3845: Block websites (URLs) on the internet via zone firewall????

commteam100
Level 1

Hello, I am supplying an Internet connection to a company and I just recently added a firewall inside the router in order to block access to certain URLs and allow all other connections.

The strange problem is:

1. Some session connections seem to be lost randomly when downloading files from websites, or "Download Complete" appears too soon and the file is damaged.

2. I'm looking for a better method to allow all other connections and only block the Facebook and Rapidshare websites.

P.S. The router has ADSL WIC cards, so there are 6 dialers.

Configuration:

parameter-map type urlf-glob blocked-sites
pattern *rapidshare*
pattern *.facebook.com
!
parameter-map type urlf-glob AllOtherTraffic
pattern *

!
class-map type inspect match-all If-http-and-not-Authorized
match protocol http
match access-group name URL_FILTERING
class-map type urlfilter match-any If-Permitted
match  server-domain urlf-glob AllOtherTraffic
class-map type urlfilter match-any If-Blocked
match  server-domain urlf-glob blocked-sites
class-map type inspect match-any Allow-all-Protocols
match access-group 1
!
!
policy-map type inspect urlfilter WebFilter-Policy
class type urlfilter If-Blocked
  log
  reset
class type urlfilter If-Permitted
  allow
policy-map type inspect firewall-policy
class type inspect If-http-and-not-Authorized
  inspect
  service-policy urlfilter WebFilter-Policy
class type inspect Allow-all-Protocols
  inspect
class class-default
  pass
!
zone security zone_in
zone security zone_out
zone-pair security zp source zone_in destination zone_out
service-policy type inspect firewall-policy
!
!
interface GigabitEthernet0/0
description TO_LAN
no ip address
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex full
speed 1000
media-type sfp
no negotiation auto
!
interface GigabitEthernet0/0.150
encapsulation dot1Q 252
ip address 192.168.150.244 255.255.255.248
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security zone_in
ip tcp adjust-mss 1452
ip policy route-map HTTPS
!
interface ATM0/0/0
bandwidth 5120
no ip address
no atm ilmi-keepalive
pvc x/xx
  pppoe-client dial-pool-number 1
!
interface ATM0/1/0
bandwidth 5120
no ip address
no atm ilmi-keepalive
pvc x/xx
  pppoe-client dial-pool-number 2
!
interface ATM0/2/0
bandwidth 5120
no ip address
no atm ilmi-keepalive
pvc x/xx
  pppoe-client dial-pool-number 3
!
interface ATM0/3/0
bandwidth 5120
no ip address
no atm ilmi-keepalive
pvc x/xx
  pppoe-client dial-pool-number 4
!
!
interface Dialer1
bandwidth 5120
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly
zone-member security zone_out
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxxx
!
interface Dialer2
bandwidth 5120
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly
zone-member security zone_out
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxxx
!
interface Dialer3
bandwidth 5120
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly
zone-member security zone_out
encapsulation ppp
dialer pool 3
dialer-group 3
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxxx
!
interface Dialer4
bandwidth 5120
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly
zone-member security zone_out
encapsulation ppp
dialer pool 4
dialer-group 4
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer3 track 3
ip route 0.0.0.0 0.0.0.0 Dialer4 track 4
ip http server
no ip http secure-server
!
ip nat inside source route-map adsl1 interface Dialer1 overload
ip nat inside source route-map adsl2 interface Dialer2 overload
ip nat inside source route-map adsl3 interface Dialer3 overload
ip nat inside source route-map adsl4 interface Dialer4 overload
!
ip access-list extended HTTPS
permit tcp any any eq 443
ip access-list extended URL_FILTERING
deny   ip 192.168.10.0 0.0.0.255 any
permit ip any any
!
access-list 1 permit any
!
route-map adsl1 permit 10
match interface Dialer1
!
route-map adsl2 permit 10
match interface Dialer2
!
route-map adsl3 permit 10
match interface Dialer3
!
route-map adsl4 permit 10
match interface Dialer4
!
route-map HTTPS permit 10
match ip address HTTPS
set interface Dialer1
!
Please let me know what's wrong, and why it doesn't allow all unless I add:
class-map type inspect match-any Allow-all-Protocols
match access-group 1
Thanks in advance.

Message was edited by: commteam100
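The way the posted zone-based firewall policy evaluates a flow from zone_in to zone_out, modelled as an added Python example (not IOS code and not from the thread); it assumes that a urlf-glob `*` behaves as a plain glob, that classes within each policy-map are tried in listed order, and that `match protocol http` only covers plain HTTP, not HTTPS:

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed model of the configuration in the post (parameter-maps and ACL URL_FILTERING).
BLOCKED_SITES = ["*rapidshare*", "*.facebook.com"]          # urlf-glob blocked-sites
ALL_OTHER_TRAFFIC = ["*"]                                    # urlf-glob AllOtherTraffic
URL_FILTER_EXEMPT = ipaddress.ip_network("192.168.10.0/24")  # 'deny' line in URL_FILTERING


def glob_match(host, patterns):
    """urlf-glob style match: only '*' is used, case-insensitive (assumed plain glob semantics)."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)


def web_filter_action(host):
    """policy-map type inspect urlfilter WebFilter-Policy: first matching class wins."""
    if glob_match(host, BLOCKED_SITES):      # class If-Blocked -> log / reset
        return "reset"
    if glob_match(host, ALL_OTHER_TRAFFIC):  # class If-Permitted -> allow
        return "allow"
    return "allow"                           # urlfilter class-default


def firewall_action(src_ip, protocol, host=None, allow_all_class=True):
    """policy-map type inspect firewall-policy on zone-pair zone_in -> zone_out.

    allow_all_class=False models removing class Allow-all-Protocols, which the poster
    observed breaks "allow everything else".
    """
    src = ipaddress.ip_address(src_ip)
    # class If-http-and-not-Authorized is match-all: protocol http AND permitted by URL_FILTERING.
    acl_permits = src not in URL_FILTER_EXEMPT
    if protocol == "http" and acl_permits:
        return "inspect+" + web_filter_action(host)
    # class Allow-all-Protocols matches access-list 1 (permit any): stateful inspect.
    if allow_all_class:
        return "inspect"
    # class-default 'pass': packets are forwarded but no session state is created,
    # so the return traffic from zone_out has no zone-pair allowing it back in.
    return "pass"


if __name__ == "__main__":
    for flow in [("192.168.150.10", "http", "www.facebook.com"),
                 ("192.168.150.10", "http", "facebook.com"),
                 ("192.168.150.10", "https", "www.facebook.com"),
                 ("192.168.10.5", "http", "www.facebook.com"),
                 ("192.168.150.10", "dns", None)]:
        print(flow, "->", firewall_action(*flow), "/", firewall_action(*flow, allow_all_class=False))
```

Two points the model makes visible: `*.facebook.com` does not match the bare host `facebook.com`, and HTTPS (which the posted route-map sends out Dialer1) never reaches the urlfilter policy because it is not `protocol http`.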

1 Reply

commteam100
Level 1
Bump, bump, bump.

No one knows how to deal with this?

Please help!