cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

990
Views
0
Helpful
7
Replies
Kai Onken
Beginner

How to block websites using local content filtering on a 876 Router

Hello,

I found an interesting manual at this forum for blocking websites whits local content filtering. After I've modified the variables to get more details, I stopped at on question. My current Problem is "zone-pair.

zone security Z-SECRUTIY-SOURCE

zone security Z-SECRUTIY-DESTINATION

zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION

service-policy type inspect CM-INSPECT-TRAFFIC

interface vlan 1

zone-member security Z-SECRUTIY-SOURCE

interface dialer 0

zone-member security Z-SECRUTIY-DESTINATION

But after setting up this configuration, no Internet access is allowed anymore. Do I've a construction failure below or is my zone-pair incorecct?

I've attached the router configuration, but don't wonder, the configuration includes VPN access for iPhone.

The configuration which I've found here:

! Comment:

! This section specifies content filtering to be "local" on the IOS.

!

parameter-map type urlfpolicy local PM-URLF-POLICY-BLOCK-PAGE-MESSAGE

  alert off

  block-page message "This webpage is blocked by the Network Admin."

! Comment:

! This section specifies content filtering pattern to match the desired site, like, facebook.

!

parameter-map type urlf-glob PM-URLF-GLOB-BLOCKED

  pattern *.facebook.*

  pattern *.twitter.*

! Comment:

! This section specifies content filtering pattern to match all the other sites, so that we can

! permit them later.

!

parameter-map type urlf-glob PM-URLF-GLOB-ALLOWED

  pattern *

! Comment:

! This section specifies content filtering filter class to match the pattern that we created earlier.

!

class-map type urlfilter match-any CM-URLFILTER-BLOCKED

  match  server-domain urlf-glob PM-URLF-GLOB-BLOCKED

class-map type urlfilter match-any CM-URLFILTER-ALLOWED

  match  server-domain urlf-glob PM-URLF-GLOB-ALLOWED

! Comment:

! This section specifies the traffic that the Cisco IOS will inspect or match.

!

class-map type inspect match-any CM-DNS

  match protocol dns

class-map type inspect match-any CM-HTTP

  match protocol http

class-map match-all CM-SECURE-HTTPS

  match protocol secure-http

class-map type inspect match-all CM-HTTPS

  match protocol https

! Comment:

! This section specifies a policy map that will tie the filter classes and the action to be taken.

!

policy-map type inspect urlfilter PM-INSPECT-URLFILTER-BLOCKED

  parameter type urlfpolicy local PM-URLF-POLICY-BLOCK-PAGE-MESSAGE

  class type urlfilter CM-URLFILTER-BLOCKED

   log

   reset

  class type urlfilter CM-URLFILTER-ALLOWED

   allow

! Comment:

! This section specifies the traffic class and its inspection.

!

policy-map type inspect CM-INSPECT-TRAFFIC

  class type inspect CM-HTTP

   inspect

   service-policy urlfilter PM-INSPECT-URLFILTER-BLOCKED

  class type inspect CM-DNS

   inspect

  class type inspect CM-HTTPS

   inspect

  class class-default

   drop

! Comment:

! Zone creation

!

zone security Z-SECRUTIY-SOURCE

zone security Z-SECRUTIY-DESTINATION

! Comment:

! This section ties the inspection service policy to the zone-pair.

!

zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION

  service-policy type inspect CM-INSPECT-TRAFFIC

! Comment:

! assigning zone to VLAN 1, which provides the local Network

!

interface vlan 1

zone-member security Z-SECRUTIY-SOURCE

! Comment:

! assigning zone to dialer 0 which provides the WAN dialup

!

interface dialer 0

zone-member security Z-SECRUTIY-DESTINATION

7 REPLIES 7
Julio Carvajal
Advisor

Hello Kai,

the ZBFW configuration example is good, I will need to check the configuration with the ZBFW setup to check what is wron on your deployment,

Also is the problem related just to connectivity problems from inside to the internet or from the VPN clients to inside?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

currently the problem exists from inside to the internet. I can't check the VPN because my iPhone is getting fixed.

And I think the zone-pair is the problem, I hope I've no other problem

Regards

Hello Kai,

zone-pair security ZP-SECURITY Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION

service-policy type inspect CM-INSPECT-TRAFFIC

You are missing the keyword source in here ( I would say is a typo from your side)

interface vlan 1

zone-member security Z-SECRUTIY-SOURCE

interface vlan 1

zone-member security Z-SECRUTIY-DESTINATION

Why did you tried to assigned the same vlan to 2 different zones.

Can you share the configuration ( with the ZBFW setup) I think you write it wrong man

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I'm sorry, this was a copy and paste failure at this discussion. I had just created the configuration at my notepad for this post. I've corrected the intertface for destination to dialer 0 and added the forgotten source world.

So, the problem still exists

Regards

Hello Kai,

Okay got it,

Please share the entire configuration with the ZBFW on,

Add the following command:

ip inspect log drop-pck

Then try to connect to the internet and post:

-show logging

Then check if there are any firewall drops from the connection you are attempting:

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I don't know why it is working now. (grrrrrr) I used the configuration 1 to 1 as I've posted above.

1.     But, if I activate the ZBFW I'm not able to use icmp echo to the internet. Which I figured out with your ip inspec log         drop-pck hint.

          .Nov  4 07:18:24.297: %FW-6-DROP_PKT: Dropping icmp session 10.0.0.207:0 173.194.69.94:0 on zone-pair           ZP-SECURITY class class-default due to  DROP action found in policy-map with ip ident 0

          .Nov  4 07:18:59.353: %FW-6-LOG_SUMMARY: 12 packets were dropped from 10.0.0.207:8 => 173.194.69.94:0           (target:class)-(ZP-SECURITY:class-default)

     Will this solve the problem?

class-map match-all CM-ICMP

  match protocol ICMP

2.     Can I exclude IP-Address from getting checked by ZBFW?

3.     Another problem I found is the access-list 101. When I set

interface dialer 0

  ip access-group 101 in

          Only ICMP is allowed and anything else is denied

Hello Kai,

lol Interesting  Glad it's working now

1) Yes, that will solve it. All you are missing is the stateful inspection for the ICMP protocol

2) Yes, but you will need to match that traffic with an ACL and then configure it on the top of the policy-map and instead of inspect it just pass it. ( You will need to do the same thing with the returning traffic as pass is not biderectional

3)The whole purpose of ZBFW is to be stateful, you do not need ACL's anymore, why would you use them??

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Create
Recognize Your Peers
Content for Community-Ad