IOS Content filtering problem

tgregorics — Mon, 11 Mar 2019 16:50:03 GMT

Hi,

I'm having trouble with ZFW and url filtering. If I set it up according to documentation it blocks every website, however if I remove the urlfilter from the policy, everything works.

Any ideas?

Here is my config:

parameter-map type urlfilter websense-parmap
exclusive-domain deny .aaaaa.xx
exclusive-domain deny .bbbbb.xx

exclusive-domain deny .ccccc.xx

exclusive-domain deny .ddddd.xx

exclusive-domain deny .eeeee.xx

class-map type inspect match-any SMTP_TRAFFIC
match protocol smtp
class-map type inspect match-any HTTP_TRAFFIC
match protocol http
class-map type inspect match-any class-router-to-outside
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any class-outside-to-router
match protocol isakmp
match protocol ipsec-msft
match access-group name PROT_ESP
class-map type inspect match-any class-inside-to-outside
match protocol https
match protocol ftp
match protocol imap
match protocol imaps
match protocol pop3
match protocol pop3s
match protocol pptp
match protocol dns
match protocol user-tcp-8005
match protocol user-tcp-21000
match protocol user-tcp-49600
match protocol ssh
match protocol ica
match protocol icmp
match protocol ntp
match protocol user-tcp-5910
match protocol user-tcp-4081
match protocol user-tcp-10010
match protocol user-tcp-2222
match protocol lotusnote
match protocol user-tcp-8080
match protocol user-tcp-1353
class-map type inspect match-any class-outside-to-inside
match protocol smtp
match protocol mysql
match protocol pptp
match protocol user-tcp-7711
match protocol user-tcp-5910
match protocol user-tcp-5911
match protocol user-tcp-4081
match protocol user-udp-5910
match protocol user-udp-5911
class-map type inspect match-any GRE_TRAFFIC
match access-group name PROT_GRE
class-map type inspect match-all SMTP_SERVER_TRAFFIC
match protocol smtp
match access-group 100

policy-map type inspect policy-router-to-outside
class type inspect class-router-to-outside
inspect
class class-default
pass
policy-map type inspect policy-outside-to-router
class type inspect class-outside-to-router
pass
class class-default
drop
policy-map type inspect policy-outside-to-inside
class type inspect GRE_TRAFFIC
pass
class type inspect class-outside-to-inside
inspect
class class-default
drop
policy-map type inspect policy-inside-to-outside
class type inspect SMTP_SERVER_TRAFFIC
inspect
class type inspect GRE_TRAFFIC
pass
class type inspect class-inside-to-outside
inspect
class type inspect HTTP_TRAFFIC
inspect

urlfilter websense-parmap
class class-default
drop log
!
zone security inside
zone security outside
zone-pair security zp-outside-to-inside source outside destination inside
service-policy type inspect policy-outside-to-inside
zone-pair security zp-inside-to-outside source inside destination outside
service-policy type inspect policy-inside-to-outside
zone-pair security zp-router-to-outside source self destination outside
service-policy type inspect policy-router-to-outside
zone-pair security zp-outside-to-router source outside destination self
service-policy type inspect policy-outside-to-router

ip access-list extended PROT_ESP
permit esp any any
ip access-list extended PROT_GRE
permit gre any any

access-list 100 permit ip host 10.1.28.1 any

Re: IOS Content filtering problem

tgregorics — Fri, 18 Dec 2009 13:21:31 GMT

Figured it out.

"allow-mode on" was missing from my parameter map.

topic IOS Content filtering problem in Network Security

IOS Content filtering problem

Re: IOS Content filtering problem