Solved: block certain websites from the router

samirshaikh52 · ‎09-17-2011

Dear Experts,

We had an adsl cisco 857 router. I want to block certain website from the router for our internt users. How can i accomplish this ?

Attached is my running config.

Thanks for your help.

Samir

darren.g · ‎09-19-2011

samirshaikh52 wrote:

Dear Experts,

We had an adsl cisco 857 router. I want to block certain website from the router for our internt users. How can i accomplish this ?

Attached is my running config.

Thanks for your help.

Samir

This is not really a function you want your router doing - you'd normally use some form of proxy or web filter device to do this - but you could do it by writing an IP access list and applying it on your outbound traffic - something like this

access-list 150 deny tcp 192.168.16.0 255.255.255.0 68.175.23.124 255.255.255.255 eq www

access-list 150 permit ip any any

Then apply it to your dialer interface like this

interface dialer1

ip access-group 150 out

Trouble with this is you need to nslookup every web site you want to block to get its IP address, add a line to the access-list for every site you want to block, optionally add a line for *other* protocols (the line above will only stop WWW traffic, or traffic on port 80) and continually maintain the list - and if you put in a lot of entries you will add a fair overhead to the router in packet processing (access lists take CPU since every packet has to be matched against every line).

It'll work if you only have two or three sites you want to block, but if you have a lot of sites (100+), I'd seriously recommend trying to find some form of proxy/web filter (Squid and squidguard will work) to put between your router and your clients to do this filtering.

Cheers.

View solution in original post

samirshaikh52 · ‎09-17-2011

Any help would be highly appreciated.

darren.g · ‎09-19-2011

samirshaikh52 wrote:

Dear Experts,

We had an adsl cisco 857 router. I want to block certain website from the router for our internt users. How can i accomplish this ?

Attached is my running config.

Thanks for your help.

Samir

This is not really a function you want your router doing - you'd normally use some form of proxy or web filter device to do this - but you could do it by writing an IP access list and applying it on your outbound traffic - something like this

access-list 150 deny tcp 192.168.16.0 255.255.255.0 68.175.23.124 255.255.255.255 eq www

access-list 150 permit ip any any

Then apply it to your dialer interface like this

interface dialer1

ip access-group 150 out

Trouble with this is you need to nslookup every web site you want to block to get its IP address, add a line to the access-list for every site you want to block, optionally add a line for *other* protocols (the line above will only stop WWW traffic, or traffic on port 80) and continually maintain the list - and if you put in a lot of entries you will add a fair overhead to the router in packet processing (access lists take CPU since every packet has to be matched against every line).

It'll work if you only have two or three sites you want to block, but if you have a lot of sites (100+), I'd seriously recommend trying to find some form of proxy/web filter (Squid and squidguard will work) to put between your router and your clients to do this filtering.

Cheers.

samirshaikh52 · ‎09-20-2011

Hi darren,

Thanks for your response. It really works. I've planned to block 10 sites.

Much appreciated.

Regard's

Samir.

darren.g · ‎09-20-2011

samirshaikh52 wrote:

Hi darren,

Thanks for your response. It really works. I've planned to block 10 sites.

Much appreciated.

Regard's

Samir.

You're welcome. Glad I could help.

Cheers.

richard.jackson · ‎11-14-2011

There may also be another option with zone base firewall where you can look for regex in URls as this can be complicated I would suggest you use the Cisco config professional tool.

Sent from Cisco Technical Support iPad App