Local URL filter on Cisco 877, please help me

blumoorpheus
Level 1

Hi,

I have a problem with the local urlfilter (to block Facebook) on a Cisco 877K9.

My IOS is 124-24.T4 advipservices.

I configured ZBF with SDM, but I added the urlfilter configuration parameters via the CLI.

Urlfilter does not work. Why?

I copied the config of some people for whom it works.

I'm going crazy.

Configuration for local urlfilter:

parameter-map type urlf-glob Facebook
 pattern facebook.com
 pattern *.facebook.com
!
parameter-map type urlf-glob sitipermessi
 pattern *
class-map type urlfilter match-any SocialNetwork
 match  server-domain urlf-glob Facebook
class-map type urlfilter match-any sitipermessi
 match  server-domain urlf-glob sitipermessi
policy-map type inspect urlfilter SocialNetwork
 class type urlfilter SocialNetwork
  log
  reset
 class type urlfilter sitipermessi
  allow
  log
policy-map type inspect sdm-inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy urlfilter SocialNetwork
parameter-map type urlfpolicy local URLFilter
 alert off
 block-page message "pensa a lavorare"

All config:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$IB6R$j6N/yMvAKYcPG938ptQ890
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 151.99.125.1
ip name-server 151.99.0.100
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local urlfilter
 allow-mode on
 block-page message "Vai a lavorare"
parameter-map type urlf-glob facebook
 pattern facebook.com
 pattern *.facebook.com
parameter-map type urlf-glob sitipermessi
 pattern *
!
!
username XXXXXXXXX privilege 15 secret 5 $1$5CvV$tKNkXQ20QB7YMr5DOttMs0
username XXXXXXXXX privilege 15 secret 5 $1$39ld$8FnhLMJ/..TR2/Oo4.W2P0
!
!
!
archive
 log config
  hidekeys
!
!
!
class-map type urlfilter match-any sitipermessi
 match  server-domain urlf-glob sitipermessi
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type urlfilter match-any socialnetwork
 match  server-domain urlf-glob facebook
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect urlfilter socialnetwork
 class type urlfilter socialnetwork
  reset
 class type urlfilter sitipermessi
  allow
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy urlfilter socialnetwork
 class class-default
  drop
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $FW_OUTSIDE$
 ip address 10.10.3.41 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.3.2
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface Vlan2 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.3.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


advijay
Level 1

Hey Franco,

Under Policy-map sdm-inspect, change the order of class maps. Class map "sdm-protocol-http" should be above class map "sdm-insp-traffic" for service policy "social network" to work.

Hope that helps!

Regards,

Aditya

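The ordering problem Aditya points out, modelled as an added Python example (this is not Cisco code and not the poster's configuration): an inspect policy-map is evaluated top-down and the first matching class wins. While sdm-insp-traffic, which contains "match protocol tcp", sits above sdm-protocol-http, every HTTP flow is taken by the generic class and the nested "service-policy urlfilter socialnetwork" is never consulted. The protocol sets, hostnames and function names below are constructed assumptions; the real sdm-cls-insp-traffic class matches more protocols than listed here.

```python
"""Model of first-match class evaluation in a Cisco IOS zone-based firewall.

Added example, not Cisco code and not the poster's configuration: it
re-creates the shape of the page's policy-maps in Python so the effect of
class-map ordering can be checked offline. Protocol sets and hostnames are
constructed; the real sdm-cls-insp-traffic class matches more protocols.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class InspectClass:
    """One 'class type inspect' entry: the protocols its class-map matches,
    the action, and an optional nested 'service-policy urlfilter'."""
    name: str
    protocols: frozenset   # e.g. {"http"} or the broad {"tcp", "udp", ...}
    action: str            # "inspect", "drop", "pass"
    urlfilter: Optional[str] = None

    def matches(self, l7: str, transport: str) -> bool:
        # class-default takes whatever the classes above it did not match
        if self.name == "class-default":
            return True
        return l7 in self.protocols or transport in self.protocols


@dataclass(frozen=True)
class UrlfilterClass:
    """One 'class type urlfilter' entry backed by a urlf-glob parameter-map."""
    name: str
    patterns: tuple   # urlf-glob patterns such as "facebook.com", "*.facebook.com"
    action: str       # "reset" or "allow"

    def matches(self, host: str) -> bool:
        # "*.facebook.com" does not cover the bare apex, hence both patterns
        return any(fnmatchcase(host, p) for p in self.patterns)


# Nested urlfilter policy from the page: facebook -> reset, everything else -> allow.
URLFILTER_SOCIALNETWORK = (
    UrlfilterClass("socialnetwork", ("facebook.com", "*.facebook.com"), "reset"),
    UrlfilterClass("sitipermessi", ("*",), "allow"),
)

# Class-maps as they appear in sdm-inspect (constructed, shortened protocol set).
# The generic class includes the catch-all 'match protocol tcp' / 'udp' lines.
INSP_TRAFFIC = InspectClass(
    "sdm-insp-traffic", frozenset({"dns", "ftp", "https", "smtp", "tcp", "udp"}), "inspect")
PROTOCOL_HTTP = InspectClass(
    "sdm-protocol-http", frozenset({"http"}), "inspect", urlfilter="socialnetwork")
CLASS_DEFAULT = InspectClass("class-default", frozenset(), "drop")


def sdm_inspect(http_first: bool):
    """Build the sdm-inspect policy-map in the original or the corrected order."""
    middle = [PROTOCOL_HTTP, INSP_TRAFFIC] if http_first else [INSP_TRAFFIC, PROTOCOL_HTTP]
    return tuple(middle + [CLASS_DEFAULT])


def first_match(policy, l7: str, transport: str) -> InspectClass:
    """IOS evaluates classes top-down and stops at the first match."""
    for cls in policy:
        if cls.matches(l7, transport):
            return cls
    raise AssertionError("class-default should always match")


def verdict(policy, l7: str, transport: str, host: str) -> str:
    """Outcome for one flow: 'inspect' means the URL filter was never consulted."""
    cls = first_match(policy, l7, transport)
    if cls.urlfilter is None:
        return cls.action
    for ucls in URLFILTER_SOCIALNETWORK:
        if ucls.matches(host):
            return ucls.action
    return "allow"   # unreachable here because 'pattern *' matches every host


if __name__ == "__main__":
    for http_first, label in ((False, "original order"), (True, "http class first")):
        pol = sdm_inspect(http_first)
        for host in ("www.facebook.com", "facebook.com", "example.org"):
            print(f"{label:16} http to {host:16} -> {verdict(pol, 'http', 'tcp', host)}")
```

Running it prints the verdict for a few constructed hostnames in both orders; only with sdm-protocol-http above sdm-insp-traffic does a request for facebook.com reach the urlfilter classes and get "reset". The model also shows a limit of this design that is visible in the page's config: an HTTPS connection to the same host is matched by sdm-insp-traffic even in the corrected order, because the URL filter hangs off the HTTP class only, so this policy is not a control for Facebook over TLS.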



You mean this?

policy-map type inspect urlfilter socialnetwork
 class type urlfilter socialnetwork
  reset
 class type urlfilter sitipermessi
  allow
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy urlfilter socialnetwork
 class class-default
  drop
 class type inspect sdm-insp-traffic
  inspect
policy-map type inspect sdm-permit
 class class-default
  drop

Thanks Aditya, works fine.

Thank you very much.

Franco,

I am glad to know that.

Please mark this question as answered.

Regards,

Aditya
