Preshank Saxena
Cisco Employee

This article explains a simple setup that can be used for URL filtering on Cisco routers running particular IOS versions. Since it is a manual setup, the customer needs to keep in mind that the website entries must be updated by hand, and the entire setup works on regex matching parameters. We'll be using the topology shown below for the setup:

Here, I'll be configuring URL filtering based on a local list, blocking facebook.com and youtube.com for the client behind the router. The entire process is broken into two parts:

1. Configuring ZBF on the router:

++Defining zones on the router:

zone security inside
zone security outside

++Defining interesting traffic on the router:

class-map type inspect match-any HTTPTRAFFIC
match protocol http

class-map type inspect match-any InternalTraffic
match protocol dns
match protocol icmp
match protocol smtp
match protocol ftp
match protocol pop3
match protocol imap
match protocol imap3

++Defining policy-map to specify the action for interesting traffic :

policy-map type inspect IN_2_OUT
 class type inspect HTTPTRAFFIC
  inspect
 class type inspect InternalTraffic
  inspect

++Defining the zone-pair and assigning interfaces to zones:

zone-pair security IN_2_OUT source inside destination outside
 service-policy type inspect IN_2_OUT

interface FastEthernet0/0
 zone-member security inside

interface FastEthernet0/1
 zone-member security outside

2. Configuring URL filtering:

++Defining glob patterns to match against the request header (the Host/server-domain):

parameter-map type urlf-glob Facebook
pattern facebook.com
pattern *.facebook.com
pattern *.fb.com

parameter-map type urlf-glob Youtube
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob InternetAllowed
pattern *

class-map type urlfilter match-any VideoSites
 match server-domain urlf-glob Youtube

class-map type urlfilter match-any SocialNetwork
 match server-domain urlf-glob Facebook

class-map type urlfilter match-any InternetAllowed
 match server-domain urlf-glob InternetAllowed

++Applying the user-specified action to the matching layer 7 traffic:

policy-map type inspect urlfilter URLFILTER
 class type urlfilter SocialNetwork
  reset
  log
 class type urlfilter VideoSites
  reset
  log
 class type urlfilter InternetAllowed
  allow
  log

++Applying layer 7 inspection to the HTTP traffic:

policy-map type inspect IN_2_OUT
 class type inspect HTTPTRAFFIC
  inspect
  service-policy urlfilter URLFILTER

Now, if the client tries to access www.facebook.com or www.youtube.com, the request is automatically reset and the user gets the prompt shown below.

[Image: Blocked.jpg, the prompt shown to the client when the request is reset]
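To make the matching behaviour of the configuration above tangible, here is an added Python model (not part of the original article and not IOS code) that evaluates constructed Host headers against the three urlf-glob classes in the order they appear under the URLFILTER policy-map. It assumes simple fnmatch-style glob semantics and first-match-wins class evaluation, and its log format is constructed; it also exposes a gap worth checking in the list above, namely that "*.fb.com" does not cover the bare host "fb.com".

```python
from fnmatch import fnmatchcase

# Ordered policy copied from the article: (class name, urlf-glob patterns, action).
# First matching class wins; this mirrors the order of the class statements under
# "policy-map type inspect urlfilter URLFILTER" (assumed IOS behaviour).
URLFILTER_POLICY = [
    ("SocialNetwork", ["facebook.com", "*.facebook.com", "*.fb.com"], "reset"),
    ("VideoSites", ["youtube.com", "*.youtube.com"], "reset"),
    ("InternetAllowed", ["*"], "allow"),
]


def domain_matches(host, patterns):
    """Case-insensitive glob match of the Host header against urlf-glob patterns.

    Note that a bare pattern such as "facebook.com" does not match "www.facebook.com",
    which is why the article lists both "facebook.com" and "*.facebook.com".
    """
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def classify(host):
    """Return (class name, action) for the first class whose patterns match host."""
    for name, patterns, action in URLFILTER_POLICY:
        if domain_matches(host, patterns):
            return name, action
    return None, "allow"  # not reached here because "*" catches everything


def evaluate(http_requests):
    """Evaluate (client, host) pairs and return one decision dict per request,
    including a constructed log line (not the real IOS log format)."""
    results = []
    for src, host in http_requests:
        cls, action = classify(host)
        results.append({"src": src, "host": host, "class": cls, "action": action,
                        "log": f"URLF {action.upper()} host={host} src={src} class={cls}"})
    return results


# Constructed sample requests (client IP, Host header); 10.0.0.5 is a placeholder client.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "www.facebook.com"),   # matched by *.facebook.com -> reset
    ("10.0.0.5", "facebook.com"),       # matched by the bare pattern -> reset
    ("10.0.0.5", "m.youtube.com"),      # matched by *.youtube.com -> reset
    ("10.0.0.5", "fb.com"),             # NOT matched by *.fb.com -> allowed (gap in the list)
    ("10.0.0.5", "example.com"),        # falls through to InternetAllowed
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE_REQUESTS):
        print(decision["log"])
```

Adding a bare "fb.com" pattern to the Facebook parameter-map closes the gap the model shows.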


The setup described above is suited only to a small deployment and requires manual updating, so it needs a cautious approach before it is suggested to a customer. However, it is always helpful for customers who do not want to opt for Trend Micro filtering and are happy to try local IOS filtering.

Command reference:

parameter-map type urlf-glob was introduced in 12.4(15)XZ and integrated in 12.4(20)T.

parameter-map type urlfilter was introduced in 12.4(6)T and removed in 12.4(15)XZ; it is hidden in some versions, and parameter-map type urlfpolicy can also be used.
