topic Re: Web filtering for IP ranges in Network Security

Web filtering for IP ranges

elliott callaway — Mon, 11 Mar 2019 19:57:09 GMT

Alright, well I have a Cisco 891w router and have just about everything up and ready to deploy. I'm primarily using Cisco CP 2.4 to provision the router with minor tweaks being done in the CLI. I want to set up a filter to allow access to roughly 20 websites for the majority of my network which is all on the same VLAN. The ip ranges are x.x.x.10 - x.x.x.169 which I have set into a Network Object group called limitac. The second group ranges at x.x.x.170 - x.x.x.199 and is called allowac. I have set up DHCP bindings for all the devices that will connect to the network but I want to set up a web filter for only the first group. I cannot seem to find anything in the Cisco CP manual or the IOS manual for setting up filtering for a range of IPs only.

Is there a way that I can set this up?

Primarily there are a few computers that need full access to the web while the others should only have access to the sites I set up in the filter.

Need some help here to figure this out

thanks in advance

elliott

Re: Web filtering for IP ranges

Maykol Rojas — Sat, 26 Feb 2011 05:01:25 GMT

Hi,

Well do you have any kind of firewall configured at this point? If so, please paste the configuration. This can only be accomplished with Zone based firewall (As far as I know) where you define a class which will match an ACL with the desired hosts. Then a class map and then the action would be inspect http and separetly you will need to create a parameter map including the websites you want to permit/deny.

Cheers

Mike

Re: Web filtering for IP ranges

elliott callaway — Sat, 26 Feb 2011 05:41:07 GMT

Wow thanks for the timely response usually I have to wait a bit to get responses on the boards.

Anyways, I do have a zone based firewall configured, I will post my running config here.

I have inserted a <> to remove non important info in order to help isolate the problem

Building configuration...

Current configuration : 14685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Xior
!
boot-start-marker
boot-end-marker
!
<>
!
no aaa new-model
<>
!
crypto pki trustpoint TP-self-signed-1848013357
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1848013357
revocation-check none
rsakeypair TP-self-signed-1848013357
!
!
crypto pki certificate chain TP-self-signed-1848013357
certificate self-signed 01
<>
quit
no ip source-route
!
!
!
ip dhcp pool ccp-pool1
<>
client-identifier 0184.2b2b.4946.cb
!
!
ip cef
no ip bootp server
<>
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

!
!
object-group network allow
range 10.10.10.170 10.10.10.200
!
object-group network limitnet
range 10.10.10.10 10.10.10.169
!
username elliott privilege 15 secret 5 $1$yqTr$PzTwtiSFYqaGaKziUxOsA0
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any denyweb
match protocol http
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map denyweb
match access-group name limit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
<>
!
interface GigabitEthernet0
<>
!
interface wlan-ap0
<>
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
<>
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Async1
<>
!
interface Dialer0
<>
zone-member security out-zone
<>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
remark CCP_ACL Category=128
permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit x.x.x.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark denyweb
access-list 101 remark CCP_ACL Category=1
dialer-list 1 protocol ip permit
no cdp run

!
!
control-plane
!
<>
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

The firewall is pretty simple and some help getting it configured would be greatly appreciated.

thanks again

elliott

Re: Web filtering for IP ranges

elliott callaway — Mon, 28 Feb 2011 03:06:53 GMT

I cannot seem to find a parameter map setting in the Cisco CP software. So how do I go about doing this through the IOS?

Re: Web filtering for IP ranges

Maykol Rojas — Sat, 05 Mar 2011 02:46:26 GMT

Hi Elliot,

Here is an example,

parameter-map type urlfilter http-filter

allow-mode on

exclusive-domain deny google.com

access-list 101 permit tcp host 192.168.10.2 any eq 80

access-list 102 permit ip any any

class-map type inspect http-filter

match access-group 101

class-map type inspect internet-access

match access-group 102

policy-map type inspect in-out

class http-filter

inspect

urlfilter

class internet-access

inspect

zone security in-zone

zone security out-zone

zone-pair security source in-zone destination out-zone

service-policy type inspect in-out

With this configuration, the host 192.168.80.2 should not be able to access google.com, however, the rest of the people should be able to access it.

Sorry that I did not answer this faster, it has been a very rough week.

Cheers

Mike Rojas.

Re: Web filtering for IP ranges

elliott callaway — Sat, 05 Mar 2011 03:41:53 GMT

beautiful thank you so much, im going to throw this into my configuration into a couple of hours, I just needed to see the format.

thank you so much. im going to mark this thread as answered later tonight after my testing is complete.

its ok that you didnt answer sooner, i had many other things i had to take care of so its not a big deal.

thanks again

elliott

Re: Web filtering for IP ranges

Maykol Rojas — Sat, 05 Mar 2011 06:03:16 GMT

Hi Elliot

If anything happens just let me know, will be more than glad to help you out.

Mike Rojas.

Re: Web filtering for IP ranges

elliott callaway — Mon, 07 Mar 2011 09:31:36 GMT

Ive gotten the configuration you gave me into the router except for one portion of it.

policy-map type inspect in-out
class http-filter
inspect
urlfilter

I was able to load

   policy-map type inspect in-out
      class http-filter
      inspect

but when i try to add the command urlfilter the console gives me

% Incomplete command.

I'm guessing this is where the actual filtering is done because the firewall is not filtering at this point.

I also wanted to check that like other cisco services there is an implicit deny for things unspecified.

So if i configure the firewall as such :

     parameter-map type urlfilter http-filter
          allow-mode on
       exclusive-domain allow google.com

       exclusive-domain allow yahoo.com
       exclusive-domain allow hotmail.com
       exclusive-domain allow gmail.com

then all the other sites should be blocked right?

or do I have to use a wildcard and actually block along the lines of

exclusive-domain deny *

after my allowances?

thanks again in advance

elliott

Re: Web filtering for IP ranges

Maykol Rojas — Tue, 08 Mar 2011 04:33:32 GMT

Hi Elliot,

Yes, sorry forgot one command there

policy-map type inspect in-out
class http-filter
inspect
urlfilter http-filter

If you want to allow those sites:

       exclusive-domain allow yahoo.com
       exclusive-domain allow hotmail.com
       exclusive-domain allow gmail.com

On the parameter-map, instead of allow-mode on, put allow-mode off, that would block the rest of the sites that you are not specifying in the exclusive domain.

Let me know.

Mike

Re: Web filtering for IP ranges

elliott callaway — Tue, 08 Mar 2011 05:12:48 GMT

Ok I changed allow mode to off

but when I get into Router 9config-pmap-c) #

i tried

urlf http-filter

%Protocol "http" not found in class-map

So should I change the name of the class-map filter?

I guess I'll try that and see how it goes

thanks again for your time.

elliott

edit*

this did not work either, I guess I am missing something somewhere else to get the %Protocol "http" not found in class-map

Re: Web filtering for IP ranges

Maykol Rojas — Tue, 08 Mar 2011 05:21:53 GMT

Hi Elliot,

I think I know what went wrong,

access-list 101 permit tcp host 192.168.10.2 any eq 80

access-list 102 permit ip any any

class-map type inspect match-all http-filter

match access-group 101

match protocol http

class-map type inspect internet-access

match access-group 102

policy-map type inspect in-out

class http-filter

inspect

urlfilter http-filter

class internet-access

inspect

Let me know.

Mike

Re: Web filtering for IP ranges

elliott callaway — Tue, 08 Mar 2011 05:52:30 GMT

Commands are in, but there is no filtering being done the specified IP

I'll post my updated sh ru with non-essential info being pulled out

parameter-map type urlfilter http-filter
exclusive-domain permit <***>
exclusive-domain permit 218.21.97.231
exclusive-domain permit 126.com
exclusive-domain permit <***>

!
parameter-map type urlfilter allowesites
!
!
object-group network allowac
range 10.10.10.170 10.10.10.200
!
object-group network limitnet
range 10.10.10.15 10.10.10.169
!
username <***>
!
archive
log config
hidekeys
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all internet-access
match access-group 102
class-map type inspect match-all http-filter
match access-group 101
match protocol http
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any denyweb
match protocol http
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map denyweb
match access-group name limit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect in-out
class type inspect http-filter
inspect
urlfilter http-filter
class type inspect internet-access
inspect
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
interface FastEthernet0
<***>
!
interface FastEthernet8
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
<***>
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp ***
ppp ***
ppp ***
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
remark CCP_ACL Category=128
permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp host 10.10.10.15 0.0.0.169 255.255.255.0 eq www
access-list 101 permit tcp host 10.10.10.150 any eq www
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run

!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Really feels like we almost got it here

thanks again for all your help

elliott

Re: Web filtering for IP ranges

Maykol Rojas — Tue, 08 Mar 2011 06:05:30 GMT

Hi,

We do have an issue, you did managed to put it on the configuration, however, it is not applied, if you take a look at the configuration that you have right now, the Policy that is applied from inside to outside is the ccp-inspect and not the in-out that we created. You can do one of two things...

On the policy map ccp-inspect add the class maps

class type inspect http-filter
inspect
urlfilter http-filter
class type inspect internet-access
inspect

The only problem with this is that you need to make sure that they are on the top (I guess you can easily move them around using CCP)

The other one would be using the whole policy that we created on the service policy, in that case you would need to do the following

zone-pair security ccp-zp-in-out source in-zone destination out-zone
no service-policy type inspect ccp-inspect

service-policy type inspect in-out

Let me know how it goes

Mike

Re: Web filtering for IP ranges

elliott callaway — Tue, 08 Mar 2011 06:30:23 GMT

GENIUS!!!!!!!!!

Marking this topic as answered.

You sir are a life saver.

You cured my 1 month headache

Re: Web filtering for IP ranges

Maykol Rojas — Tue, 08 Mar 2011 17:20:13 GMT

Hello Elliot,

Hehehehe, I am glad I was able to help.

Cheers!

Mike