02-28-2012 01:15 AM - edited 03-04-2019 03:27 PM
class-map match-any ONLINE_MOVIES
match protocol http host "www.moviesonline.ca"
match protocol http host "www.bestmovies.cc"
match access-group 190
policy-map DROP_ONLINE_MOVIES
class ONLINE_MOVIES
drop
access-list 190 permit tcp host 192.168.40.5 any eq www
interface FastEthernet0/0
description _WAN_INTERFACE_
service-policy output DROP_ONLINE_MOVIES
However, the whole 192.168.40.0/24 is banned!!
Am I missing something?
02-28-2012 02:30 AM
Hi,
So you want to deny this host from browsing these 2 sites? If so then you can do this:
class-map match-any URLS
match protocol http host "www.moviesonline.ca"
match protocol http host "www.bestmovies.cc"
class-map ONLINE_MOVIES
match class-map URLS
match access-group 190
Regards.
Alain
02-28-2012 03:07 AM
class-map match-any URLS
match protocol http host "*moviesonline.ca"
match protocol http host "*bestmovies.cc"
class-map match-all ONLINE_MOVIES
match class-map URLS
match access-group 190
policy-map DROP_ONLINE_MOVIES
class ONLINE_MOVIES
drop
interface Fa0/0
description _WAN_INTERFACE_
service-policy output DROP_ONLINE_MOVIES
access-list 190 permit tcp host 192.168.40.5 any eq www
access-list 190 permit tcp host 192.168.40.203 any eq www
So... the policy doesn't seem to apply at all, I mean both IPs are able to browse the banned URLs...
02-28-2012 02:59 AM
access-list 190 permit tcp host 192.168.40.5 any eq www
however all class 192.168.40.0 /24 is banned !!
Could you clarify "all"? The ACL should only block all destination port 80 traffic from 192.168.40.5.
Perhaps Alain has guessed what you intended? If not, could you clarify what you want to accomplish?
PS:
To clarify part of Alain's posting:
class-map match-all ONLINE_MOVIES
match class-map URLS
match access-group 190
02-28-2012 03:12 AM
When I was referring to "all" I meant: 192.168.40.0/24 cannot access those URLs.
Yes, the idea is to block access to those URLs only for specific LAN hosts.
Regarding my previous answer:
So I have to "translate" the policy as follows:
1. class urls
if any of url ==> MATCH
2. class online_movies
if any of urls AND IP1=192.168.40.5 AND IP2=192.168.40.203
or
if any of urls AND IP1=192.168.40.5 OR IP2=192.168.40.203
02-28-2012 03:54 AM
Hi Florin,
Can you please post the results of "sh policy-map interface fa0/0" here so that we can take a look?
Rgds, Kishore
02-28-2012 04:02 AM
Hi,
this one:
if any of urls AND (IP1=192.168.40.5 OR IP2=192.168.40.203)
Regards.
Alain.
02-28-2012 04:17 AM
Core_R1#sh policy-map interface fa0/0
FastEthernet0/0
Service-policy output: DROP_ONLINE_MOVIES
Class-map: ONLINE_MOVIES (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: class-map match-any URLS
Match: protocol http host "www.moviesonline.ca"
144 packets, 13264 bytes
5 minute rate 0 bps
Match: protocol http host "www.bestmovies.cc"
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group 190
drop
And the full config of fa0/0:
interface FastEthernet0/0
description _WAN_INTERFACE_
mac-address _MAC_
ip address _IP_
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
service-policy output DROP_ONLINE_MOVIES
02-28-2012 04:09 AM
Paste the following outputs:
show policy-map int f0/0
show run int f0/0
show ip int br | ex un
sh ver | in image
Let me know if there is any tunnel or VPN session going on the f0/0 interface, as it will hide your original IP header info.
Let me know the physical layout from host to router .
02-28-2012 04:24 AM
I do have an OPENVPN server running behind the router on host 192.168.40.222
Core_R1#sh ver | in image
System image file is "flash:c2600-advipservicesk9-mz.124-25d.bin"
Core_R1#show run int f0/0
Building configuration...
Current configuration : 304 bytes
!
interface FastEthernet0/0
description _WAN_INTERFACE_
mac-address ____
ip address _____
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
service-policy output DROP_ONLINE_MOVIES
end
Core_R1#show ip int br | ex un
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 _IP_ YES NVRAM up up
FastEthernet0/1 _LAN_IP_ YES NVRAM up up
NETWORK LAYOUT:
HOSTS-->Cisco 2950-->CISCO 2651XM
02-28-2012 05:35 AM
Hi,
Can you try applying this policy inbound on the NAT inside interface?
Regards.
Alain
02-28-2012 06:09 AM
interface FastEthernet0/1
description _LAN_INTERFACE_
service-policy input DROP_ONLINE_MOVIES
end
Damn, it's working now.
02-28-2012 07:09 AM
Hi,
cool
Don't forget to rate helpful posts and mark the thread as solved.
Regards.
Alain.
05-31-2012 09:02 AM
Hello, I have this problem, I want to block some URLs.
This is my config, it is only an example:
class-map match-any URL
match protocol http host "www.taringa.net"
match access-group 190
!
!
policy-map DROP_TARINGA
class URL
drop
interface FastEthernet0/0
ip address x.x.x.x 255.255.255.248
ip accounting output-packets
ip accounting precedence output
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside0_map
service-policy output DROP_TARINGA
This config blocks all LAN IPs, it's WORKING, but I want to allow some IPs without blocking these URLs...
For example I want to permit the IPs 184.1.150.100 - 110 to this URL, but block all the rest of the subnet.
This is my access-list:
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 200.36.125.129
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 184.1.2.0 255.255.255.0 200.36.125.129
!
ip access-list extended testcrypto
permit ip 184.1.150.0 0.0.0.255 128.1.0.0 0.0.255.255
permit ip 184.1.150.0 0.0.0.255 130.1.0.0 0.0.255.255
permit ip 184.1.150.0 0.0.0.255 184.1.1.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 184.1.2.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 184.1.3.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 192.168.160.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 192.168.63.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 184.1.5.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 192.168.165.0 0.0.0.255
permit ip 184.1.150.0 0.0.0.255 192.168.142.0 0.0.0.255
!
logging esm config
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 184.1.150.200
access-list 100 deny ip any host 184.1.150.201
access-list 100 deny ip any host 184.1.150.202
access-list 100 deny ip any host 184.1.150.203
access-list 100 deny ip any host 184.1.150.204
access-list 100 deny ip any host 184.1.150.205
access-list 100 deny ip any host 184.1.150.206
access-list 100 deny ip any host 184.1.150.207
access-list 100 deny ip any host 184.1.150.208
access-list 100 deny ip any host 184.1.150.209
access-list 100 deny ip any host 184.1.150.210
access-list 100 permit ip 10.1.10.0 0.0.0.3 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 189 deny ip 184.1.150.0 0.0.0.255 184.1.1.0 0.0.0.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 130.1.0.0 0.0.255.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 184.1.2.0 0.0.0.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 184.1.3.0 0.0.0.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 184.1.4.0 0.0.0.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 192.168.63.0 0.0.0.255
access-list 189 deny ip 184.1.150.0 0.0.0.255 192.168.142.0 0.0.0.255
access-list 189 permit ip any any
access-list 190 deny tcp host 184.1.150.110 any eq www
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100 189
!
________________________________________________________
LAN interface
interface BVI1
ip address 184.1.150.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
________________________________________________________
WAN interface
interface FastEthernet0/0
ip address x.x.x.x 255.255.255.248
ip accounting output-packets
ip accounting precedence output
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside0_map
service-policy output DROP_TARINGA
Someone, people, help me please.
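The second question above is left unanswered in the thread, so here is an added example (the editor's, not configuration posted by anyone in the thread) that applies the pattern the first thread arrived at: exempt 184.1.150.100-110 and block the rest of 184.1.150.0/24. Two things in the posted config work against that goal. First, "match access-group" only matches packets that a permit entry of the ACL matches; an ACL consisting of nothing but deny entries (like the posted ACL 190) matches no packet at all, and because class-map URL is match-any the URL match alone is enough to drop everyone. Second, the policy is applied outbound on the NAT outside interface, where the source address has already been translated to the Fa0/0 address by the overload NAT, so an ACL written for inside addresses can never match there; this is exactly what the first thread's counters showed (URL matches climbing while the match-all class stayed at 0). The class-map names URL_LIST and BLOCK_TARINGA, the wildcard split of .100-.110, and NBAR support for a service-policy on BVI1 are assumptions of this example; the site, policy name, ACL number and interface names are the poster's.

```cisco
! Added example, not from the thread. Block www.taringa.net for 184.1.150.0/24
! except hosts 184.1.150.100-110, using the nested class-map pattern
! (match-any URL list inside a match-all class) from the first thread.
!
! Step 1: the ACL selects WHICH sources are subject to the block.
! Only a permit entry produces a match for "match access-group"; deny
! entries and the implicit deny at the end mean "no match". So the exempt
! hosts are denied here (never classified), everyone else is permitted.
no access-list 190
access-list 190 remark exempt 184.1.150.100-110 from the URL block
access-list 190 deny   tcp 184.1.150.100 0.0.0.3 any eq www
access-list 190 deny   tcp 184.1.150.104 0.0.0.3 any eq www
access-list 190 deny   tcp 184.1.150.108 0.0.0.1 any eq www
access-list 190 deny   tcp host 184.1.150.110 any eq www
access-list 190 remark the rest of the LAN is subject to the block
access-list 190 permit tcp 184.1.150.0 0.0.0.255 any eq www
!
! Step 2: the URL list on its own, match-any (site1 OR site2 OR ...)
class-map match-any URL_LIST
 match protocol http host "www.taringa.net"
!
! Step 3: match-all = (any URL in the list) AND (source permitted by ACL 190)
class-map match-all BLOCK_TARINGA
 match class-map URL_LIST
 match access-group 190
!
policy-map DROP_TARINGA
 class BLOCK_TARINGA
  drop
!
! Step 4: apply INBOUND on the NAT inside interface, not outbound on the NAT
! outside interface. Outbound on Fa0/0 the source has already been translated
! by "ip nat inside source ... overload", so ACL 190 would never match.
! Assumption: this platform supports NBAR classification on the BVI.
interface FastEthernet0/0
 no service-policy output DROP_TARINGA
!
interface BVI1
 service-policy input DROP_TARINGA
!
! Check: show policy-map interface BVI1
```

After applying it, "show policy-map interface BVI1" should show the BLOCK_TARINGA class counting packets only when a non-exempt host browses the site; an exempt host increments the URL_LIST match counters but leaves the match-all class at 0, which is the same counter pattern the first thread saw, here for the intended reason.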