Router Cisco 2801 Whitelist

petrutz_21
Level 1

Hi,

I have a Router 2801

What config should I make to allow access for specific hosts from the LAN to just a few websites?

!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp excluded-address 192.168.1.192 192.168.1.254
!
ip dhcp pool xxx
   network 192.168.1.0 255.255.255.0
   domain-name xxx.com
   default-router 192.168.1.1
   dns-server 193.226.128.1 193.226.128.129
   lease 20
!
!
ip domain name xxx.com
ip name-server 95.77.94.77
ip name-server 213.154.124.1
ip name-server 193.231.252.1
ip name-server 78.96.7.7
!
interface FastEthernet0/0
 description isp1
 ip address xxx.xxx.xxx.118 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description isp2
 ip address xxx.xxx.xxx.206 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
 description xxx
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 rate-limit output access-group 101 8000000 3000000 7000000 conform-action transmit exceed-action drop
 rate-limit output access-group 102 8000000 3000000 7000000 conform-action transmit exceed-action drop
!
ip route 0.0.0.0 0.0.0.0 isp1
ip route 0.0.0.0 0.0.0.0 isp2 10
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.222 80 interface FastEthernet0/0 8080
ip nat inside source route-map isp2 interface FastEthernet0/1 overload
ip nat inside source route-map isp1 interface FastEthernet0/0 overload
!
ip access-list extended BLOCK_PORTS
 deny   tcp any eq smtp any
 permit ip any any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any eq www 192.168.1.64 0.0.0.63
access-list 102 permit tcp any eq www 192.168.1.128 0.0.0.63
route-map isp2 permit 10
 match ip address 100
 match interface FastEthernet0/1
!
route-map isp1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!

The IOS is:

Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(16b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 20-Dec-07 03:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

System returned to ROM by power-on
System image file is "flash:c2801-ipbase-mz.124-16b.bin"

Cisco 2801 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FCZ123212X3
6 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

I know that I should try with an ACL, but what if the website's IP is changing?

Thanks.

Regards,

Petru


stephen.stack
Level 4

Try something like this. It only allows the internal hosts listed access to the white-listed public IPs, but allows all other hosts access to everything else. Maybe a bit overcomplicated for your requirement, but it's a starting point.

Internal hosts with white-list-only internet access:

192.168.1.20
192.168.1.21

White-listed external website IPs:

1.1.1.1
2.2.2.2
3.3.3.3

ip access-list extended www-white-list
 remark 192.168.1.20 with wildcard 0.0.0.1 covers exactly .20 and .21 (0.0.0.3 would also include .22 and .23)
 permit tcp 192.168.1.20 0.0.0.1 host 1.1.1.1 eq 80
 permit tcp 192.168.1.20 0.0.0.1 host 1.1.1.1 eq 443
 permit tcp 192.168.1.20 0.0.0.1 host 2.2.2.2 eq 80
 permit tcp 192.168.1.20 0.0.0.1 host 2.2.2.2 eq 443
 permit tcp 192.168.1.20 0.0.0.1 host 3.3.3.3 eq 80
 permit tcp 192.168.1.20 0.0.0.1 host 3.3.3.3 eq 443
 remark all other TCP from the restricted hosts is dropped; UDP (e.g. DNS) still passes via the final permit
 deny tcp 192.168.1.20 0.0.0.1 any
 permit ip any any
!
interface Vlan1
 ip access-group www-white-list in

Regards

Stephen

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!


cadet alain
VIP Alumni

Hi,

If these are HTTP, then you can use NBAR + MQC to achieve your goal.

I suppose 192.168.1.1 and 192.168.1.10 can only go to www.xxx.org and www.xxx.com, and all others can go everywhere.

This should be working:

class-map match-any AUTHORIZED_URLS
 description match on the HTTP Host header; the url keyword only matches the path after the host
 match protocol http host *.xxx.org
 match protocol http host *.xxx.com
!
ip access-list extended RESTRICTED_USERS
 permit tcp host 192.168.1.1 any eq www
 permit tcp host 192.168.1.10 any eq www
!
class-map match-all USER_URLS
 match access-group name RESTRICTED_USERS
 match not class-map AUTHORIZED_URLS
!
policy-map URL_POLICY
 class USER_URLS
  drop
!
interface Vlan1
 service-policy input URL_POLICY

Regards.

Alain

Don't forget to rate helpful posts.
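The following is a constructed model, added here and not code from the thread, from Stephen, from Alain or from Cisco. It replays both suggested configurations against sample LAN flows: Stephen's www-white-list with IOS first-match and wildcard-mask semantics, and the class-map logic of Alain's NBAR/MQC policy (match-any, match-all, match not). Addresses and site names are the thread's placeholders (192.168.1.x, 1.1.1.1, *.xxx.org); the Flow type and the sample flows are constructed for the example. It shows two things a reader cannot see from the configs alone: a wildcard of 0.0.0.3 on 192.168.1.20 covers .20 through .23 rather than the two listed hosts, and because RESTRICTED_USERS matches only eq www, HTTPS from the restricted hosts never enters USER_URLS and is therefore not dropped.

```python
"""Model of how the two suggested configurations treat sample LAN flows.

Constructed example: reproduces IOS extended-ACL evaluation (first match
wins, wildcard masks, implicit deny) and the NBAR/MQC class-map logic of
the second reply, so both approaches can be compared on the same flows.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0
    host: str = ""    # HTTP Host header seen by NBAR; "" when not clear-text HTTP


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must equal the base, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# An ACE is (action, proto, src, src_wc, dst, dst_wc, dport-or-None).
ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str):
    """Equivalent of the IOS 'host a.b.c.d' keyword."""
    return (ip, "0.0.0.0")


def ace_matches(ace, flow: Flow) -> bool:
    action, proto, src, swc, dst, dwc, dport = ace
    if proto != "ip" and proto != flow.proto:
        return False
    if not wildcard_match(flow.src, src, swc):
        return False
    if not wildcard_match(flow.dst, dst, dwc):
        return False
    return dport is None or dport == flow.dport


def acl_decision(acl, flow: Flow) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"


def www_white_list(src_wildcard: str):
    """Stephen's www-white-list, parameterised on the source wildcard."""
    acl = []
    for site in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        for port in (80, 443):
            acl.append(("permit", "tcp", "192.168.1.20", src_wildcard,
                        *host(site), port))
    acl.append(("deny", "tcp", "192.168.1.20", src_wildcard, *ANY, None))
    acl.append(("permit", "ip", *ANY, *ANY, None))
    return acl


def restricted_sources(src_wildcard: str) -> set:
    """Which 192.168.1.x hosts a '192.168.1.20 <wildcard>' entry really covers."""
    return {f"192.168.1.{i}" for i in range(256)
            if wildcard_match(f"192.168.1.{i}", "192.168.1.20", src_wildcard)}


# ---- model of the NBAR / MQC reply ----------------------------------------
AUTHORIZED_URLS = ("*.xxx.org", "*.xxx.com")           # class-map match-any
RESTRICTED_USERS = [                                    # ip access-list extended
    ("permit", "tcp", *host("192.168.1.1"), *ANY, 80),
    ("permit", "tcp", *host("192.168.1.10"), *ANY, 80),
]


def url_policy(flow: Flow) -> str:
    """class-map match-all USER_URLS: in RESTRICTED_USERS AND NOT authorised."""
    in_restricted = acl_decision(RESTRICTED_USERS, flow) == "permit"
    authorised = any(fnmatch(flow.host, pat) for pat in AUTHORIZED_URLS)
    return "drop" if in_restricted and not authorised else "transmit"


if __name__ == "__main__":
    stray = Flow("192.168.1.22", "8.8.8.8", "tcp", 80)   # constructed, not in the list
    print("wildcard 0.0.0.3:", acl_decision(www_white_list("0.0.0.3"), stray))
    print("wildcard 0.0.0.1:", acl_decision(www_white_list("0.0.0.1"), stray))
    print("restricted host over HTTPS:",
          url_policy(Flow("192.168.1.1", "5.5.5.5", "tcp", 443)))
```

Run it with `python3` to see the two decisions side by side. The model treats a flow on port 443 as having no Host header, which is what the real policy sees too: NBAR can only read the Host field of clear-text HTTP, so the MQC approach only restricts port 80 unless the ACL and classes are extended.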