01-31-2012 12:33 AM - edited 03-07-2019 04:39 AM
Hi all,
I wish to block some URLs that users have access to through my LAN.
That is, I wish to block ICMP and access towards such sites; I wish to block ICMP because DNS will resolve the domain and they can access it through the IP address.
What I have in place is a Cisco 2800 series router.
Can someone help me out?
Thanks
01-31-2012 01:09 AM
Hi Divine,
If you have VLANs in your LAN then you can define an access-list like below and apply it under the specific VLAN.
First you need to get the websites' IPs, then use those in access-lists.
ip access-list extended urlblock
 deny icmp any host website-ip
 permit ip any any
Likewise you can put the number of website IPs in the same order. Now apply the access-list to the specific VLAN interface.
int vlan 10
ip address 192.168.1.10 255.255.255.0
ip access-group urlblock in
Hope the above is clear and understandable. Please let us know if you still have any doubts.
Please rate all the helpful posts.
Regards,
Naidu.
01-31-2012 01:20 AM
Hi,
Yes, correct, but I have a problem assembling all these sites.
Can I have some help on this?
Thanks
01-31-2012 01:48 AM
***but I have a problem assembling all these sites***
Can you please elaborate?
What do you mean by assembling all these sites?
If you want to block some of the sites, you need to know those sites' addresses, like www.facebook.com, whose IP is 69.171.229.11. If you ping the website address you can find out the IP that belongs to that website, so you can write the access-list rule accordingly.
ip access-list extended urlblock
 deny icmp any host 69.171.229.11
 permit ip any any
Hope the above is clear and understandable. Please let us know if you still have any doubts.
Please rate all the helpful posts.
Regards,
Naidu.
01-31-2012 01:53 AM
Hi,
If you don't use pings to test connectivity outside your LAN, you can change the ACL statement Naidu wrote to block all ICMP:
access-list 100 deny icmp any any
access-list 100 permit ip any any
You can apply this ACL on the router's LAN interface.
Example:
interface Fa0/0
ip access-group 100 in
Also check this article:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_filter.html#wp1045692
Hope this helps
Eugen
PS. The other option is to use a proxy server and have all users in the LAN go through the proxy to the internet.
01-31-2012 03:04 AM
Hi,
I understand, but you see there are a lot of social network sites.
How can I assemble all, if not most, of them?
Thanks
01-31-2012 03:37 AM
Hi Divine,
If you don't know all the social network sites to which you want to block ICMP, then your options are:
1. You can start defining the access-list with known websites; later on you can add more if something is notified to you.
2. Try to know your LAN network ranges, like all your other business networks, so that we can allow ICMP to those networks and block the rest of the networks.
3. Block ICMP completely from the respective VLAN. It will block it for everyone. You can choose this option when you don't need to ping any other network (remember it will block only ICMP; the rest of the things will work as they are).
Hope the above is clear and understandable.
Please rate all the helpful posts.
Regards,
Naidu.
01-31-2012 03:38 AM
When you want to block multiple sites, use sequence numbers (in the same access list) so you can put multiple statements as suggested in the above post, and apply this ACL on the appropriate interfaces.
Of course, you have to know the IP address of each of the destinations to block access to those sites. I don't know if there is a better way of doing that without the IP address.
-Vijay
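As an added example, not code from any post in this thread: a small Python simulator of how IOS evaluates an extended ACL top-down (first match wins, implicit deny at the end), using the site IP quoted above, Vijay's sequence numbers, and Naidu's wildcard-mask form for your own network ranges. The ACL text and the sample flows are constructed; it shows that an entry denying only ICMP to a site's IP still leaves TCP to that IP permitted by the final "permit ip any any", so port-specific deny entries are needed if web access itself is to be blocked.

```python
import ipaddress

# Constructed ACL in IOS named-extended syntax: the site IP is the one quoted in the
# thread, sequence numbers allow adding sites later, final permit keeps other traffic.
ACL_TEXT = """
10 deny icmp any host 69.171.229.11
20 deny tcp any host 69.171.229.11 eq 80
30 deny tcp any host 69.171.229.11 eq 443
40 permit ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard = inverted netmask (0.0.0.255 -> /24); contiguous wildcards only.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard.bit_length()}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Parse ACEs 'SEQ ACTION PROTO SRC DST [eq PORT]' (numeric ports), sorted by SEQ."""
    entries = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((int(seq), action, proto, src, dst, port))
    return sorted(entries)

def evaluate(entries, proto, src, dst, dport=None):
    """First matching ACE wins, top-down; no match means the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, aproto, asrc, adst, aport in entries:
        if aproto not in ("ip", proto):
            continue
        if src_ip not in asrc or dst_ip not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action, seq
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "icmp", "192.168.1.10", "69.171.229.11"))  # ('deny', 10)
```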