12-13-2012 02:20 AM - edited 03-04-2019 06:23 PM
Hi,
I have a 2801 router.
What config should I make to allow specific hosts from the LAN access to only a few websites?
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp excluded-address 192.168.1.192 192.168.1.254
!
ip dhcp pool xxx
network 192.168.1.0 255.255.255.0
domain-name xxx.com
default-router 192.168.1.1
dns-server 193.226.128.1 193.226.128.129
lease 20
!
!
ip domain name xxx.com
ip name-server 95.77.94.77
ip name-server 213.154.124.1
ip name-server 193.231.252.1
ip name-server 78.96.7.7
!
interface FastEthernet0/0
description isp1
ip address xxx.xxx.xxx.118 255.255.255.128
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description isp2
ip address xxx.xxx.xxx.206 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
description xxx
ip address 192.168.1.1 255.255.255.0
ip nat inside
rate-limit output access-group 101 8000000 3000000 7000000 conform-action transmit exceed-action drop
rate-limit output access-group 102 8000000 3000000 7000000 conform-action transmit exceed-action drop
!
ip route 0.0.0.0 0.0.0.0 isp1
ip route 0.0.0.0 0.0.0.0 isp2 10
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.222 80 interface FastEthernet0/0 8080
ip nat inside source route-map isp2 interface FastEthernet0/1 overload
ip nat inside source route-map isp1 interface FastEthernet0/0 overload
!
ip access-list extended BLOCK_PORTS
deny tcp any eq smtp any
permit ip any any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any eq www 192.168.1.64 0.0.0.63
access-list 102 permit tcp any eq www 192.168.1.128 0.0.0.63
route-map isp2 permit 10
match ip address 100
match interface FastEthernet0/1
!
route-map isp1 permit 10
match ip address 100
match interface FastEthernet0/0
!
The IOS is:
Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(16b), RELEASE SOFTWARE (fc3)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 20-Dec-07 03:43 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
System returned to ROM by power-on
System image file is "flash:c2801-ipbase-mz.124-16b.bin"
Cisco 2801 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FCZ123212X3
6 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
I know that I should try with an ACL, but what if the website's IP is changing?
Thanks.
Regards,
Petru
12-13-2012 03:51 AM
Try something like this. It only allows the internal hosts listed access to the whitelisted public IPs, but allows all other hosts access to everything else. Maybe a bit overcomplicated for your requirement, but it's a starting point.
Internal hosts (whitelisted internet access only)
192.168.1.20
192.168.1.21
Whitelisted external website IPs
1.1.1.1
2.2.2.2
3.3.3.3
ip access-list extended www-white-list
remark 0.0.0.1 covers exactly 192.168.1.20-21 (0.0.0.3 would also match .22 and .23)
permit tcp 192.168.1.20 0.0.0.1 host 1.1.1.1 eq 80
permit tcp 192.168.1.20 0.0.0.1 host 1.1.1.1 eq 443
permit tcp 192.168.1.20 0.0.0.1 host 2.2.2.2 eq 80
permit tcp 192.168.1.20 0.0.0.1 host 2.2.2.2 eq 443
permit tcp 192.168.1.20 0.0.0.1 host 3.3.3.3 eq 80
permit tcp 192.168.1.20 0.0.0.1 host 3.3.3.3 eq 443
remark only TCP is denied here, so DNS (UDP) from these hosts still falls through to the permit below
deny tcp 192.168.1.20 0.0.0.1 any
permit ip any any
!
interface Vlan1
ip access-group www-white-list in
Regards
Stephen
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
12-13-2012 04:09 AM
Hi,
If these are HTTP, then you can use NBAR + MQC to achieve your goal.
I suppose 192.168.1.1 and 192.168.1.10 can only go to www.xxx.org and www.xxx.com, and all others can go everywhere.
This should work:
class-map match-any AUTHORIZED_URLS
match protocol http host "*.xxx.org"
match protocol http host "*.xxx.com"
!
ip access-list extended RESTRICTED_USERS
permit tcp host 192.168.1.1 any eq www
permit tcp host 192.168.1.10 any eq www
!
class-map match-all USER_URLS
match access-group name RESTRICTED_USERS
match not class-map AUTHORIZED_URLS
!
policy-map URL_POLICY
class USER_URLS
drop
!
interface Vlan1
service-policy input URL_POLICY
Regards.
Alain
Don't forget to rate helpful posts.
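The NBAR approach answers the "what if the website's IP changes" worry by classifying on the HTTP request rather than the destination address, but it only works if the pattern is applied to the right field: `match protocol http host` compares against the Host header, while `match protocol http url` compares against the path after the hostname. The script below is an added example, not from the thread or from Cisco: it parses a few constructed HTTP requests, applies the class-map's glob patterns with `fnmatch` (an approximation of NBAR's matching) to either field, and reproduces the policy-map decision (restricted source AND NOT an authorized host means drop). The hosts and domain names are those assumed in the reply; `www.example.net` and the request bodies are constructed.

```python
"""
Added example (not from the original thread): simulate the USER_URLS class-map
decision for HTTP requests, matching either the Host header or the URL path.
"""
import fnmatch
from typing import Optional, Tuple

RESTRICTED_USERS = {"192.168.1.1", "192.168.1.10"}   # sources named in the reply's ACL
AUTHORIZED_HOSTS = ["*.xxx.org", "*.xxx.com"]         # patterns from the class-map


def parse_http_request(raw: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (method, url_path, host) from the request line and Host header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]   # drop any ":port" suffix
    return method, path, host


def nbar_url_match(pattern: str, path: str) -> bool:
    """'match protocol http url': the pattern is compared with the part after the hostname."""
    return fnmatch.fnmatchcase(path, pattern)


def nbar_host_match(pattern: str, host: Optional[str]) -> bool:
    """'match protocol http host': the pattern is compared with the Host header."""
    return host is not None and fnmatch.fnmatchcase(host, pattern.lower())


def classify(src_ip: str, raw_request: bytes, field: str = "host") -> str:
    """
    Reproduce the policy-map: class USER_URLS = RESTRICTED_USERS and not AUTHORIZED_URLS.
    'field' selects which HTTP sub-field the AUTHORIZED patterns are applied to.
    Returns "drop" or "transmit".
    """
    _method, path, host = parse_http_request(raw_request)
    if field == "host":
        authorized = any(nbar_host_match(p, host) for p in AUTHORIZED_HOSTS)
    elif field == "url":
        authorized = any(nbar_url_match(p, path) for p in AUTHORIZED_HOSTS)
    else:
        raise ValueError("field must be 'host' or 'url'")
    restricted = src_ip in RESTRICTED_USERS
    return "drop" if restricted and not authorized else "transmit"


# Constructed requests.
REQ_ALLOWED = b"GET /index.html HTTP/1.1\r\nHost: www.xxx.org\r\n\r\n"
REQ_OTHER = b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
REQ_PORT = b"GET / HTTP/1.1\r\nHost: www.xxx.com:8080\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
# A path that happens to end in the allowed domain, sent to an unrelated host.
REQ_FAKE_PATH = b"GET /login?next=www.xxx.org HTTP/1.1\r\nHost: www.example.net\r\n\r\n"


if __name__ == "__main__":
    for name, req in (("allowed", REQ_ALLOWED), ("other", REQ_OTHER), ("fake_path", REQ_FAKE_PATH)):
        print(name, "host:", classify("192.168.1.10", req, "host"), "url:", classify("192.168.1.10", req, "url"))
```

Matching on the Host header gives the intended result; matching on the URL drops every normal request from the restricted hosts (no path looks like `*.xxx.org`) and can be satisfied by a request whose path merely contains the allowed string. Note also that the reply's RESTRICTED_USERS ACL selects port 80 only, so HTTPS from those two hosts is never placed in USER_URLS by this policy.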