06-14-2010 06:55 AM - edited 03-11-2019 10:59 AM
Hello there,
We use some Cisco 2811 routers and I have to block some URL sites.
Is it possible to do this with the Cisco 2811 router, and how can I do it?
Thank you for your help!
Michael
Labels: NGFW Firewalls
Accepted Solutions

06-16-2010 01:10 AM
I'm glad this worked.
I'm afraid I don't find a way to change the "blocked" page displayed with CBAC, so I don't think it's possible... Maybe someone else on the forum can answer this for sure?
Have a nice day!

06-14-2010 07:18 AM
Hi Michael,
You can use the Trend Micro or Websense database to do content filtering, but if you only have a few URLs to block you could do it by configuring the URLs locally. You can use the urlfiltering feature of both IOS firewalls, CBAC or ZBF, but it would be nice to have some firewall knowledge.
I just answered a similar thread a couple of days ago, but it's in French; let me know if additional translation would be useful ;-) You can see in that thread the configuration example to use both firewalls to do local URL filtering only (first with CBAC and second with ZBF):
https://supportforums.cisco.com/message/3118200#3118200
Here is config doc for CBAC:
http://cisco.biz/en/US/products/ps5855/products_configuration_example09186a0080ab4ddb.shtml
And here is for ZBF, this is a good doc found on this forum:
https://supportforums.cisco.com/docs/DOC-8028#_Configuration_with_Static_Filtering_
This is supported on the 2800, but you may need to check the IOS version and feature set. ZBF, for example, requires 12.4(20)T or later as mentioned in the above doc. I think CBAC urlfiltering was available well before this; the doc mentions it's working in "12.4", so I suppose this means it's available in 12.4 mainline.
Thanks!
Raphael
06-14-2010 08:00 AM
Hi Raphael,
Is this config enough?
R0>en
R0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#ip inspect name TEST http urlfilter
R0(config)#ip urlfilter allow-mode on
R0(config)#ip urlfilter exclusive-domain deny www.denyme.com
R0(config)#ip urlfilter audit-trail
R0(config)#interface FastEthernet0/0
R0(config-if)#ip inspect TEST out
R0(config-if)#end
R0#
or do I have to change something more?
Because if I try to reach "www.denyme.com" I can access it.
Thanks for your answer
Michael

06-14-2010 08:24 AM
Hi Michael,
That should be enough, yes.
Make sure to configure "ip inspect TEST out" on all outside interfaces (facing the WAN); by default all other interfaces will be considered as inside.
-OR- configure "ip inspect TEST in" on all the inside interfaces facing the LAN, and by default all other interfaces will be considered as outside.
Then the connections from inside to outside should be reset for the denied URL.
What is Fast 0/0 used for? Where are your WAN and LAN interfaces?
Thanks,
Raphael
06-14-2010 11:47 PM
Hi Raphael,
Thanks for your help - I had used the wrong interface!
But if I activate the URL filter, I'm not able to connect to external Terminal Servers. Do I have to activate something more?
Thanks
Michael

06-15-2010 12:57 AM
Hi Michael,
The above configuration should only match HTTP sessions, and with "audit-trail" on you should see a log for each failed attempt.
How do you connect to your Terminal Server?
Can you check the logs and "show ip inspect session details" just after a failed attempt? You could add this to have more logs, but don't forget to remove it later as this can be very chatty:
ip inspect audit-trail
ip urlfilter audit-trail
The firewall should not inspect anything other than HTTP; all other incoming traffic should pass, and with "ip urlfilter allow-mode on" all the HTTP traffic that doesn't match the exclusive-domain rule will pass.
So if you remove only the interface configuration "ip inspect TEST out", can you confirm it's working fine?
Could you maybe post a sample of your firewall config, something like show run | i inspect|url|interface ?
06-15-2010 03:55 AM
Hi Raphael,
This is my original config (with show run | i inspect|url|interface):
---
show run | i inspect|url|interface
ip inspect name FW appfw FW
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 pop3
interface Null0
interface FastEthernet0/0
interface FastEthernet0/1
ip inspect sdm_ins_out_100 out
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface ATM0/2/0
interface ATM0/2/0.1 point-to-point
interface BRI0/2/0
interface ATM0/3/0
interface BRI0/3/0
interface Vlan1
interface Dialer1
ip nat inside source static tcp 192.168.16.2 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.16.2 47 interface FastEthernet0/1 47
ip nat inside source static udp 172.16.1.11 3101 interface FastEthernet0/1 3101
ip nat inside source static tcp 192.168.16.2 1701 interface FastEthernet0/1 1701
ip nat inside source static tcp 192.168.16.2 51 interface FastEthernet0/1 51
ip nat inside source static tcp 172.16.1.21 18080 interface FastEthernet0/1 18080
ip nat inside source static tcp 172.16.1.15 8001 interface FastEthernet0/1 8001
ip nat inside source static tcp 172.16.1.3 443 interface FastEthernet0/1 443
ip nat inside source static tcp 172.16.1.3 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.1.15 21 interface FastEthernet0/1 21
ip nat inside source static tcp 172.16.1.15 20 interface FastEthernet0/1 20
ip nat inside source static tcp 172.16.1.15 8002 interface FastEthernet0/1 8002
ip nat inside source static tcp 172.16.1.21 25 interface FastEthernet0/1 25
ip nat inside source static tcp 172.16.1.24 8080 interface FastEthernet0/1 8080
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
---
and I would insert the following settings:
conf t
ip inspect name TEST http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.dom1.de
ip urlfilter exclusive-domain deny www.dom2.de
ip urlfilter exclusive-domain deny www.dom3.de
ip urlfilter exclusive-domain deny www.dom4.de
ip urlfilter exclusive-domain deny www.dom5.de
ip urlfilter exclusive-domain deny *.dom1.de --> is it possible to use wildcards?
ip urlfilter exclusive-domain deny *.dom2.de
ip urlfilter exclusive-domain deny *.dom3.de
ip urlfilter audit-trail
interface FastEthernet0/1
ip inspect TEST out
end

06-15-2010 08:19 AM
Looks like you already have some firewall configured there: FW, sdm_ins_in_100 and sdm_ins_out_100.
Only interface FastEthernet0/1 has sdm_ins_out_100 configured, so the others are just not in use. If you add the config above, you remove the firewall sdm_ins_out_100 and configure the TEST firewall only instead.
With that said, I'm not sure why this breaks your remote session, but you probably have an ACL configured on FastEthernet0/1 that denies incoming traffic, and since you don't inspect udp and tcp with TEST, you never open a hole to let the returning traffic cross back through your router, so the packets are dropped by that ACL. So, in short, what you should do is integrate the URL filtering into the already existing firewall:
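Raphael's diagnosis above, as an added worked example (this is my code, not from the thread, from Cisco, or from any IOS tool): a Python checker that parses a `show run | i inspect|url|interface` excerpt, models the IOS behaviour that only one inspect rule is active per interface and direction, and flags an applied rule that inspects HTTP only, so no return-traffic holes are opened for the other TCP/UDP sessions (the terminal-server case). The sample config is the excerpt quoted in the thread, trimmed to the relevant lines. The `integrate_urlfilter` function assumes that "integrating" means adding the `urlfilter` option to the existing rule's `http` entry; that is my reading of the thread, not a command Raphael posted.

```python
"""Check a CBAC excerpt for the pitfall discussed in the thread: applying a new
inspect rule that covers only HTTP replaces the existing rule on that
interface/direction, so generic tcp/udp sessions are no longer tracked and
their return traffic is dropped by the inbound ACL."""
import re
from collections import defaultdict

# Constructed sample: the running-config excerpt quoted in the thread, trimmed.
SAMPLE_CONFIG = """\
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 pop3
interface FastEthernet0/0
interface FastEthernet0/1
 ip inspect sdm_ins_out_100 out
"""

# The change proposed in the thread: a new HTTP-only rule applied outbound on the WAN side.
PROPOSED_CHANGE = """\
ip inspect name TEST http urlfilter
interface FastEthernet0/1
 ip inspect TEST out
"""

RULE_RE = re.compile(r"^\s*ip inspect name (\S+) (\S+)(.*)$")
IFACE_RE = re.compile(r"^\s*interface (\S+)")
APPLY_RE = re.compile(r"^\s*ip inspect (\S+) (in|out)\s*$")


def parse_cbac(text):
    """Return (rules, applied): rules maps rule name -> {protocol: [options]},
    applied maps (interface, direction) -> rule name."""
    rules = defaultdict(dict)
    applied = {}
    current_iface = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            name, proto, opts = m.groups()
            rules[name][proto] = opts.split()
            continue
        m = IFACE_RE.match(line)
        if m:
            current_iface = m.group(1)
            continue
        m = APPLY_RE.match(line)
        if m and current_iface:
            applied[(current_iface, m.group(2))] = m.group(1)
    return dict(rules), applied


def apply_change(rules, applied, change_text):
    """Merge a proposed change into the parsed config. A later
    'ip inspect X <dir>' on an interface replaces the earlier one for
    that direction, which is how IOS behaves."""
    new_rules, new_applied = parse_cbac(change_text)
    merged_rules = {k: dict(v) for k, v in rules.items()}
    for name, protos in new_rules.items():
        merged_rules.setdefault(name, {}).update(protos)
    merged_applied = dict(applied)
    merged_applied.update(new_applied)
    return merged_rules, merged_applied


def check_return_traffic(rules, applied):
    """Flag interface/direction pairs whose active rule inspects neither tcp
    nor udp generically: non-HTTP sessions will get no return-traffic hole."""
    findings = []
    for (iface, direction), name in applied.items():
        protos = set(rules.get(name, {}))
        if not protos & {"tcp", "udp"}:
            findings.append(
                f"{iface} {direction}: rule {name} inspects only {sorted(protos)}; "
                "generic tcp/udp sessions will not be tracked"
            )
    return findings


def urlfilter_rules(rules):
    """Names of rules whose http entry carries the urlfilter option."""
    return sorted(n for n, p in rules.items() if "urlfilter" in p.get("http", []))


def integrate_urlfilter(rules, rule_name):
    """Assumption (not from the thread): add the urlfilter option to the http
    entry of the existing rule instead of creating a separate HTTP-only rule."""
    merged = {k: dict(v) for k, v in rules.items()}
    merged.setdefault(rule_name, {})["http"] = ["urlfilter"]
    return merged


if __name__ == "__main__":
    base_rules, base_applied = parse_cbac(SAMPLE_CONFIG)
    after_rules, after_applied = apply_change(base_rules, base_applied, PROPOSED_CHANGE)
    for f in check_return_traffic(after_rules, after_applied):
        print("FINDING:", f)
    fixed = integrate_urlfilter(base_rules, "sdm_ins_out_100")
    print("urlfilter rules after integration:", urlfilter_rules(fixed))
```

Running it on the sample prints one finding for FastEthernet0/1 out (rule TEST inspects only http) and shows that, after integration, the existing sdm_ins_out_100 rule carries the URL filter while still tracking tcp and udp, which is the state Raphael describes.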
06-16-2010 12:20 AM
Hi Raphael,
Thank you very much for your help - this works!
One question again:
Is it possible to forward the blocked sites to an "access denied" page?
Michael
