Hi,
As Tyson indicated, there are many ways to do this, but the most common configuration
we do is with zone based firewall
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html
Also, please find a base configuration for Local IOS Content Filtering with
Zone Based Firewall.
UC560#
UC560#
UC560#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
UC560(config)#
UC560(config)#parameter-map type urlfpolicy trend para-map
UC560(config-profile)# allow-mode on
UC560(config-profile)# block-page message "Blocked"
UC560(config-profile)#parameter-map type urlf-glob blockedsites
UC560(config-profile)# pattern *.google.com
UC560(config-profile)# pattern *.yahoo.com
UC560(config-profile)# pattern *.ebay.com
UC560(config-profile)# pattern *.facebook.com
UC560(config-profile)#
UC560(config-profile)#parameter-map type urlf-glob trustedsites
UC560(config-profile)# pattern *
UC560(config-profile)#
UC560(config-profile)#exit
UC560(config)#class-map type urlfilter match-any allowedsites
UC560(config-cmap)# match server-domain urlf-glob trustedsites
UC560(config-cmap)#class-map type urlfilter match-any blocked-sites
UC560(config-cmap)# match server-domain urlf-glob blockedsites
UC560(config-cmap)#class-map type inspect match-any rest-traffic
UC560(config-cmap)# match protocol tcp
UC560(config-cmap)# match protocol udp
UC560(config-cmap)# match protocol icmp
UC560(config-cmap)#class-map type inspect match-all filtered-hosts
UC560(config-cmap)# match protocol http
UC560(config-cmap)# match access-group name inside_net
UC560(config-cmap)#policy-map type inspect urlfilter urlfilter-pm
UC560(config-pmap)# parameter type urlfpolicy trend para-map
UC560(config-pmap)# class type urlfilter blocked-sites
UC560(config-pmap-c)# log
UC560(config-pmap-c)# reset
UC560(config-pmap-c)# class type urlfilter allowedsites
UC560(config-pmap-c)# log
UC560(config-pmap-c)# allow
UC560(config-pmap-c)#policy-map type inspect inout
UC560(config-pmap)# class type inspect filtered-hosts
UC560(config-pmap-c)# inspect
UC560(config-pmap-c)# service-policy urlfilter urlfilter-pm
UC560(config-pmap-c)# class type inspect rest-traffic
UC560(config-pmap-c)# inspect
UC560(config-pmap-c)# class class-default
UC560(config-pmap-c)# drop
UC560(config-pmap-c)#zone security inside
UC560(config-sec-zone)#zone security outside
UC560(config-sec-zone)#$ecurity in-out source inside destination outside
UC560(config-sec-zone-pair)# service-policy type inspect inout
Translating "trps.trendmicro.com"
UC560(config-sec-zone-pair)#
UC560(config-sec-zone-pair)#exit
UC560(config)#^Z
UC560#
009180: Sep 8 15:27:14.030: %SYS-5-CONFIG_I: Configured from console by
victor on console
UC560#
009181: Sep 8 15:27:16.766: %URLF-6-SITE_ALLOWED:
(target:class)-(in-out:filtered-hosts):Client 192.168.16.111:51030 accessed
server 209.85.135.147:80
UC560#
009182: Sep 8 15:27:16.978: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
www.google.com', client 192.168.16.111:51031 server 209.85.135.106:80
UC560#
009183: Sep 8 15:27:45.534: %URLF-6-SITE_ALLOWED:
(target:class)-(in-out:filtered-hosts):Client 192.168.16.111:51035 accessed
server 69.63.189.16:80
UC560#
009184: Sep 8 15:27:45.886: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
www.facebook.com', client 192.168.16.111:51036 server 66.220.153.11:80
009185: Sep 8 15:27:46.078: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
www.facebook.com', client 192.168.16.111:51037 server 66.220.153.11:80
UC560#
UC560#
009186: Sep 8 15:28:18.066: %URLF-6-SITE_ALLOWED:
(target:class)-(in-out:filtered-hosts):Client 192.168.16.111:51040 accessed
server 69.63.181.12:80
UC560#
009187: Sep 8 15:28:18.582: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
es-es.facebook.com', client 192.168.16.111:51041 server 66.220.147.44:80
009188: Sep 8 15:28:18.878: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
es-es.facebook.com', client 192.168.16.111:51042 server 66.220.147.44:80
Thanks
Victor Cappuccio
CCIE R/S# 20657
CCSI# 31452
www.anetworkerblog.com
www.linkedin.com/in/vcappuccio
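
An added example, not part of Victor's message: a Python parser for the %URLF-6-SITE_ALLOWED and %URLF-4-SITE_BLOCKED messages in the console output above. It rejoins records that were wrapped across lines in the mail and tallies blocked sites per client. The function and field names are assumptions of this example; the sample lines are copied from the log above.

```python
import re
from collections import Counter
# Log lines copied from the console output above, still wrapped as in the mail.
SAMPLE = """\
009181: Sep 8 15:27:16.766: %URLF-6-SITE_ALLOWED:
(target:class)-(in-out:filtered-hosts):Client 192.168.16.111:51030 accessed
server 209.85.135.147:80
UC560#
009182: Sep 8 15:27:16.978: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
www.google.com', client 192.168.16.111:51031 server 209.85.135.106:80
009184: Sep 8 15:27:45.886: %URLF-4-SITE_BLOCKED:
(target:class)-(in-out:filtered-hosts):Access denied for the site '
www.facebook.com', client 192.168.16.111:51036 server 66.220.153.11:80
"""

RECORD_START = re.compile(r"^\d+: ")   # IOS sequence number opens a record
PROMPT = re.compile(r"^\S+[#>]\s*$")   # bare CLI prompt between records
HEAD = re.compile(r"%URLF-(?P<sev>\d)-(?P<event>SITE_ALLOWED|SITE_BLOCKED):\s*"
                  r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\):")
ALLOWED = re.compile(r"Client (?P<client>[\d.]+):\d+ accessed\s+server (?P<server>[\d.]+):\d+")
BLOCKED = re.compile(r"Access denied for the site '\s*(?P<site>[^']+)',\s*"
                     r"client (?P<client>[\d.]+):\d+ server (?P<server>[\d.]+):\d+")

def reassemble(text):
    """Join wrapped continuation lines back into one string per syslog record."""
    records = []
    for line in text.splitlines():
        if not line.strip() or PROMPT.match(line):
            continue
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def parse_urlf(text):
    """Return one dict per URLF event; allowed events carry no site name."""
    events = []
    for rec in reassemble(text):
        head = HEAD.search(rec)
        if not head:
            continue  # not a URLF message, e.g. %SYS-5-CONFIG_I
        body = (BLOCKED if head["event"] == "SITE_BLOCKED" else ALLOWED).search(rec, head.end())
        if body:
            events.append({**head.groupdict(), **body.groupdict()})
    return events

def blocked_by_client(events):
    return Counter((e["client"], e["site"]) for e in events if e["event"] == "SITE_BLOCKED")
```

In these logs the SITE_ALLOWED message records only the server IP, so hostname-level reporting is possible for blocked requests only.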
On Wed, Sep 8, 2010 at 2:17 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
> Need some help .. I'm trying to connect my router with cisco website to
> download the trendmicro certificate but some reason it says below thing in my
> router log ..but it accepted the authentication password ..on the site .
> Can you please help me on this case .
>
> *Sep 8 11:01:08.655: %FW_TRM-3-TRPS_ERROR: TRPS indicated Authentication Failure Error. All Subscriptions will be disabled
>
>
> Test-DMVPN-r1#sh ip trm subscription status
> Package Name: Security & Productivity
> ------------------------------------------------
> Status: Expired or Not Subscribed
> Status Update Time: N/A
> Expiration-Date: N/A
> Last Req Status: AUTHENTICATION FAILURE in response
> Last Req Sent Time: 15:01:21 GMT Wed Sep 8 2010
>
> Thanks,
>
> Sameer
>
> > From: tscott_at_ipexpert.com
> > To: i_sameer_at_hotmail.com
> > CC: ccielab_at_groupstudy.com
> > Subject: RE: block websites
> > Date: Wed, 1 Sep 2010 19:08:25 -0400
> >
> > If you want to do it on an IOS device then you should be using URL filtering
> > using zone based URL filtering and it would be advisable to also get a
> > trendnet service for the filtering.
> >
> > The following is a guide for implementation of what I would recommend
> >
> > http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html
> >
> >
> >
> > Regards,
> >
> >
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> >
> > Managing Partner / Sr. Instructor - IPexpert, Inc.
> >
> > Mailto: tscott_at_ipexpert.com
> >
> >
> >
> >
> >
> > From: sameer inam [mailto:i_sameer_at_hotmail.com]
> > Sent: Wednesday, September 01, 2010 5:24 PM
> > To: tscott_at_ipexpert.com
> > Subject: RE: block websites
> >
> >
> >
> > the Goal is block the websites , download , search some thing like any dirty
> > words like sex, porn etc .. this all kind of things need to block
> >
> > please advise, your advice is really much appreciated .
> >
> > Kind regards,
> >
> > Sameer
> >
> >
> >
> >
> >
> > > From: tscott_at_ipexpert.com
> > > To: i_sameer_at_hotmail.com; ccielab_at_groupstudy.com
> > > Subject: RE: block websites
> > > Date: Wed, 1 Sep 2010 10:42:43 -0400
> > >
> > > You could do a million things with as vague a question as you have. You
> > > could use an ACL. You can use FPM. You can use a control plane policy. You
> > > can use URL Filtering. You can use NBAR. What is your goal?
> > >
> > > Regards,
> > >
> > > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > > Managing Partner / Sr. Instructor - IPexpert, Inc.
> > > Mailto: tscott_at_ipexpert.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > > sameer inam
> > > Sent: Wednesday, September 01, 2010 3:05 AM
> > > To: ccielab_at_groupstudy.com
> > > Subject: block websites
> > >
> > > Experts,
> > >
> > >
> > >
> > > Could you please help me , I want to block a few websites at my Cisco router
> > > level, could you guys please advise ?
> > >
> > >
> > >
> > > Kind regards,
> > >
> > >
> > >
> > > Sameer
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
-- [GroupStudy removed an attachment of type image/png which had a name of untitled.PNG]
Received on Wed Sep 08 2010 - 18:37:35 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART