04-21-2013 07:40 PM - edited 03-11-2019 06:32 PM
Hi Everyone,
I was trying basic URL filtering by CBAC on a router
using CBAC (Context-Based Access Control):
!
ip inspect name WEBFILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .yahoo.com
!
!
interface FastEthernet 0
desc Internal
ip inspect WEBFILTER out
where fa0 is the interface of the 1811w that connects to the 3550.
My home setup is like this: the 1811w is a Wi-Fi router which has OSPF to the 3550, and the 3550 has a connection to the edge router.
The edge router connects to the ISP.
On the edge router I used the outgoing interface that connects to the ISP modem.
I have configured the above command on the edge router but I am still able to access yahoo.com.
I tried on the 1811W router and am still able to access yahoo.com.
When I try on the interface with the out direction, I do not see any sis connections.
I need to know on which device I should configure URL filtering, and on which interface and direction?
Thanks
Mahesh
04-21-2013 08:14 PM
Mahesh,
If Fa0 is the one that connects to the internal network, then the direction needs to be in, which means that the GET packet from the client is getting inbound on that interface.
Change that and it should work.
https://supportforums.cisco.com/docs/DOC-20563
Mike Rojas.
04-21-2013 08:29 PM
Hi Rojas,
I followed that link earlier and did my config from there.
Now changed interface direction to inside, same thing.
Still able to access yahoo.com.
Thanks
Mahesh
04-21-2013 08:38 PM
Hi Mahesh,
So the clients are coming from the Fa0? Would you be able to post the following?
Show run | inc ip inspect
Show run interface fa0
Mike Rojas.
04-21-2013 08:40 PM
Hi,
Here is the info:
interface FastEthernet0
description IPSEC OSPF TO 3550A Interface Fas 0/8
ip address 192.168.99.1 255.255.255.0
ip inspect WEBFILTER in
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_MAP
!
1811w# Show run | inc ip inspect
ip inspect name WEBFILTER http urlfilter
ip inspect WEBFILTER in
1811w#
Thanks
Mahesh
04-21-2013 08:51 PM
Mahesh,
Can you try your website without the first dot? IE
ip urlfilter exclusive-domain deny yahoo.com
Let me know.
04-21-2013 08:57 PM
Hi,
Tried without, same thing.
thanks
mahesh
04-21-2013 09:03 PM
Mahesh,
Let me try it out with your config... I'll update in 20 minutes.
Mike Rojas.
04-21-2013 09:07 PM
Hi Maykol,
Will wait for your reply
thanks
Mahesh
04-21-2013 10:01 PM
Hello Mahesh,
It does work for me. Here is my config:
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip inspect WEB in
duplex auto
speed auto
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny yahoo.com
ip inspect name WEB http urlfilter
With this config, if you go to yahoo.com it would be blocked. Now, if you try www.yahoo.com, it goes through; if you try yahoo.com again, it would go through based on how the browser behaves.
Have this same config, erase the cache on the web browser and try again.
Mike Rojas.
04-21-2013 10:19 PM
Hi Mike,
I tried this a few times, no luck.
Also, when I do sh ip inspect sis, the output is blank.
Thanks for all the help and for trying this in your lab.
mahesh