Web filtering for IP ranges

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 7:17 pm

Hi Elliot, I think I know what went wrong:

access-list 101 permit tcp host 192.168.10.2 any eq 80
access-list 102 permit ip any any

class-map type inspect match-all http-filter
 match access-group 101
 match protocol http
class-map type inspect internet-access
 match access-group 102

policy-map type inspect in-out
 class http-filter
  inspect
  urlfilter http-filter
 class internet-access
  inspect

Let me know. Mike

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 8:33 pm

Commands are in, but there is no filtering being done for the specified IP. I'll post my updated sh run with non-essential info pulled out:

parameter-map type urlfilter http-filter
 exclusive-domain permit <***>
 exclusive-domain permit 218.21.97.231
 exclusive-domain permit 126.com
 exclusive-domain permit <***>
!
parameter-map type urlfilter allowesites
!
!
object-group network allowac
 range 10.10.10.170 10.10.10.200
!
object-group network limitnet
 range 10.10.10.15 10.10.10.169
!
username <***>
!
archive
 log config
  hidekeys
!
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all internet-access
 match access-group 102
class-map type inspect match-all http-filter
 match access-group 101
 match protocol http
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any denyweb
 match protocol http
 match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map denyweb
 match access-group name limit
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
interface FastEthernet0
<***>
!
interface FastEthernet8
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
<***>
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp ***
 ppp ***
 ppp ***
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 30
 sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
 remark CCP_ACL Category=128
 permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp host 10.10.10.15 0.0.0.169 255.255.255.0 eq www
access-list 101 permit tcp host 10.10.10.150 any eq www
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Really feels like we almost got it here. Thanks again for all your help, Elliott

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 8:51 pm

Hi, we do have an issue: you did manage to put it in the configuration, however, it is not applied. If you take a look at the configuration that you have right now, the policy that is applied from inside to outside is ccp-inspect and not the in-out that we created. You can do one of two things...

On the policy map ccp-inspect, add the class maps:

 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect

The only problem with this is that you need to make sure that they are on the top (I guess you can easily move them around using CCP).

The other one would be using the whole policy that we created on the service policy; in that case you would need to do the following:

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 no service-policy type inspect ccp-inspect
 service-policy type inspect in-out

Let me know how it goes. Mike
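The root cause Mike spotted above (the urlfilter policy exists but is not the one bound to the in-zone to out-zone zone-pair) is easy to miss by eye in a long sh run. Below is an added example, not code from this thread or from Cisco, that parses a zone-based firewall config and reports which inspect policy-map is actually bound to a given zone-pair, whether any policy-map carries a urlfilter class, and the class order of the bound policy (first matching class wins, which is why Mike says the http-filter class must sit on top if it is added to ccp-inspect). SAMPLE_CONFIG is constructed in the style of the posted config and is not the poster's exact configuration; the function names are my own.

```python
"""Audit a Cisco IOS zone-based firewall config: which inspect policy-map is
bound to a zone-pair, and does that policy carry the urlfilter class?
Added example, not code from the thread; SAMPLE_CONFIG is constructed."""
import re

# Constructed sample in the style of the posted 'sh run' (not the poster's config).
SAMPLE_CONFIG = """\
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
 class type inspect internet-access
  inspect
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
"""

ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")

def parse_blocks(config):
    """Split IOS config into (header, child_lines) per top-level stanza;
    IOS marks children with leading spaces and uses '!' as a separator."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.rstrip())
    return blocks

def policy_classes(blocks, policy_name):
    """Dict class name -> action lines for one inspect policy-map, in config
    order (which is evaluation order), or None if it is not defined."""
    for header, children in blocks:
        if header != "policy-map type inspect " + policy_name:
            continue
        classes, current = {}, None
        for line in children:
            indent = len(line) - len(line.lstrip(" "))
            text = line.strip()
            if indent == 1 and text.startswith("class "):
                current = text.split()[-1]  # 'class type inspect NAME' or 'class class-default'
                classes[current] = []
            elif indent >= 2 and current is not None:
                classes[current].append(text)
        return classes
    return None

def bound_policy(blocks, source, destination):
    """Inspect policy-map bound to the source->destination zone-pair, or None."""
    for header, children in blocks:
        m = ZONE_PAIR_RE.match(header)
        if m and m.group(2) == source and m.group(3) == destination:
            for line in children:
                parts = line.split()
                if parts[:3] == ["service-policy", "type", "inspect"]:
                    return parts[3]
    return None

def urlfilter_policies(blocks):
    """Names of policy-maps in which some class carries a 'urlfilter' action."""
    names = []
    for header, _ in blocks:
        if header.startswith("policy-map type inspect "):
            pname = header.split()[-1]
            actions = policy_classes(blocks, pname).values()
            if any(a.startswith("urlfilter ") for acts in actions for a in acts):
                names.append(pname)
    return names

def audit(config, source, destination):
    """Report whether URL filtering sits in the source->destination path."""
    blocks = parse_blocks(config)
    bound = bound_policy(blocks, source, destination)
    with_urlfilter = urlfilter_policies(blocks)
    classes = policy_classes(blocks, bound) if bound else None
    return {
        "bound_policy": bound,
        "urlfilter_policies": with_urlfilter,
        "filtering_active": bound in with_urlfilter,
        "bound_classes": list(classes) if classes else [],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "in-zone", "out-zone"))  # filtering_active: False
    # Mike's second option: rebind the zone-pair to the in-out policy.
    fixed = SAMPLE_CONFIG.replace("service-policy type inspect ccp-inspect",
                                  "service-policy type inspect in-out")
    print(audit(fixed, "in-zone", "out-zone"))  # filtering_active: True
```

Feed it the output of show running-config and the in-zone/out-zone names; a result with a non-empty urlfilter_policies list but filtering_active False is exactly the situation in this thread. The bound_classes order lets you confirm that the urlfilter class is not shadowed by a broader class listed above it.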

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 10:19 pm

GENIUS!!!!!!!!! Marking this topic as answered. You sir are a life saver. You cured my 1 month headache 

Guest

Re:Web filtering for IP ranges

Post by Guest » Fri Jan 04, 2008 10:21 pm

Hello Elliot, Hehehehe, I am glad I was able to help. Cheers! Mike
