URL Filtering on Cisco Router

samirshaikh52
Level 2

Hello,

I have configured our Cisco router to filter URLs, that is, to allow only specific URLs and block other websites. I have two questions in this context:

- How can I apply it only for some specific users? Meaning, for some users I want to give full access.

- I have noticed it's filtering HTTPS websites? How can I deny HTTPS websites?

This is my router config:

R2#sh running-config
Building configuration...

Current configuration : 2460 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
ip inspect name cbac-filter http urlfilter
ip inspect name cbac-filter https
!
!
no ip domain lookup
ip urlfilter exclusive-domain permit .youtube.com
ip urlfilter exclusive-domain permit .facebook.com
ip urlfilter exclusive-domain permit .dailymotion.com
!
!
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.150.100 255.255.255.0
 ip inspect cbac-filter in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

TIA and Best Regards

7 Replies

Julio Carvajal
VIP Alumni

Hello,

When you say specific users, do you mean based on Active Directory users, for example? Or are you talking about IP addresses?

Now, related to the HTTPS, you will need an external device that acts as an SSL gateway to make it happen, such as ScanSafe, IronPort, Websense, Trend Micro, etc.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I mean IP addresses. It's a small office; I don't want to add a proxy server. Please help me to achieve this with the router.

Thanks

Hello,

Oh wait a minute, did I just see a CBAC config? Then my advice is to migrate to ZBFW so you can accomplish this, bud.

As you can see, CBAC is way NOT flexible.


Regards,

Jcarvaja


Please can you help with the config?

I have a Cisco router, Cisco 2921, IOS version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)

Thanks

Hi,

With CBAC you cannot do the specific filtering for certain users.

And for the HTTPS you need an external HTTPS proxy, buddy.


Regards,

Jcarvaja


Please help me to achieve this through ZBFW.

Leo Laohoo
Hall of Fame

How can I apply it only for some specific users? Meaning, for some users I want to give full access.

I think you need to look into proxy servers. 
