
Creating Whitelist with MQC

petrutz_21
Level 1

Hi,

There is one client, 192.168.1.10, and I want this client to have web access only to www.xxx.org and www.xxx.com, while the other users have full web access.

I have made this:

class-map match-any AUTHORIZED_URLS
 match protocol http url "*.xxx.org"
 match protocol http url "*.xxx.com"
!
ip access-list extended RESTRICTED_USERS
 permit tcp host 192.168.1.10 any eq www
!
! match-all: the packet must hit the ACL AND must not be in AUTHORIZED_URLS
class-map match-all USER_URLS
 match access-group name RESTRICTED_USERS
 match not class-map AUTHORIZED_URLS
!
policy-map URL_POLICY
 class USER_URLS
  drop
!
interface Vlan1
 service-policy input URL_POLICY

The problem is that the client 192.168.1.10 doesn't have any web access.

Where is the problem?

Regards

7 Replies

Velimir Filipov
Level 1

Inside the class AUTHORIZED_URLS, try altering the syntax. I guess it's using regex:

match protocol http url ".*\.xxx.org"
or
match protocol http url ".*\.xxx.org.*"
or
match protocol http url ".*xxx.org"
or just
match protocol http url "xxx.org"

And maybe try matching host, not url: host stands for the portion of the URL that corresponds to the actual hostname of the website, and URI stands for the actual resource you're looking for on the particular website.

I have tried all of these:

match protocol http url ".*\.xxx.org"
match protocol http url ".*\.xxx.org.*"
match protocol http url ".*xxx.org"
match protocol http url "xxx.org"

and

match protocol http host ".*\.xxx.org"
match protocol http host ".*\.xxx.org.*"
match protocol http host ".*xxx.org"
match protocol http host "xxx.org"

but it is still not working. I don't have any web access on my host 192.168.1.10.

OK, let me make some tests and I will get back to you in 2 hours or so.

OK, sorry for the delay.

It seems it's not regex. It's just the way you did it, only that, as I supposed, you need to match host, not url.

So the right syntax would be:

match protocol http host "*.xxx.org"
match protocol http host "*.xxx.com"

It's probably also best to drop the "." as well, because the website could be opened without "www." in front, so "*xxx.org" and "*xxx.com" is the best thing you could go with.

Best regards.

class-map match-any AUTHORIZED_URLS
 match protocol http host "facebook.com"
!
class-map match-all USER_URLS
 match access-group name RESTRICTED_USERS
 match not class-map AUTHORIZED_URLS
!
policy-map URL_POLICY
 class USER_URLS
  drop
...
ip access-list extended RESTRICTED_USERS
 permit tcp host 192.168.1.56 any eq www
!
interface Vlan1
 service-policy input URL_POLICY

Still don't have any web access from 192.168.1.56. I'm trying to access www.facebook.com and it doesn't work.

Put * in front of facebook.com.

Nope!! Not working!!
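Why none of the pattern variants tried in this thread can work, as an added example that is not part of the original thread and is not Cisco code: `match protocol http host` and `match protocol http url` are NBAR sub-classifications that depend on payload, so a packet is only classified by host once NBAR has seen the HTTP request carrying the Host header. The client's SYN and the bare ACK of the three-way handshake therefore never match AUTHORIZED_URLS; the match-all class USER_URLS (ACL hit AND NOT authorized) matches them instead, and the input policy drops them, so no TCP connection is ever established, whether the requested host is whitelisted or not, and whichever wildcard is used. The documented MQC URL-blocking pattern (match the unwanted host or URL, then drop) does not have this problem, because packets that are not yet classified fall through to class-default and are forwarded. The Python model below runs a constructed client-side packet sequence through both policies; the packet sequence, the function names and the treatment of wildcards (only `*` and `?`, via fnmatch) are simplifying assumptions of this example.

```python
"""Per-packet model of the whitelist policy from the post.

Constructed example, not Cisco code and not from the original thread.
Assumptions (simplified from MQC/NBAR behaviour):
  * 'match access-group' is a stateless 5-tuple test on every packet;
  * 'match protocol http host' needs payload: NBAR can only match the
    host sub-class once the HTTP request carrying the Host header has
    been seen, so the SYN and the bare ACK of the handshake never match;
  * only the '*' and '?' NBAR wildcards are modelled (via fnmatch).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Tuple

RESTRICTED_HOST = "192.168.1.10"                # ip access-list RESTRICTED_USERS
AUTHORIZED_HOSTS = ["*.xxx.org", "*.xxx.com"]   # class-map AUTHORIZED_URLS


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: str                       # "SYN", "ACK" or "PSH-ACK"
    http_host: Optional[str] = None  # Host header; present only on the request packet


def acl_restricted_users(pkt: Packet) -> bool:
    """permit tcp host 192.168.1.10 any eq www"""
    return pkt.src == RESTRICTED_HOST and pkt.dst_port == 80


def nbar_http_host(pkt: Packet, patterns: List[str]) -> bool:
    """match protocol http host "<pattern>" for each pattern (match-any class).

    A packet that carries no HTTP request yet (handshake) is not classified
    as any host, so it never matches, whatever the pattern is.
    """
    if pkt.http_host is None:
        return False
    return any(fnmatchcase(pkt.http_host, p) for p in patterns)


def whitelist_policy(pkt: Packet) -> str:
    """policy-map URL_POLICY as posted:
    class USER_URLS (match-all) = RESTRICTED_USERS AND NOT AUTHORIZED_URLS -> drop."""
    if acl_restricted_users(pkt) and not nbar_http_host(pkt, AUTHORIZED_HOSTS):
        return "drop"
    return "forward"


def make_blacklist_policy(blocked: List[str]) -> Callable[[Packet], str]:
    """The inverse pattern (match the unwanted host, drop it), for comparison."""
    def policy(pkt: Packet) -> str:
        if acl_restricted_users(pkt) and nbar_http_host(pkt, blocked):
            return "drop"
        return "forward"
    return policy


def run_flow(policy: Callable[[Packet], str], src: str,
             host_header: str) -> List[Tuple[str, str]]:
    """Client-side packets of one HTTP connection, in order, run through the
    input policy on Vlan1. Stops at the first drop: a dropped handshake
    packet means the later packets are never sent at all."""
    flow = [
        Packet(src, 80, "SYN"),                             # 1st handshake packet
        Packet(src, 80, "ACK"),                             # 3rd handshake packet, no payload
        Packet(src, 80, "PSH-ACK", http_host=host_header),  # GET / with Host header
    ]
    verdicts = []
    for pkt in flow:
        verdict = policy(pkt)
        verdicts.append((pkt.flags, verdict))
        if verdict == "drop":
            break
    return verdicts


if __name__ == "__main__":
    # Whitelisted site from the restricted host: the SYN is dropped, so the
    # connection never reaches the point where a Host header exists.
    print("whitelist, www.xxx.org:", run_flow(whitelist_policy, RESTRICTED_HOST, "www.xxx.org"))
    # Any other client is untouched by USER_URLS (the ACL does not match).
    print("whitelist, other client:", run_flow(whitelist_policy, "192.168.1.20", "www.xxx.org"))
    # Blacklist: handshake passes, only the request to the blocked host is dropped.
    blk = make_blacklist_policy(["*facebook.com"])
    print("blacklist, www.facebook.com:", run_flow(blk, RESTRICTED_HOST, "www.facebook.com"))
    print("blacklist, www.xxx.org:", run_flow(blk, RESTRICTED_HOST, "www.xxx.org"))
```

The wildcard check in `nbar_http_host` also shows the point Velimir Filipov made about the leading dot: with the pattern "*.xxx.org" a request whose Host header is the bare "xxx.org" is not authorized, while "*xxx.org" covers both forms. Neither pattern changes the result of the whitelist policy, because the handshake is dropped before any Host header exists.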
