organization (SO)
> email: vcappuccio@ccbootcamp.com
> Toll Free: 877-654-2243
> Direct: +1-702-968-5100 = Outside the USA
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
> Register to win a free iPhone! http://www.ccbootcamp.com/iphone.html
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of b_lamine@yahoo.fr
> Sent: Sat 11-Aug-07 5:48 AM
> To: ccielab@groupstudy.com
> Subject: blocking website using NBAR still doesn't work
>
> Hi all,
>
> I'm trying to block websites by using NBAR, and I have tested a solution by
> Brian McGahan and other CCIEs, but it doesn't work. And the drop command
> cannot be configured in class-default
>
> policy-map TRAFFIC
> R1(config-pmap)# class MANAGER
> R1(config-pmap-c)# class ACCEPTED_WEB
> R1(config-pmap-c)# class class-default
> R1(config-pmap-c)# drop
> Drop cannot be configured in class-default
>
> I have tried with host rather than url, but it is still not working:
>
> class-map match-any ACCEPTED_WEB
> match protocol http host "www.degrouptest.com"
> match protocol http host "www.orange.fr"
> match protocol http host "www.clubinternet.fr"
> class-map match-any PHONE_CONTROL
> match protocol h323
> match access-group name PHONE_APP
> class-map match-all MANAGER
> match access-group 1
> !
> !
> policy-map MARK_DSCP
> class MANAGER
> set ip dscp 1
> class PHONE_CONTROL
> set ip dscp 1
> class ACCEPTED_WEB
> set ip dscp 1
> !
> interface FastEthernet0/0
> ip address 192.168.0.1 255.255.255.0
> ip nbar protocol-discovery
> ip nat inside
> service-policy input MARK_DSCP
> !
> interface FastEthernet0/1
> ip address 196.46.253.102 255.255.255.252
> ip nat outside
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
> !
> !
> ip nat inside source list 102 interface FastEthernet0/1 overload
> ip nat inside source static tcp 192.168.0.5 7080 81.52.163.155 7080 extendable
> ip nat inside source static tcp 192.168.0.5 22 196.46.253.102 22 extendable
> ip nat inside source static tcp 192.168.0.5 80 196.46.253.102 80 extendable
> ip nat inside source static udp 192.168.0.3 5808 196.46.253.102 5808 extendable
> ip nat inside source static udp 192.168.0.3 5809 196.46.253.102 5809 extendable
> ip nat inside source static tcp 192.168.0.10 5900 196.46.253.102 5900 extendable
> ip nat inside source static tcp 192.168.0.5 7080 196.46.253.102 7080 extendable
> !
> ip access-list extended PHONE_APP
> remark VNC Client/Server
> permit tcp any any eq 5900
> permit tcp any eq 5900 any
> remark Agent Phonecontrol
> permit tcp any any eq 14300
> permit tcp any eq 14300 any
> remark Administrateur Phonecontrol
> permit tcp any any eq 14500
> permit tcp any eq 14500 any
> remark ----au cas ou----
> permit udp any any eq 5808
> permit udp any eq 5808 any
> permit udp any any eq 5809
> permit udp any eq 5809 any
> remark Agent CosmoCall
> permit tcp any any eq 14005
> permit tcp any eq 14005 any
> !
> access-list 1 permit 192.168.0.90
> access-list 1 permit 192.168.0.36
> access-list 1 permit 192.168.0.9
> access-list 1 permit 192.168.0.10
> access-list 1 permit 192.168.0.14
> access-list 1 permit 192.168.0.25
> access-list 1 permit 192.168.0.18
>
> access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1
>
> ########################################################
>
> R1#show policy-map interface FastEthernet0/0
> FastEthernet0/0
> Service-policy input: MARK_DSCP
>
> Class-map: MANAGER (match-all)
> 75267 packets, 11355431 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: access-group 1
> QoS Set
> dscp 1
> Packets marked 75267
>
> Class-map: PHONE_CONTROL (match-any)
> 890407 packets, 156960904 bytes
> 5 minute offered rate 1000 bps, drop rate 0 bps
> Match: protocol h323
> 0 packets, 0 bytes
> 5 minute rate 0 bps
> Match: access-group name PHONE_APP
> 890407 packets, 156960904 bytes
> 5 minute rate 1000 bps
> QoS Set
> dscp 1
> Packets marked 890407
>
> Class-map: ACCEPTED_WEB (match-any)
> 3093 packets, 1052720 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http host "www.degrouptest.com"
> 2552 packets, 921460 bytes
> 5 minute rate 0 bps
> Match: protocol http host "www.orange.fr"
> 367 packets, 67946 bytes
> 5 minute rate 0 bps
> Match: protocol http host "www.clubinternet.fr"
> 174 packets, 63314 bytes
> 5 minute rate 0 bps
> QoS Set
> dscp 1
> Packets marked 3093
>
>
> Any solution please?
>
>
> Regards,
> Lamine
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:10 ART