
IOS Content filtering problem

tgregorics
Level 1

Hi,

I'm having trouble with ZFW and URL filtering. If I set it up according to the documentation, it blocks every website; however, if I remove the urlfilter from the policy, everything works.

Any ideas?

Here is my config:

! URL filter parameter map (local domain list only)
parameter-map type urlfilter websense-parmap
 exclusive-domain deny .aaaaa.xx
 exclusive-domain deny .bbbbb.xx
 exclusive-domain deny .ccccc.xx
 exclusive-domain deny .ddddd.xx
 exclusive-domain deny .eeeee.xx
!
! Class maps
class-map type inspect match-any SMTP_TRAFFIC
 match protocol smtp
class-map type inspect match-any HTTP_TRAFFIC
 match protocol http
class-map type inspect match-any class-router-to-outside
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any class-outside-to-router
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name PROT_ESP
class-map type inspect match-any class-inside-to-outside
 match protocol https
 match protocol ftp
 match protocol imap
 match protocol imaps
 match protocol pop3
 match protocol pop3s
 match protocol pptp
 match protocol dns
 match protocol user-tcp-8005
 match protocol user-tcp-21000
 match protocol user-tcp-49600
 match protocol ssh
 match protocol ica
 match protocol icmp
 match protocol ntp
 match protocol user-tcp-5910
 match protocol user-tcp-4081
 match protocol user-tcp-10010
 match protocol user-tcp-2222
 match protocol lotusnote
 match protocol user-tcp-8080
 match protocol user-tcp-1353
class-map type inspect match-any class-outside-to-inside
 match protocol smtp
 match protocol mysql
 match protocol pptp
 match protocol user-tcp-7711
 match protocol user-tcp-5910
 match protocol user-tcp-5911
 match protocol user-tcp-4081
 match protocol user-udp-5910
 match protocol user-udp-5911
class-map type inspect match-any GRE_TRAFFIC
 match access-group name PROT_GRE
class-map type inspect match-all SMTP_SERVER_TRAFFIC
 match protocol smtp
 match access-group 100
!
! Policy maps
policy-map type inspect policy-router-to-outside
 class type inspect class-router-to-outside
  inspect
 class class-default
  pass
policy-map type inspect policy-outside-to-router
 class type inspect class-outside-to-router
  pass
 class class-default
  drop
policy-map type inspect policy-outside-to-inside
 class type inspect GRE_TRAFFIC
  pass
 class type inspect class-outside-to-inside
  inspect
 class class-default
  drop
policy-map type inspect policy-inside-to-outside
 class type inspect SMTP_SERVER_TRAFFIC
  inspect
 class type inspect GRE_TRAFFIC
  pass
 class type inspect class-inside-to-outside
  inspect
 class type inspect HTTP_TRAFFIC
  inspect
  urlfilter websense-parmap
 class class-default
  drop log
!
! Zones and zone pairs
zone security inside
zone security outside
zone-pair security zp-outside-to-inside source outside destination inside
 service-policy type inspect policy-outside-to-inside
zone-pair security zp-inside-to-outside source inside destination outside
 service-policy type inspect policy-inside-to-outside
zone-pair security zp-router-to-outside source self destination outside
 service-policy type inspect policy-router-to-outside
zone-pair security zp-outside-to-router source outside destination self
 service-policy type inspect policy-outside-to-router
!
! ACLs referenced above
ip access-list extended PROT_ESP
 permit esp any any
ip access-list extended PROT_GRE
 permit gre any any
!
access-list 100 permit ip host 10.1.28.1 any

1 Reply

tgregorics
Level 1

Figured it out.

"allow-mode on" was missing from my parameter map.
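As an added example (not from the original thread or from Cisco), a small Python check that scans an IOS configuration for urlfilter parameter maps referenced from a policy-map and flags the fail-closed combination the question hit: no filtering server configured and allow-mode left at its default of off, so every HTTP request is dropped. The sample config and the map name fixed-parmap are constructed for the example.

```python
import re

# Constructed sample (not the poster's full config): the map from the question,
# a corrected copy with "allow-mode on", and the class that references the first.
SAMPLE_CONFIG = """\
parameter-map type urlfilter websense-parmap
 exclusive-domain deny .aaaaa.xx
 exclusive-domain deny .bbbbb.xx
parameter-map type urlfilter fixed-parmap
 allow-mode on
 exclusive-domain deny .aaaaa.xx
policy-map type inspect policy-inside-to-outside
 class type inspect HTTP_TRAFFIC
  inspect
  urlfilter websense-parmap
 class class-default
  drop log
"""

def parse_urlfilter_maps(config):
    """Collect every 'parameter-map type urlfilter' block and its settings."""
    maps, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        m = re.match(r"^parameter-map type urlfilter (\S+)\s*$", line)
        if m:
            current = maps[m.group(1)] = {"allow_mode_on": False,
                                          "server": False, "domains": []}
        elif not line.startswith(" "):   # another top-level command ends the block
            current = None
        elif current is not None:
            cmd = line.strip()
            if cmd == "allow-mode on":
                current["allow_mode_on"] = True
            elif cmd.startswith("server vendor "):
                current["server"] = True
            elif cmd.startswith("exclusive-domain "):
                current["domains"].append(cmd.split()[-1])
    return maps

def audit_urlfilter(config):
    """One finding per map that a 'urlfilter' line references but that has no
    filtering server and leaves allow-mode at its default of off: with no
    server to ask, the router fails closed and drops every HTTP request."""
    used = set(re.findall(r"^\s+urlfilter (\S+)\s*$", config, re.M))
    return [f"{name}: add 'allow-mode on' (or a 'server vendor' line)"
            for name, pm in parse_urlfilter_maps(config).items()
            if name in used and not pm["server"] and not pm["allow_mode_on"]]
```

Running audit_urlfilter over the poster's configuration reports websense-parmap; once allow-mode on is added to that map the list comes back empty.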
