
How to allow users access to some websites

ekpesinyang
Level 1

I have a client with a request that he wants some websites to be viewable on his network.

Currently all access to www has been blocked with the access list below:

 

!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 105.141.22.21
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit ip any host 105.141.28.243
access-list 102 permit ip any host 105.141.22.21
access-list 102 permit ip any host 188.125.80.144
access-list 102 permit ip any host 216.58.213.101
access-list 102 permit ip any host 8.8.8.8
access-list 102 permit ip any host 83.143.8.249
access-list 102 permit ip any host 83.143.8.220
!

 

Websites like:

 

yahoo

gmail

gtbank

 

and many other sites should be allowed.

Please advise me on the configuration.

 

Thank You. 

5 Replies

Hello 

Require further information

acl 101 is for nat translations 

acl 102 is for ????? Where is this applied 

 

What is prohibiting url access  - acl - Fw ?

 

res

paul



Kind Regards
Paul

Hello,

 

URL filtering is usually configured to BLOCK access to certain websites. I am not sure if the below works. It is usually the other way round, you drop the class that matches the URL you want to block, and everything else goes through. I don't know if it works the other way round, to drop the default class. Give it a try:

 

class-map match-any URL_ALLOW_CLASS
 match protocol http host "gmail.com"
 match protocol http host "gtbank.com"
 match protocol http host "yahoo.com"
!
policy-map URL_ALLOW_POLICY
 class URL_ALLOW_CLASS
 class class-default
  drop
!
interface FastEthernet0/0
 description LAN Interface
 service-policy input URL_ALLOW_POLICY

Hello George, 

 

I have tried your suggestions and it's not working. All sites are still browsing. I noticed that when I type and apply the drop command it will show

"Router(config-pmap-c)#drop
Drop cannot be configured in class-default" 

.......

 

My config details are found below: 

 

Router#sh run
Building configuration...

Current configuration : 1188 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool cisco
network 192.168.100.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.100.1
lease 0 0 1
!
!
!
!
!
class-map match-any URL_ALLOW_CLASS
!
!
policy-map URL_ALLOW_POLICY
class URL_ALLOW_CLASS
class class-default
!
!
!
interface FastEthernet0/0
ip address 192.168.0.3 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.100.1 255.255.255.0
ip nat inside
duplex auto
speed auto
service-policy input URL_ALLOW_POLICY
!
interface Serial0/0/0
no ip address
shutdown
clockrate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
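
A small check for the two gaps this thread turns on, as an added example that is not part of any poster's message: an access list that is defined but never applied (the question asked about ACL 102) and a class-map with no match statements (as in the running configuration above). The `audit` function and the sample input are assumptions made for illustration; it handles numbered ACLs only and recognises just three ways of referencing one.

```python
import re

# Constructed input: trimmed from the running configuration posted above,
# plus one entry of ACL 102 from the original question.
SAMPLE_CONFIG = """\
class-map match-any URL_ALLOW_CLASS
!
policy-map URL_ALLOW_POLICY
class URL_ALLOW_CLASS
class class-default
!
interface FastEthernet0/1
ip nat inside
service-policy input URL_ALLOW_POLICY
!
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit ip any host 8.8.8.8
"""

# Assumption: only these three ways of referencing a numbered ACL are checked.
ACL_REFERENCE = re.compile(r"(?:ip access-group|source list|match access-group) (\d+)")

def audit(config):
    """Return sorted findings for ACLs and class-maps that have no effect."""
    defined_acls, used_acls = set(), set()
    class_matches = {}     # class-map name -> number of match statements
    current_class = None   # class-map block being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\d+) ", line):
            defined_acls.add(m.group(1))
        used_acls.update(ACL_REFERENCE.findall(line))
        if m := re.match(r"class-map (?:match-\w+ )?(\S+)", line):
            current_class = m.group(1)
            class_matches[current_class] = 0
        elif line.startswith("match ") and current_class:
            class_matches[current_class] += 1
        elif not line.startswith(("match ", "description ")):
            current_class = None   # any other line closes the class-map block
    findings = [f"ACL {n} is defined but not applied anywhere"
                for n in defined_acls - used_acls]
    findings += [f"class-map {name} has no match statements"
                 for name, count in class_matches.items() if count == 0]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
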

 

 

A router is not a good platform for doing URL filtering. If the client really wants to selectively permit only certain web sites then the client should purchase a platform designed for URL filtering, like an ASA with FirePower.

 

HTH

 

Rick


Zain Khan
Level 1

Hi,

 

There are two things which you have to be clear about when you apply an ACL.

1. The interface and the device on which you are applying it

2. In/Out

My suggestion: if you want to allow well-known websites like Yahoo, Google and Facebook, instead of permitting them, deny those that you want to block. Also share the topology in order to understand your gateway.

Because well-known websites use so many IPs, if you permit them the user will be able to access some more websites through Facebook and Yahoo.


Zain Khan
https://www.linkedin.com/in/forzain/