10-25-2013 01:03 AM - edited 03-11-2019 07:56 PM
Dear all,
I am using an 1841 router (Version 12.4(13r)T) and configured it as a ZBF as follows, as you all have told me. My idea is to block unwanted sites like Facebook. This router is not yet connected.
Current configuration : 1076 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
parameter-map type regex DENY_SITES
pattern .*facebook.com
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
class-map type inspect http match-all CLASS_DENY_SITES
match request header host regex DENY_SITES
!
!
policy-map type inspect http POLICY_DENY_SITES
class type inspect http CLASS_DENY_SITES
reset
class class-default
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
!
!
!
interface FastEthernet0/0
no ip address
zone-member security INSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
zone-member security OUTSIDE
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
But when I try to apply the policy on the zone-pair, I am getting the following error.
Router(config-sec-zone-pair)#service-policy type inspect POLICY_DENY_SITES
Inspect service-policy attachment failed
Why is it not allowed to apply policies? Please help me at your earliest....
Thank you
10-25-2013 06:55 AM
Hello,
As I already answered you personally, the problem is you are attaching an L7 policy to the service-policy.
Only L4 policies are supported on the service-policy.
What to do:
Create an L4 policy, set the L7 into that L4 and then attach the L4 to the service-policy.
Regards,
Jcarvaja
10-25-2013 10:21 AM
Highly appreciate your answer... thank you very much...
You mean ZBFW doesn't support L7 policies???
Could you kindly show me how to do this... very sorry for my poor understanding...
Thanks
10-25-2013 10:26 AM
Hello,
No problem.
It is supported, but you cannot apply it directly to the service-policy:
class-map type inspect http match-all CLASS_DENY_SITES
 match request header host regex DENY_SITES
!
!
policy-map type inspect http POLICY_DENY_SITES
 class type inspect http CLASS_DENY_SITES
  reset
class-map type inspect HTTP_123
 match protocol http
policy-map type inspect HTTP_123
 class HTTP_123
  inspect
  service-policy http POLICY_DENY_SITES
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect HTTP_123
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-25-2013 11:49 AM
Hi,
Thank you very much for the reply.
I have done the configuration as you have instructed. But I am still getting the same message.
policy-map type inspect HTTP_123
 class HTTP_123
  inspect
  service-policy http POLICY_DENY_SITES
Router(config-sec-zone-pair)#service-policy type inspect POLICY_DENY_SITES
Inspect service-policy attachment failed
Should it be as follows????
Router(config-sec-zone-pair)#service-policy type inspect HTTP_123 ???????
10-25-2013 01:13 PM
Yeah
I just updated the previous post!
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-26-2013 12:02 AM
Thank you very much for your help. I will apply this in the production env and check. Hope I can block unwanted sites in the same manner. So I appreciate your quick response and rated....
Have a good day
10-26-2013 12:10 AM
Hello,
It is a pleasure to help,
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-27-2013 09:58 AM
Hi,
I have tried to block Facebook today in the same way I have mentioned above. But it didn't work out. That means the regex method doesn't work??? Can you give me any other method??
Thanks
10-27-2013 10:02 AM
Hello,
Is the traffic going via HTTP or HTTPS? Because remember, HTTPS cannot be blocked with this method as the traffic goes encrypted.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-27-2013 10:16 AM
Hi,
Tried HTTP traffic also, but it didn't work. What is the other method you can recommend me? Access-list??
(ZBFW inside interface connected to the TMG server, outside to the ISP. Can't block from the TMG at least??)
Thanks
10-27-2013 10:30 AM
No,
That's the only method available to block HTTP websites using the local database, otherwise you should get a content engine.
Are you sure the site is not being switched to HTTPS? Try with a different site (YouTube for example, or any one that comes into your mind).
Note: Share the latest config please
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-27-2013 10:43 AM
Yes, you are correct... this is switching to HTTPS..
But my question is I just tried to block yahoo.com in this manner.. didn't work.
You mean if it is HTTPS... we can't block it even using an ASA????
10-27-2013 10:47 AM
Hello,
No, it will not work because we are matching the Host header value in the packet, and with HTTPS that goes encrypted, so the device will not be able to understand it.
Now, with an ASA I have matched the DNS requests looking for facebook.com, so I block the DNS request; with no resolution I will not be able to go to Facebook unless I know the IP address, which is highly unlikely but at some time it could happen.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
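The two inspection points discussed in this thread, as a small added model that is not part of the thread or of Cisco's code: the L7 HTTP policy from Jcarvaja's accepted answer matches the Host header of a plaintext request against the `DENY_SITES` regex (`.*facebook.com`) and resets on a hit, and the DNS-request filter from the ASA remark drops queries whose question name is the blocked domain or a subdomain of it. The sample HTTP request, TLS bytes and DNS packet are constructed here for illustration; the assumption is that Python's unanchored `re.search` approximates how the router applies a `parameter-map type regex` pattern, and the tighter pattern at the end is only evaluated in Python, so whether the router's regex engine accepts the same syntax must be checked on the device.

```python
"""Toy model of two filters from the thread: (1) an HTTP L7 policy that resets
connections whose Host header matches a regex, (2) a DNS-request filter that
drops queries for a blocked domain. All sample data is constructed."""
import re
import struct

# --- constructed sample traffic (not captured from any real device) ---------
HTTP_REQUEST = (b"GET /home.php HTTP/1.1\r\n"
                b"Host: www.facebook.com\r\n"
                b"User-Agent: example\r\n\r\n")

# Start of a TLS record on TCP/443 (constructed, lengths not exact): content
# type 0x16 = handshake, then a ClientHello. The HTTP request, and with it the
# Host header, lives inside the encrypted tunnel, so it is never visible here.
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2c"
                    b"\x01\x00\x00\x28\x03\x03" + bytes(32)
                    + b"\x00\x00\x02\x00\x2f\x01\x00")

DENY_SITES = r".*facebook.com"   # the thread's parameter-map pattern


# --- HTTP L7 policy: "match request header host regex" ----------------------
def http_host(payload):
    """Return the lower-cased Host header of a plaintext HTTP request, or None
    when the payload is not a parseable HTTP request (e.g. it is TLS)."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/\d\.\d$", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            # drop an optional ":port" suffix
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None


def host_matches(pattern, host):
    """Unanchored search, assumed to approximate the router's regex engine."""
    return re.search(pattern, host) is not None


def http_verdict(payload, pattern=DENY_SITES):
    """'reset' when the Host header matches, otherwise 'pass'. A TLS payload
    yields no Host header at all, so the L7 policy can never match it."""
    host = http_host(payload)
    if host is None:
        return "pass"
    return "reset" if host_matches(pattern, host) else "pass"


# --- DNS-request filter: block resolution of the domain ---------------------
def build_dns_query(name, qid=0x1234):
    """Construct a standard A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_qname(packet):
    """Extract the first question name from a DNS packet; None if malformed."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:            # compression pointers do not belong in a question
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels).lower()


def dns_verdict(packet, blocked=("facebook.com",)):
    """'drop' when the query name is a blocked domain or one of its subdomains."""
    qname = dns_qname(packet)
    if qname is None:
        return "pass"
    for domain in blocked:
        if qname == domain or qname.endswith("." + domain):
            return "drop"
    return "pass"


if __name__ == "__main__":
    print("HTTP :", http_verdict(HTTP_REQUEST))        # reset
    print("HTTPS:", http_verdict(TLS_CLIENT_HELLO))    # pass (Host not visible)
    print("DNS  :", dns_verdict(build_dns_query("www.facebook.com")))  # drop
```

Two things the model makes visible: the TLS payload produces no Host header, which is exactly why the reset never fires once the site switches to HTTPS, and the pattern `.*facebook.com` is unanchored with an unescaped dot, so in Python it also matches hosts such as `facebook.com.example.net` or `facebookxcom`; a pattern like `(^|\.)facebook\.com$` is tighter, but whether the router accepts that syntax has to be verified on the device rather than assumed from this script.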
10-27-2013 10:53 AM
Thanks Julio....
So the conclusion is... if it is HTTPS... it cannot be blocked from ZBFW?? But if it is HTTP... it can be blocked in the above manner??
Please correct me if I am wrong..
Thanks