03-22-2004 06:41 AM - edited 03-02-2019 02:27 PM
Hi,
Since we do not have a URL filtering device, we intend to do this on a Cisco 1721 router.
We need to allow only hotmail.com and yahoo.com and block other http traffic entering this router. Interface E0 is the input interface and F0 is the output interface connected to the internet. We have also implemented NAT on this router.
The problem is that all the http traffic is getting blocked, including hotmail and yahoo. Please let me know where I am going wrong; the configuration is attached.
videocon#sh run
Building configuration...
Current configuration : 1355 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname videocon
!
logging queue-limit 100
enable secret ******
enable password ****
!
ip subnet-zero
!
!
ip name-server 202.x.x.5
ip name-server 202.x.x.5
!
ip cef
ip multicast-routing
!
!
!
class-map match-any permit
match protocol http host "hotmail*"
match protocol http host "yahoo*"
match protocol http host "msn*"
class-map match-any block
match protocol http host "*"
!
!
policy-map deny-unwanted-httptraffic
class permit
class block
police cir 1000000 bc 31250 be 31250
conform-action drop
exceed-action drop
violate-action drop
!
!
!
interface Ethernet0
ip address 192.168.1.24 255.255.255.0
ip nat inside
full-duplex
service policy-map input deny-unwanted-httptraffic
!
interface FastEthernet0
ip address 202.56.x.x.x.255.240
ip nat outside
speed auto
!
ip nat pool vdocon 203.145.x.x.x.162.104 netmask 255.255.255.0
ip nat inside source list 1 pool vdocon overload
ip classless
ip route 0.0.0.0 0.0.0.0 202.56.253.181
ip route 172.26.0.0 255.255.0.0 192.168.1.201
ip route 192.168.51.0 255.255.255.0 192.168.1.113
no ip http server
!
!
!
access-list 1 permit 172.26.0.0 0.0.255.255
!
!
line con 0
line aux 0
line vty 0 4
password ****
login
!
no scheduler allocate
end
03-22-2004 07:29 AM
You have your police statement set to drop all traffic: conforming to the limits, exceeding the limits and violating the limits.
If you set the conform action to transmit instead of drop you may see some traffic. Also, should this not be on your outside interface rather than your inside interface (stop the traffic as close to the source as possible)?
best of luck !
03-23-2004 03:24 AM
Hi,
If we make the conform action transmit then the whole traffic will pass through. As I mentioned, we need to allow only hotmail and yahoo and block other http traffic.
As you can see in the configuration, we have the police statement on "class block" so that the other traffic apart from hotmail and yahoo gets blocked.
I tried your suggestion but it does not help. Please let me know if you have any other idea.
Thanks
03-26-2004 05:07 AM
How about:
class-map match-any permit
match protocol http host "hotmail*"
match protocol http host "yahoo*"
!
policy-map mark-inbound-http
class permit
set ip dscp 1
!
interface FastEthernet0
service-policy input mark-inbound-http
!
access-list 101 permit ip any any dscp 1 log
!
! Apply it outbound on the 'inside' interface where the target web servers are.
!
interface Ethernet0
ip access-group 101 out
!
I will give it a try in the lab.
Keith
>>>>
Dear Keith,
Thanks for your prompt reply and suggestion. I tried your new configuration but it is still not working; the whole traffic is getting blocked. I could see that there are no matches to access-list 101 for dscp 1, whereas there were matches for the deny statement.
access-list 101 permit ip any any dscp 1 log
access-list 101 deny ip any any log ( 238 )
In fact I tried this configuration earlier but it did not work, hence I tried the other option of the police statement, but no luck. Can you please try this scenario in the lab and let me know your feedback.
Thanks in advance
Regards
Athif
>>>>>>>>>>>
Sorry Athif,
I have not had a chance to put it into the lab and will not get a chance until Sunday or Monday.
Sounds as if you have been through this already, but you could try using a different tagging method rather than dscp to see if that works.... that's what I will do when I get the chance.
best of luck,
Keith
04-12-2004 06:08 AM
Hi,
Can anyone help me on this ?
04-14-2004 12:51 AM
Hi,
Try to configure "ip nbar protocol-discovery" on the ethernet where you want to match.
I had the same problem with matching rtp traffic.
04-15-2004 05:22 AM
Hi,
Tried this, but still I am not able to see any matches on dscp 1.
04-15-2004 07:43 AM
Just a thought, but would it help to put a leading * in the match like this:
class-map match-any permit
match protocol http host "*hotmail*"
match protocol http host "*yahoo*"
match protocol http host "*msn*"
04-16-2004 02:23 AM
I tried
match protocol http host "*"
but still there are no matches. However, I have seen one observation: when I give the command "sh policy-map int e0" I could see some matches for a day, around 100 or so, but I think it is only syn packets and not the traffic. Overall, when I see the instantaneous status of the matches with "sh access-list 101" I do not see any match on dscp 1, on some occasions 5 matches max, but the whole traffic is getting blocked.
04-18-2004 11:34 PM
You may want to try using the match "not" syntax when setting up the class maps.
Not tested, but possibly something like:
class-map match-any PERMIT-URL
match protocol http host "*yahoo*"
match protocol http host "*hotmail*"
class-map match-all DENY-URL
match protocol http host "**"
class-map match-all URL-TRAFFIC
match not class-map PERMIT-URL
match class-map DENY-URL
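The thread never shows the accepted class-maps wired into a policy and applied to an interface, so here is an added configuration assembled from the pieces posted above (the nested "match not" class-maps, the "ip nbar protocol-discovery" hint, and the original police-drop action); it is not from any post, and the class, policy and interface names, plus the use of "match protocol http" instead of host "**" for the catch-all, are this example's own assumptions.

```ios
! Hosts that are allowed: NBAR matches the Host header of cleartext HTTP requests,
! so the leading and trailing * cover www.hotmail.com, login.yahoo.com, etc.
class-map match-any PERMIT-URL
 match protocol http host "*yahoo*"
 match protocol http host "*hotmail*"
!
! Everything else that is HTTP: match-all so that BOTH conditions must hold,
! i.e. "is HTTP" AND "is not one of the permitted hosts".
class-map match-all URL-TRAFFIC
 match protocol http
 match not class-map PERMIT-URL
!
! Permitted hosts are never matched by URL-TRAFFIC, so they fall into class-default
! and are forwarded untouched; the rest is policed with every action set to drop,
! the same construct the original post used.
policy-map DENY-UNWANTED-HTTP
 class URL-TRAFFIC
  police cir 8000 bc 1500 be 1500
   conform-action drop
   exceed-action drop
   violate-action drop
!
! Inbound on the inside interface, where the LAN clients' requests enter the router.
! protocol-discovery is enabled as suggested earlier in the thread.
interface Ethernet0
 ip nbar protocol-discovery
 service-policy input DENY-UNWANTED-HTTP
!
! Verification (commands referenced in the thread): per-class packet counters
! show whether permitted hosts are landing in class-default rather than URL-TRAFFIC.
! show policy-map interface Ethernet0
! show class-map
```

Note that this filters on the Host header of plain HTTP only; HTTPS sessions to the same sites carry no readable Host header and are not classified by these class-maps.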
04-19-2004 05:39 AM
Hi,
It has worked, thanks a lot.