How to block websites using local content filtering on a 876 Router

Kai Onken · ‎11-03-2012

Hello,

I found an interesting manual at this forum for blocking websites whits local content filtering. After I've modified the variables to get more details, I stopped at on question. My current Problem is "zone-pair.

zone security Z-SECRUTIY-SOURCE

zone security Z-SECRUTIY-DESTINATION

zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION

service-policy type inspect CM-INSPECT-TRAFFIC

interface vlan 1

zone-member security Z-SECRUTIY-SOURCE

interface dialer 0

zone-member security Z-SECRUTIY-DESTINATION

But after setting up this configuration, no Internet access is allowed anymore. Do I've a construction failure below or is my zone-pair incorecct?

I've attached the router configuration, but don't wonder, the configuration includes VPN access for iPhone.

The configuration which I've found here:

! Comment:

! This section specifies content filtering to be "local" on the IOS.

!

parameter-map type urlfpolicy local PM-URLF-POLICY-BLOCK-PAGE-MESSAGE

alert off

block-page message "This webpage is blocked by the Network Admin."

! Comment:

! This section specifies content filtering pattern to match the desired site, like, facebook.

!

parameter-map type urlf-glob PM-URLF-GLOB-BLOCKED

pattern *.facebook.*

pattern *.twitter.*

! Comment:

! This section specifies content filtering pattern to match all the other sites, so that we can

! permit them later.

!

parameter-map type urlf-glob PM-URLF-GLOB-ALLOWED

pattern *

! Comment:

! This section specifies content filtering filter class to match the pattern that we created earlier.

!

class-map type urlfilter match-any CM-URLFILTER-BLOCKED

match server-domain urlf-glob PM-URLF-GLOB-BLOCKED

class-map type urlfilter match-any CM-URLFILTER-ALLOWED

match server-domain urlf-glob PM-URLF-GLOB-ALLOWED

! Comment:

! This section specifies the traffic that the Cisco IOS will inspect or match.

!

class-map type inspect match-any CM-DNS

match protocol dns

class-map type inspect match-any CM-HTTP

match protocol http

class-map match-all CM-SECURE-HTTPS

match protocol secure-http

class-map type inspect match-all CM-HTTPS

match protocol https

! Comment:

! This section specifies a policy map that will tie the filter classes and the action to be taken.

!

policy-map type inspect urlfilter PM-INSPECT-URLFILTER-BLOCKED

parameter type urlfpolicy local PM-URLF-POLICY-BLOCK-PAGE-MESSAGE

class type urlfilter CM-URLFILTER-BLOCKED

log

reset

class type urlfilter CM-URLFILTER-ALLOWED

allow

! Comment:

! This section specifies the traffic class and its inspection.

!

policy-map type inspect CM-INSPECT-TRAFFIC

class type inspect CM-HTTP

inspect

service-policy urlfilter PM-INSPECT-URLFILTER-BLOCKED

class type inspect CM-DNS

inspect

class type inspect CM-HTTPS

inspect

class class-default

drop

! Comment:

! Zone creation

!

zone security Z-SECRUTIY-SOURCE

zone security Z-SECRUTIY-DESTINATION

! Comment:

! This section ties the inspection service policy to the zone-pair.

!

zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION

service-policy type inspect CM-INSPECT-TRAFFIC

! Comment:

! assigning zone to VLAN 1, which provides the local Network

!

interface vlan 1

zone-member security Z-SECRUTIY-SOURCE

! Comment:

! assigning zone to dialer 0 which provides the WAN dialup

!

interface dialer 0

zone-member security Z-SECRUTIY-DESTINATION

Julio Carvajal · ‎11-03-2012

Hello Kai,

the ZBFW configuration example is good, I will need to check the configuration with the ZBFW setup to check what is wron on your deployment,

Also is the problem related just to connectivity problems from inside to the internet or from the VPN clients to inside?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Kai Onken · ‎11-03-2012

Hello,

currently the problem exists from inside to the internet. I can't check the VPN because my iPhone is getting fixed.

And I think the zone-pair is the problem, I hope I've no other problem

Regards

Julio Carvajal · ‎11-03-2012

Hello Kai,

zone-pair security ZP-SECURITY Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION

service-policy type inspect CM-INSPECT-TRAFFIC

You are missing the keyword source in here ( I would say is a typo from your side)

interface vlan 1

zone-member security Z-SECRUTIY-SOURCE

interface vlan 1

zone-member security Z-SECRUTIY-DESTINATION

Why did you tried to assigned the same vlan to 2 different zones.

Can you share the configuration ( with the ZBFW setup) I think you write it wrong man

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Kai Onken · ‎11-03-2012

Hello,

I'm sorry, this was a copy and paste failure at this discussion. I had just created the configuration at my notepad for this post. I've corrected the intertface for destination to dialer 0 and added the forgotten source world.

So, the problem still exists

Regards

Julio Carvajal · ‎11-03-2012

Hello Kai,

Okay got it,

Please share the entire configuration with the ZBFW on,

Add the following command:

ip inspect log drop-pck

Then try to connect to the internet and post:

-show logging

Then check if there are any firewall drops from the connection you are attempting:

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Kai Onken · ‎11-04-2012

Hello,

I don't know why it is working now. (grrrrrr) I used the configuration 1 to 1 as I've posted above.

1. But, if I activate the ZBFW I'm not able to use icmp echo to the internet. Which I figured out with your ip inspec log drop-pck hint.

.Nov 4 07:18:24.297: %FW-6-DROP_PKT: Dropping icmp session 10.0.0.207:0 173.194.69.94:0 on zone-pair ZP-SECURITY class class-default due to DROP action found in policy-map with ip ident 0

.Nov 4 07:18:59.353: %FW-6-LOG_SUMMARY: 12 packets were dropped from 10.0.0.207:8 => 173.194.69.94:0 (target:class)-(ZP-SECURITY:class-default)

Will this solve the problem?

class-map match-all CM-ICMP

match protocol ICMP

2. Can I exclude IP-Address from getting checked by ZBFW?

3. Another problem I found is the access-list 101. When I set

interface dialer 0

ip access-group 101 in

Only ICMP is allowed and anything else is denied

Julio Carvajal · ‎11-04-2012

Hello Kai,

lol Interesting Glad it's working now

1) Yes, that will solve it. All you are missing is the stateful inspection for the ICMP protocol

2) Yes, but you will need to match that traffic with an ACL and then configure it on the top of the policy-map and instead of inspect it just pass it. ( You will need to do the same thing with the returning traffic as pass is not biderectional

3)The whole purpose of ZBFW is to be stateful, you do not need ACL's anymore, why would you use them??

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC