09-17-2011 03:20 AM - edited 03-07-2019 02:17 AM
Dear Experts,
We had an ADSL Cisco 857 router. I want to block certain websites from the router for our internet users. How can I accomplish this?
Attached is my running config.
Thanks for your help.
Samir
09-19-2011 02:20 PM
samirshaikh52 wrote:
Dear Experts,
We had an ADSL Cisco 857 router. I want to block certain websites from the router for our internet users. How can I accomplish this?
Attached is my running config.
Thanks for your help.
Samir
This is not really a function you want your router doing - you'd normally use some form of proxy or web filter device to do this - but you could do it by writing an IP access list and applying it on your outbound traffic - something like this
! IOS ACLs take wildcard (inverse) masks: 0.0.0.255 matches the /24, "host" matches a single address
access-list 150 deny tcp 192.168.16.0 0.0.0.255 host 68.175.23.124 eq www
access-list 150 permit ip any any
Then apply it to your dialer interface like this
interface dialer1
 ip access-group 150 out
Trouble with this is you need to nslookup every web site you want to block to get its IP address, add a line to the access-list for every site you want to block, optionally add a line for *other* protocols (the line above will only stop WWW traffic, or traffic on port 80) and continually maintain the list - and if you put in a lot of entries you will add a fair overhead to the router in packet processing (access lists take CPU since every packet has to be matched against every line).
It'll work if you only have two or three sites you want to block, but if you have a lot of sites (100+), I'd seriously recommend trying to find some form of proxy/web filter (Squid and squidguard will work) to put between your router and your clients to do this filtering.
Cheers.
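Added example, not from the original thread: the per-site lookup and ACL-line bookkeeping described in the answer above, automated in Python with ports 80 and 443 covered. The function names, the sample hostnames and their documentation-range addresses are constructed for illustration, and it assumes the ACL is applied where the 192.168.16.0/24 source addresses are still visible (before any NAT).

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Return the sorted, de-duplicated IPv4 addresses a name resolves to (live DNS)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)


def build_acl(acl_number, lan_cidr, hostnames, ports=("www", "443"), resolver=resolve_ipv4):
    """Build IOS extended ACL lines denying the LAN access to each site's addresses."""
    lan = ipaddress.ip_network(lan_cidr)
    # IOS ACLs take a wildcard (inverse) mask, which is the network's hostmask.
    source = f"{lan.network_address} {lan.hostmask}"
    lines, seen = [], set()
    for name in hostnames:
        lines.append(f"access-list {acl_number} remark block {name}")
        for addr in resolver(name):
            if addr in seen:  # two sites on the same address need only one entry
                continue
            seen.add(addr)
            for port in ports:
                lines.append(
                    f"access-list {acl_number} deny tcp {source} host {addr} eq {port}"
                )
    # Without a final permit, the ACL's implicit deny would drop all other traffic.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


# Constructed sample data: hypothetical names mapped to documentation-range addresses.
SAMPLE_DNS = {
    "blocked-one.example": ["203.0.113.10", "203.0.113.11"],
    "blocked-two.example": ["198.51.100.7", "203.0.113.10"],
}

if __name__ == "__main__":
    # The offline resolver is the sample table; omit resolver= to query real DNS.
    for line in build_acl(150, "192.168.16.0/24", SAMPLE_DNS, resolver=SAMPLE_DNS.__getitem__):
        print(line)
```

The generated list only matches the addresses present at generation time, so it has to be regenerated and compared whenever a site's DNS records change.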
09-17-2011 12:51 PM
Any help would be highly appreciated.
09-20-2011 12:48 AM
Hi Darren,
Thanks for your response. It really works. I've planned to block 10 sites.
Much appreciated.
Regards,
Samir.
09-20-2011 03:49 PM
samirshaikh52 wrote:
Hi Darren,
Thanks for your response. It really works. I've planned to block 10 sites.
Much appreciated.
Regards,
Samir.
You're welcome. Glad I could help.
Cheers.
11-14-2011 02:11 PM
There may also be another option with zone-based firewall, where you can look for regex in URLs. As this can be complicated, I would suggest you use the Cisco Config Professional tool.