Aside from my own design document and template on URL Filtering :), this
site is very good http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS
I called it ZPF = Zone Based Policy Firewall.
--------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
---------------------------------
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Tyson Scott
Sent: Thursday, February 11, 2010 1:36 PM
To: 'Mark Stephanus Chandra'; 'Cisco certification'
Subject: RE: URL Filtering on Cisco
Mark,
Use URL Filtering instead of MQC if you want to block URLs. ZFW supports
local filtering so that would be a good place to start.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Mark
Stephanus Chandra
Sent: Thursday, February 11, 2010 1:22 PM
To: 'Cisco certification'
Subject: URL Filtering on Cisco
Hi Guys,
Have you ever tried filtering URLs on a Cisco router?
Well, I just tried it and it doesn't work, don't know what's wrong.
This is my config for class-map
Class-map: mark (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http mime "*.yahoo.com"
Match: protocol http url "*.yahoo.com"
Match: protocol http url "*.yahoo.com/*"
Match: protocol http url "*yahoo.com*"
Match: protocol http url "*"
Match: protocol http host "*yahoo*"
Drop
As you can see, first, the only thing I want to do is just to filter
everything about yahoo.
But it seems to have no effect in this scheme, so I just tried to block it all
by using match protocol http *
But the result is, I can still browse to web sites, no effect at all.
So the scenario is, I just have one router with two interfaces,
one going to inside and the other going outside.
These are the configs:
interface Ethernet0/0
 description Outside
 ip address
 ip nat outside
 ip virtual-reassembly
 half-duplex
 service-policy input mark
!
interface FastEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 service-policy input mark
 service-policy output mark
Any clue what's wrong?
Regards
Mark Stephanus Chandra - CCIE#23887
IT Consultant
Received on Thu Feb 11 2010 - 13:46:16 ART
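
The ZFW local URL filtering that the replies recommend could look like the sketch below for the two-interface router in the question. This is an added example, not configuration posted by anyone in the thread; every object name (BLOCKED-HOSTS, URLF-POLICY, IN-TO-OUT and so on) is hypothetical, and it assumes an IOS release that uses the 12.4(20)T-style `urlf-glob` syntax.

```cisco
! Added example: all object names are hypothetical, syntax assumes 12.4(20)T-style ZFW.
! Server-domain matching applies to cleartext HTTP requests only.
parameter-map type urlf-glob BLOCKED-HOSTS
 pattern yahoo.com
 pattern *.yahoo.com
parameter-map type urlf-glob ANY-HOST
 pattern *
parameter-map type urlfpolicy local LOCAL-PARAMS
 alert on
!
class-map type urlfilter match-any BLOCKED-CLASS
 match server-domain urlf-glob BLOCKED-HOSTS
class-map type urlfilter match-any ANY-CLASS
 match server-domain urlf-glob ANY-HOST
!
! Classes are evaluated in order: reset and log blocked hosts, allow the rest.
policy-map type inspect urlfilter URLF-POLICY
 parameter type urlfpolicy local LOCAL-PARAMS
 class type urlfilter BLOCKED-CLASS
  log
  reset
 class type urlfilter ANY-CLASS
  allow
!
class-map type inspect match-any HTTP-CLASS
 match protocol http
class-map type inspect match-any OTHER-CLASS
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect IN-TO-OUT
 class type inspect HTTP-CLASS
  inspect
  service-policy urlfilter URLF-POLICY
 class type inspect OTHER-CLASS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
interface FastEthernet0/0
 zone-member security INSIDE
interface Ethernet0/0
 zone-member security OUTSIDE
```

Match and drop counters for the zone pair appear under `show policy-map type inspect zone-pair`. Because no zone pair is defined from OUTSIDE to INSIDE, only return traffic for inspected sessions is admitted from the outside interface.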