Web filtering for IP ranges

Guest

Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 11:33 am

Alright, well I have a Cisco 891w router and have just about everything up and ready to deploy. I'm primarily using Cisco CP 2.4 to provision the router, with minor tweaks being done in the CLI. I want to set up a filter to allow access to roughly 20 websites for the majority of my network, which is all on the same VLAN. The IP ranges are x.x.x.10 - x.x.x.169, which I have set into a Network Object group called limitac. The second group ranges at x.x.x.170 - x.x.x.199 and is called allowac. I have set up DHCP bindings for all the devices that will connect to the network, but I want to set up a web filter for only the first group. I cannot seem to find anything in the Cisco CP manual or the IOS manual for setting up filtering for a range of IPs only. Is there a way that I can set this up? Primarily there are a few computers that need full access to the web, while the others should only have access to the sites I set up in the filter.

Need some help here to figure this out. Thanks in advance,
elliott

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 12:12 pm

Hi, well, do you have any kind of firewall configured at this point? If so, please paste the configuration. This can only be accomplished with a zone-based firewall (as far as I know), where you define a class which will match an ACL with the desired hosts. Then a class map, and then the action would be inspect http, and separately you will need to create a parameter map including the websites you want to permit/deny.

Cheers,
Mike

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 1:01 pm

Wow, thanks for the timely response; usually I have to wait a bit to get responses on the boards. Anyways, I do have a zone-based firewall configured, I will post my running config here. I have inserted a <> to remove non-important info in order to help isolate the problem.

Building configuration...

Current configuration : 14685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Xior
!
boot-start-marker
boot-end-marker
!
<>
!
no aaa new-model
<>
!
crypto pki trustpoint TP-self-signed-1848013357
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1848013357
 revocation-check none
 rsakeypair TP-self-signed-1848013357
!
!
crypto pki certificate chain TP-self-signed-1848013357
 certificate self-signed 01
<>
   quit
no ip source-route
!
!
!
ip dhcp pool ccp-pool1
<>
   client-identifier 0184.2b2b.4946.cb
!
!
ip cef
no ip bootp server
<>
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
!
!
object-group network allow
 range 10.10.10.170 10.10.10.200
!
object-group network limitnet
 range 10.10.10.10 10.10.10.169
!
username elliott privilege 15 secret 5 $1$yqTr$PzTwtiSFYqaGaKziUxOsA0
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any denyweb
 match protocol http
 match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map denyweb
 match access-group name limit
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
<>
!
interface GigabitEthernet0
<>
!
interface wlan-ap0
<>
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
<>
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Async1
<>
!
interface Dialer0
<>
 zone-member security out-zone
<>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 30
 sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
 remark CCP_ACL Category=128
 permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit x.x.x.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark denyweb
access-list 101 remark CCP_ACL Category=1
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
<>
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

The firewall is pretty simple, and some help getting it configured would be greatly appreciated.

Thanks again,
elliott

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 1:10 pm

I cannot seem to find a parameter map setting in the Cisco CP software. So how do I go about doing this through the IOS?

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 1:10 pm

Hi Elliot,

Here is an example:

parameter-map type urlfilter http-filter
 allow-mode on
 exclusive-domain deny google.com
!
access-list 101 permit tcp host 192.168.10.2 any eq 80
access-list 102 permit ip any any
!
class-map type inspect http-filter
 match access-group 101
class-map type inspect internet-access
 match access-group 102
!
policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect
!
zone security in-zone
zone security out-zone
! zone-pair name "in-out" supplied here; the post as written left it out
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect in-out

With this configuration, the host 192.168.80.2 should not be able to access google.com; however, the rest of the people should be able to access it. Sorry that I did not answer this faster, it has been a very rough week.

Cheers,
Mike Rojas
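Putting Mike's two replies (the zone-based-firewall outline and the urlfilter example) together for the layout Elliott actually has, here is an added example configuration. It is mine, not from the thread or from Cisco's documentation. It reuses the `limit` ACL (permit ip object-group limitnet any), the `ccp-inspect` policy-map and the `ccp-zp-in-out` zone pair from Elliott's running config; everything else is an assumption to verify on your IOS release: the parameter-map name `limited-web`, the two class-map names, the placeholder site names, and, most importantly, the assumption that with no URL-filter server configured and `allow-mode off`, an HTTP request whose host does not match an `exclusive-domain permit` entry is dropped rather than allowed.

```cisco
! Added example, not from the thread. Assumed names: limited-web, limited-http,
! limited-https. Site names are placeholders; replace with the ~20 allowed sites.
! A leading dot is assumed to match the domain and its subdomains.
parameter-map type urlfilter limited-web
 allow-mode off
 exclusive-domain permit .allowed-site-1.example
 exclusive-domain permit .allowed-site-2.example
 exclusive-domain permit .allowed-site-3.example
!
! Only the limitnet range (ACL "limit" already in the running config) is
! matched here; match-all means BOTH the source range AND the protocol must hit,
! so the "allow" range falls through to the existing unfiltered classes.
class-map type inspect match-all limited-http
 match protocol http
 match access-group name limit
!
! URL filtering only sees plain HTTP. HTTPS from the limited range cannot be
! filtered by hostname here, so the safe default is to drop and log it.
class-map type inspect match-all limited-https
 match protocol https
 match access-group name limit
!
policy-map type inspect ccp-inspect
 class type inspect limited-http
  inspect
  urlfilter limited-web
 class type inspect limited-https
  drop log
!
! The policy is already bound to the inside-to-outside zone pair:
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
```

Two things to check before trusting this. First, class order: IOS evaluates the classes in a policy-map top to bottom, and a class added from the CLI lands after the ones already there, so in `ccp-inspect` the existing `ccp-protocol-http` class (which inspects all HTTP) would claim the limited hosts' traffic first. Either remove `ccp-protocol-http` and `ccp-insp-traffic` from the policy and re-add them after the two `limited-*` classes, or build a fresh policy-map with the filtered classes at the top and bind that to `ccp-zp-in-out`. Second, confirm the filter is actually attached and counting with `show policy-map type inspect zone-pair ccp-zp-in-out` from a host in the limitnet range, once against a permitted site and once against one that is not in the list.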
