blocking facebook on cisco router

Addey Salameh
Level 1

Hi,

I have a Cisco C837, IOS version 12.4(15)T14.

I've applied an access-list on e0 that denies all the Facebook IP addresses, and everything worked fine.
Then I noticed that if I manually change the DNS on any machine to some other DNS servers, Facebook works smoothly.
Why is that happening?

Is there any method to shut Facebook down completely?

Here is my access-list:

ip access-list extended Block_Facebook
deny ip 192.168.1.0 0.0.0.255 173.252.100.16 0.0.63.255
deny ip 192.168.1.0 0.0.0.255 173.252.64.0 0.0.63.255
deny ip 192.168.1.0 0.0.0.255 31.13.24.0 0.0.7.255
deny ip 192.168.1.0 0.0.0.255 31.13.64.0 0.0.63.255
deny ip 192.168.1.0 0.0.0.255 66.220.144.0 0.0.15.255
deny ip 192.168.1.0 0.0.0.255 69.63.176.0 0.0.15.255
deny ip 192.168.1.0 0.0.0.255 69.171.224.0 0.0.31.255
deny ip 192.168.1.0 0.0.0.255 74.119.76.0 0.0.3.255
deny ip 192.168.1.0 0.0.0.255 103.4.96.0 0.0.3.255
deny ip 192.168.1.0 0.0.0.255 204.15.20.0 0.0.3.255
deny ip 192.168.1.0 0.0.0.255 173.252.70.0 0.0.0.255
permit udp any eq bootpc any eq bootps
permit ip 192.168.1.0 0.0.0.255 any

And on e0:

ip access-group Block_Facebook in

Accepted Solution

Different DNS servers might return different IPs for the same FQDN. That could be for redundancy, load-balancing, or for serving requests based on location.

On the PC that has a changed DNS server, look at which addresses your requests resolve to and compare that to your ACL.

Perhaps there is a better approach:

  1. Configure your router as the DNS server for the internal LAN.
  2. Make sure that the internal PCs can only reach the router for DNS.
  3. Configure the FQDNs that you want to block with an ip host statement pointing to an internal address (or also try 127.0.0.1; I think on older IOS versions that was allowed):
ip host www.facebook.com 10.10.10.10
! or
ip host www.facebook.com 127.0.0.1
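The second step of the accepted answer, checking which addresses a client's resolver returns and comparing them to the ACL, is easy to get wrong by hand because IOS wildcard masks are inverted netmasks. The following Python script is an added example, not part of the original thread; it encodes the deny entries from the question's Block_Facebook ACL, applies the IOS wildcard match (bits set to 1 in the wildcard are ignored), renders each entry as CIDR, and reports which resolved addresses fall through to the final permit. The resolver results are constructed sample values; 203.0.113.10 is a documentation-range stand-in for an address the ACL does not list.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Deny entries from the question's Block_Facebook ACL, as (destination, wildcard).
ACL_DENY_ENTRIES: List[Tuple[str, str]] = [
    ("173.252.100.16", "0.0.63.255"),
    ("173.252.64.0", "0.0.63.255"),
    ("31.13.24.0", "0.0.7.255"),
    ("31.13.64.0", "0.0.63.255"),
    ("66.220.144.0", "0.0.15.255"),
    ("69.63.176.0", "0.0.15.255"),
    ("69.171.224.0", "0.0.31.255"),
    ("74.119.76.0", "0.0.3.255"),
    ("103.4.96.0", "0.0.3.255"),
    ("204.15.20.0", "0.0.3.255"),
    ("173.252.70.0", "0.0.0.255"),
]


def wildcard_matches(address: str, wildcard: str, ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    Only the bits that are 0 in the wildcard must agree between the ACL
    address and the packet's destination address."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    x = int(ipaddress.IPv4Address(ip))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (x & care)


def wildcard_to_cidr(address: str, wildcard: str) -> Optional[str]:
    """Render an address/wildcard pair as CIDR. Host bits set under the
    wildcard (as in 173.252.100.16 0.0.63.255) are cleared because the match
    ignores them anyway. A non-contiguous wildcard has no CIDR form."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF
    # A contiguous netmask has the form 1...10...0; anything else is rejected.
    if mask != 0 and (mask | (mask - 1)) != 0xFFFFFFFF:
        return None
    prefix = bin(mask).count("1")
    return str(ipaddress.IPv4Network((a & mask, prefix)))


def first_deny_match(ip: str, entries=ACL_DENY_ENTRIES) -> Optional[Tuple[str, str]]:
    """ACLs are evaluated top-down; return the first deny entry that covers ip."""
    for address, wildcard in entries:
        if wildcard_matches(address, wildcard, ip):
            return (address, wildcard)
    return None


def audit_resolution(resolved_ips: List[str], entries=ACL_DENY_ENTRIES) -> Dict[str, Optional[str]]:
    """Map each resolved address to the CIDR of the deny entry covering it,
    or None when the ACL's final permit would let the traffic through."""
    result: Dict[str, Optional[str]] = {}
    for ip in resolved_ips:
        hit = first_deny_match(ip, entries)
        result[ip] = wildcard_to_cidr(*hit) if hit else None
    return result


def uncovered(resolved_ips: List[str], entries=ACL_DENY_ENTRIES) -> List[str]:
    """Addresses a client could reach despite the ACL."""
    return [ip for ip, cidr in audit_resolution(resolved_ips, entries).items() if cidr is None]


# Constructed sample: what two different resolvers might hand back for one FQDN.
RESOLVER_A = ["173.252.70.5", "31.13.70.1"]
RESOLVER_B = ["69.63.190.7", "203.0.113.10"]  # second address is a constructed stand-in

if __name__ == "__main__":
    for name, ips in (("resolver A", RESOLVER_A), ("resolver B", RESOLVER_B)):
        for ip, cidr in audit_resolution(ips).items():
            verdict = f"denied by {cidr}" if cidr else "NOT covered by the ACL"
            print(f"{name}: {ip} -> {verdict}")
```

Run against the real answers from `nslookup www.facebook.com <resolver>` on the affected PC; any address reported as not covered is the gap the accepted answer describes, and it is why resolving names on the router instead of enumerating addresses is the more durable control.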


4 Replies


You can use NBAR to block a website. See below for an example.

It will, however, only work on HTTP sites and not HTTPS.

https://networklessons.com/quality-of-service/block-website-with-nbar-on-cisco-router/

I don't think that Facebook is reachable through HTTP.

Bilal Nawaz
VIP Alumni

I think it's possible with the 837; if you have advipservices you can drop the HTTP packets to Facebook using the NBAR option.

! Internal LAN, used to scope the class to local clients
access-list 10 permit 192.168.1.0 0.0.0.255
!
! match-all class: the flow must be HTTP with "facebook" in the URL AND come from the LAN
class-map BlockSites
match protocol http url "*facebook*"
match access-group 10
!
policy-map BlockSites
class BlockSites
drop
!
interface e0
service-policy output BlockSites

Otherwise, the alternative would be as Karsten mentioned, which is a perfectly simple solution: put DNS locally so you have control over name resolution and can subsequently black-hole the packets.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.