06-24-2011 06:21 AM - edited 03-11-2019 01:50 PM
Hi,
I have a problem with the local urlfilter (to block Facebook) on a Cisco 877K9.
My IOS is 124-24.T4 advipservices.
I configured ZBF with SDM, but I added the urlfilter configuration parameters via the CLI.
The urlfilter does not work. Why?
I copied the config from other people for whom it works.
I'm going crazy.
Configuration for the local urlfilter:
parameter-map type urlf-glob Facebook
 pattern facebook.com
 pattern *.facebook.com
!
parameter-map type urlf-glob sitipermessi
 pattern *
class-map type urlfilter match-any SocialNetwork
 match server-domain urlf-glob Facebook
class-map type urlfilter match-any sitipermessi
 match server-domain urlf-glob sitipermessi
policy-map type inspect urlfilter SocialNetwork
 class type urlfilter SocialNetwork
  log
  reset
 class type urlfilter sitipermessi
  allow
  log
policy-map type inspect sdm-inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy urlfilter SocialNetwork
parameter-map type urlfpolicy local URLFilter
 alert off
 block-page message "pensa a lavorare"
All config:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$IB6R$j6N/yMvAKYcPG938ptQ890
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 151.99.125.1
ip name-server 151.99.0.100
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local urlfilter
allow-mode on
block-page message "Vai a lavorare"
parameter-map type urlf-glob facebook
pattern facebook.com
pattern *.facebook.com
parameter-map type urlf-glob sitipermessi
pattern *
!
!
username XXXXXXXXX privilege 15 secret 5 $1$5CvV$tKNkXQ20QB7YMr5DOttMs0
username XXXXXXXXX privilege 15 secret 5 $1$39ld$8FnhLMJ/..TR2/Oo4.W2P0
!
!
!
archive
log config
hidekeys
!
!
!
class-map type urlfilter match-any sitipermessi
match server-domain urlf-glob sitipermessi
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type urlfilter match-any socialnetwork
match server-domain urlf-glob facebook
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect urlfilter socialnetwork
class type urlfilter socialnetwork
reset
class type urlfilter sitipermessi
allow
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
service-policy urlfilter socialnetwork
class class-default
drop
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan2
description $FW_OUTSIDE$
ip address 10.10.3.41 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.3.2
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface Vlan2 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.3.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
06-24-2011 06:48 AM
Hey Franco,
Under Policy-map sdm-inspect, change the order of class maps. Class map "sdm-protocol-http" should be above class map "sdm-insp-traffic" for service policy "social network" to work.
Hope that helps!
Regards,
Aditya
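Aditya's point is that an inspect policy-map is evaluated top-down and only the first class that matches a flow acts on it. The following Python model is added here as an illustration; it is not code from the thread or from Cisco IOS. It walks both orderings of sdm-inspect with two constructed HTTP flows. The class-map, parameter-map and glob names are the ones in the posted config; the protocol `tags` sets, the two flows and the "inspect+urlfilter" action label are assumptions made for the model.

```python
import fnmatch

# Added example (not from the thread or from Cisco IOS): a first-match model
# of the posted ZBF policy-maps, showing why class-map order decides whether
# the urlfilter service-policy ever sees HTTP traffic. Names come from the
# posted config; the 'tags' sets and the flows below are constructed.

# parameter-map type urlf-glob ... / pattern ...
URLF_GLOBS = {
    "facebook": ["facebook.com", "*.facebook.com"],
    "sitipermessi": ["*"],
}

# policy-map type inspect urlfilter socialnetwork, classes in configured
# order: (class-map name, urlf-glob it matches, action)
URLFILTER_POLICY = [
    ("socialnetwork", "facebook", "reset"),
    ("sitipermessi", "sitipermessi", "allow"),
]

# Each inspect class-map reduced to the set of protocol tags it matches.
# sdm-insp-traffic wraps sdm-cls-insp-traffic (match-any), which contains
# 'match protocol tcp', so plain HTTP on TCP/80 satisfies it as well.
# None stands for class-default, which matches everything.
CLASS_MAPS = {
    "sdm-invalid-src": {"invalid-src"},
    "sdm-insp-traffic": {"dns", "ftp", "https", "icmp", "smtp", "tcp", "udp"},
    "sdm-protocol-http": {"http"},
    "class-default": None,
}

# policy-map type inspect sdm-inspect as posted (urlfilter hangs off the
# third class) versus the order Aditya recommends (HTTP class first).
ORIGINAL_ORDER = [
    ("sdm-invalid-src", "drop"),
    ("sdm-insp-traffic", "inspect"),
    ("sdm-protocol-http", "inspect+urlfilter"),
    ("class-default", "drop"),
]
CORRECTED_ORDER = [
    ("sdm-invalid-src", "drop"),
    ("sdm-protocol-http", "inspect+urlfilter"),
    ("sdm-insp-traffic", "inspect"),
    ("class-default", "drop"),
]

# Constructed flows: 'tags' is the set of protocols the inspect engine would
# recognise, 'host' the HTTP server domain the urlfilter compares.
FACEBOOK_FLOW = {"tags": {"tcp", "http"}, "host": "www.facebook.com"}
OTHER_HTTP_FLOW = {"tags": {"tcp", "http"}, "host": "www.example.com"}


def urlfilter_verdict(host):
    """Top-down walk of the urlfilter policy-map; the first glob hit wins."""
    for cls, glob_name, action in URLFILTER_POLICY:
        if any(fnmatch.fnmatchcase(host, g) for g in URLF_GLOBS[glob_name]):
            return cls, action
    # Nothing matched: 'allow-mode on' in the posted parameter-map lets it through.
    return "class-default", "allow"


def classify(policy, flow):
    """First-match classification of one flow against an inspect policy-map.

    Returns (winning class name, effective action). Only the winning class
    acts: a later class never sees a flow an earlier class already claimed.
    """
    for cls, action in policy:
        tags = CLASS_MAPS[cls]
        if tags is None or tags & flow["tags"]:
            if action == "inspect+urlfilter" and flow.get("host"):
                ucls, uact = urlfilter_verdict(flow["host"])
                return cls, f"inspect, urlfilter {ucls} -> {uact}"
            return cls, action
    raise RuntimeError("class-default should always match")


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_ORDER), ("corrected", CORRECTED_ORDER)):
        for flow in (FACEBOOK_FLOW, OTHER_HTTP_FLOW):
            print(label, flow["host"], "->", classify(policy, flow))
```

With the posted order the Facebook flow is claimed by sdm-insp-traffic (via `match protocol tcp`) and is simply inspected, so the urlfilter never runs; with the HTTP class moved up, the same flow lands in sdm-protocol-http and the urlfilter resets it while other domains fall through to the `*` allow class. The model deliberately simplifies IOS, which classifies by protocol inspection rather than tag sets and always keeps class-default last.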
06-24-2011 07:03 AM
You mean like this?
policy-map type inspect urlfilter socialnetwork
 class type urlfilter socialnetwork
  reset
 class type urlfilter sitipermessi
  allow
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy urlfilter socialnetwork
 class class-default
  drop
 class type inspect sdm-insp-traffic
  inspect
policy-map type inspect sdm-permit
 class class-default
  drop
06-24-2011 07:26 AM
Thanks Aditya, it works fine.
Thank you very much.
06-24-2011 08:31 AM
Franco,
I am glad to know that.
Please mark this question as answered.
Regards,
Aditya