Web filtering for IP ranges

Alright, well I have a Cisco 891w router and have just about everything up and ready to deploy. I'm primarily using Cisco CP 2.4 to provision the router, with minor tweaks being done in the CLI. I want to set up a filter to allow access to roughly 20 websites for the majority of my network, which is all on the same VLAN. The IP ranges are x.x.x.10 - x.x.x.169, which I have set into a network object group called limitac. The second group ranges from x.x.x.170 - x.x.x.199 and is called allowac. I have set up DHCP bindings for all the devices that will connect to the network, but I want to set up a web filter for only the first group. I cannot seem to find anything in the Cisco CP manual or the IOS manual for setting up filtering for a range of IPs only.

Is there a way that I can set this up?

Primarily there are a few computers that need full access to the web while the others should only have access to the sites I set up in the filter.

Need some help here to figure this out

thanks in advance

elliott


Maykol Rojas
Cisco Employee

Hi,

Well, do you have any kind of firewall configured at this point? If so, please paste the configuration. This can only be accomplished with Zone-Based Firewall (as far as I know), where you define a class which will match an ACL with the desired hosts. Then a class map, and then the action would be inspect http, and separately you will need to create a parameter map including the websites you want to permit/deny.

Cheers

Mike


Wow, thanks for the timely response; usually I have to wait a bit to get responses on the boards.

Anyway, I do have a zone-based firewall configured; I will post my running config here.

I have inserted a <> to remove non-important info in order to help isolate the problem.


Building configuration...

Current configuration : 14685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Xior
!
boot-start-marker
boot-end-marker
!
<>
!
no aaa new-model
<>
!
crypto pki trustpoint TP-self-signed-1848013357
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1848013357
revocation-check none
rsakeypair TP-self-signed-1848013357
!
!
crypto pki certificate chain TP-self-signed-1848013357
certificate self-signed 01
<>
   quit
no ip source-route
!
!
!
ip dhcp pool ccp-pool1
<>
   client-identifier 0184.2b2b.4946.cb
!
!
ip cef
no ip bootp server
<>
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

!
!
object-group network allow
range 10.10.10.170 10.10.10.200
!
object-group network limitnet
range 10.10.10.10 10.10.10.169
!
username elliott privilege 15 secret 5 $1$yqTr$PzTwtiSFYqaGaKziUxOsA0
!
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any denyweb
match protocol http
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map denyweb
match access-group name limit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
<>
!
interface GigabitEthernet0
<>
!
interface wlan-ap0
<>
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
<>
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Async1
<>
!
interface Dialer0
<>
zone-member security out-zone
<>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
remark CCP_ACL Category=128
permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit x.x.x.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark denyweb
access-list 101 remark CCP_ACL Category=1
dialer-list 1 protocol ip permit
no cdp run

!
!
control-plane
!
<>
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

The firewall is pretty simple and some help getting it configured would be greatly appreciated.

thanks again

elliott

I cannot seem to find a parameter map setting in the Cisco CP software. So how do I go about doing this through the IOS?

Hi Elliot,

Here is an example:

parameter-map type urlfilter http-filter
 allow-mode on
 exclusive-domain deny google.com
access-list 101 permit tcp host 192.168.10.2 any eq 80
access-list 102 permit ip any any
class-map type inspect http-filter
 match access-group 101
class-map type inspect internet-access
 match access-group 102
policy-map type inspect in-out
 class http-filter
  inspect
  urlfilter
 class internet-access
  inspect
zone security in-zone
zone security out-zone
zone-pair security source in-zone destination out-zone
 service-policy type inspect in-out

With this configuration, the host 192.168.80.2 should not be able to access google.com, however, the rest of the people should be able to access it.

Sorry that I did not answer this faster, it has been a very rough week.

Cheers

Mike Rojas.

Mike

Beautiful, thank you so much. I'm going to throw this into my configuration in a couple of hours; I just needed to see the format.

Thank you so much. I'm going to mark this thread as answered later tonight after my testing is complete.

It's OK that you didn't answer sooner; I had many other things I had to take care of, so it's not a big deal.

thanks again

elliott

Hi Elliot

If anything happens just let me know, will be more than glad to help you out.

Mike Rojas.

Mike

I've gotten the configuration you gave me into the router except for one portion of it.

policy-map type inspect in-out
 class http-filter
  inspect
  urlfilter

I was able to load

policy-map type inspect in-out
 class http-filter
  inspect

but when I try to add the command urlfilter the console gives me

% Incomplete command.

I'm guessing this is where the actual filtering is done because the firewall is not filtering at this point.

I also wanted to check that, like other Cisco services, there is an implicit deny for things unspecified.

So if I configure the firewall as such:

parameter-map type urlfilter http-filter
 allow-mode on
 exclusive-domain allow google.com
 exclusive-domain allow yahoo.com
 exclusive-domain allow hotmail.com
 exclusive-domain allow gmail.com

then all the other sites should be blocked right?

Or do I have to use a wildcard and actually block along the lines of

exclusive-domain deny *

after my allowances?

thanks again in advance

elliott

Hi Elliot,

Yes, sorry, forgot one command there:

policy-map type inspect in-out
 class http-filter
  inspect
  urlfilter http-filter

If you want to allow those sites:

exclusive-domain allow yahoo.com
exclusive-domain allow hotmail.com
exclusive-domain allow gmail.com

On the parameter-map, instead of allow-mode on, put allow-mode off; that would block the rest of the sites that you are not specifying in the exclusive domain.

Let me know.

Mike


OK, I changed allow-mode to off,

but when I get into Router(config-pmap-c)#

I tried

urlf http-filter

%Protocol "http" not found in class-map

So should I change the name of the class-map filter?

I guess I'll try that and see how it goes

thanks again for your time.

elliott

edit*

This did not work either; I guess I am missing something somewhere else, which is why I get the %Protocol "http" not found in class-map error.

Hi Elliot,

I think I know what went wrong:

access-list 101 permit tcp host 192.168.10.2 any eq 80
access-list 102 permit ip any any
class-map type inspect match-all http-filter
 match access-group 101
 match protocol http
class-map type inspect internet-access
 match access-group 102
policy-map type inspect in-out
 class http-filter
  inspect
  urlfilter http-filter
 class internet-access
  inspect

Let me know.

Mike


Commands are in, but there is no filtering being done for the specified IP.

I'll post my updated sh ru with non-essential info pulled out.

parameter-map type urlfilter http-filter
exclusive-domain permit <***>
exclusive-domain permit 218.21.97.231
exclusive-domain permit 126.com
exclusive-domain permit <***>

!
parameter-map type urlfilter allowesites
!
!
object-group network allowac
range 10.10.10.170 10.10.10.200
!
object-group network limitnet
range 10.10.10.15 10.10.10.169
!
username <***>
!
archive
log config
  hidekeys
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all internet-access
match access-group 102
class-map type inspect match-all http-filter
match access-group 101
match protocol http
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any denyweb
match protocol http
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map denyweb
match access-group name limit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect in-out
class type inspect http-filter
  inspect
  urlfilter http-filter
class type inspect internet-access
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
interface FastEthernet0
<***>
!
interface FastEthernet8
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
<***>
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp ***
ppp ***
ppp ***
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended limit
remark CCP_ACL Category=128
permit ip object-group limitnet any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp host 10.10.10.15 0.0.0.169 255.255.255.0 eq www
access-list 101 permit tcp host 10.10.10.150 any eq www
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run

!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Really feels like we almost got it here

thanks again for all your help

elliott

Hi,

We do have an issue: you did manage to put it in the configuration; however, it is not applied. If you take a look at the configuration that you have right now, the policy that is applied from inside to outside is ccp-inspect and not the in-out that we created. You can do one of two things.

On the policy map ccp-inspect, add the class maps:

class type inspect http-filter
  inspect
  urlfilter http-filter
class type inspect internet-access
  inspect

The only problem with this is that you need to make sure that they are at the top (I guess you can easily move them around using CCP).

The other one would be using the whole policy that we created on the service policy; in that case you would need to do the following:

zone-pair security ccp-zp-in-out source in-zone destination out-zone
  no service-policy type inspect ccp-inspect
  service-policy type inspect in-out

Let me know how it goes.

Mike

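As an added check (not from the thread, not Cisco's tooling), this Python script audits a running-config for the two problems hit above: a urlfilter placed under a class-map that lacks match protocol http (the %Protocol "http" not found error), and a policy-map carrying the urlfilter that no zone-pair actually applies (the accepted solution). It assumes the standard indented show running-config layout and uses a constructed, abridged config modelled on the thread's.

```python
"""Audit an IOS zone-based firewall config for URL filtering that is defined but
never enforced. Added example; assumes one-space indented 'show run' layout."""
import re

STANZAS = {  # top-level stanzas we care about -> regex capturing the name
    "class": r"class-map type inspect (?:match-(?:any|all) )?(\S+)$",
    "policy": r"policy-map type inspect (\S+)$",
    "zpair": r"zone-pair security (\S+) ",
}

def audit_urlfilter(config):
    """Return findings for urlfilter classes that IOS would reject or that no
    zone-pair applies (the two failure modes hit in the thread)."""
    class_protos, policy_refs, applied = {}, {}, set()
    kind = name = cls = None                 # stanza currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] == "!":
            continue
        if raw[0] != " ":                    # column-0 command starts a stanza
            kind = name = cls = None
            for k, pat in STANZAS.items():
                if m := re.match(pat, line):
                    kind, name = k, m.group(1)
            if kind == "class":
                class_protos[name] = set()
            elif kind == "policy":
                policy_refs[name] = []
        elif kind == "class" and line.startswith("match protocol "):
            class_protos[name].add(line.split()[2])
        elif kind == "policy" and line.startswith("class "):
            cls = line.split()[-1]           # 'class type inspect X' or 'class X'
        elif kind == "policy" and line.startswith("urlfilter "):
            policy_refs[name].append((cls, line.split()[1]))
        elif kind == "zpair" and line.startswith("service-policy type inspect "):
            applied.add(line.split()[-1])
    findings = []
    for pmap, refs in policy_refs.items():
        for cls, urlf in refs:
            if "http" not in class_protos.get(cls, set()):
                findings.append(f"class-map {cls} lacks 'match protocol http'; IOS rejects 'urlfilter {urlf}' under it")
            if pmap not in applied:
                findings.append(f"policy-map {pmap} carries urlfilter {urlf} but no zone-pair applies it")
    return findings

# Constructed sample modelled on the thread's running config (abridged, not the
# poster's verbatim text): in-out is defined, but ccp-inspect is what is applied.
BROKEN = """\
parameter-map type urlfilter http-filter
 allow-mode off
 exclusive-domain permit 126.com
class-map type inspect match-all http-filter
 match access-group 101
 match protocol http
policy-map type inspect ccp-inspect
 class class-default
  drop
policy-map type inspect in-out
 class type inspect http-filter
  inspect
  urlfilter http-filter
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
"""
# The accepted fix: point the zone-pair's service-policy at in-out instead.
FIXED = BROKEN.replace("service-policy type inspect ccp-inspect", "service-policy type inspect in-out")
```

Note that the urlfilter only acts on the class that inspects HTTP; whatever the second class (ip any any) matches, HTTPS included, is inspected without any URL filtering.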

GENIUS!!!!!!!!!

Marking this topic as answered.

You sir are a life saver.

You cured my 1 month headache

Hello Elliot,

Hehehehe, I am glad I was able to help.

Cheers!

Mike
