Cisco Community
English
Register
New community login process starting July 13 - LEARN MORE HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1866
Views
0
Helpful
1
Replies
jack
Beginner
Beginner
‎01-27-2011 08:32 AM
‎01-27-2011 08:32 AM

Cisco 861 - Access Lists - Host Based Whitelist

My goal is to configure Cisco IOS to act as a filter for what website destinations will and will not be accessible by internal clients.

The problem is that when entering an extended access list using a hostname you get the following:

CZX800#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CZX800(config)#ip access-list extended WHITELIST
CZX800(config-ext-nacl)#permit ip 10.200.200.0 0.0.0.255 host www.mysimon.com
Translating "www.mysimon.com"...domain server (255.255.255.255) [OK]

DNS translates the name to an IP Address.

Then, if I show my config, you can see the following lines:

ip access-list extended WHITELIST
permit ip 10.200.200.0 0.0.0.255 host 64.30.224.38

IOS converted the hostname to a permanent static IP

The problem is that many websites have changing IP addresses, especially those of large national businesses.  If the IP address were to change, the above ACL would not allow access to their website.

I have several clients who do not want open internet access at certain sites (an increasing trend), but they want the users to have access to a specified list of resources on the internet.  I also have a client who has asked me to implement parental control, so that by default only certain websites would be accessible from a specified VLAN, while on other VLAN's internet is wide open.

I am currently using DD-WRT for this solution.  The Linux firmware does a dns lookup when the firewall script is run.  If any IP addresses have changed, they are updated at this point.  I am able to set CRON to do these updates frequently.  This solution actually works very well, but I hate to rely on Linksys routers and DD-WRT firmware which may or may not be secure depending on the build and the builder!  I would like the exact same results using Cisco IOS.

Any help or ideas would be appreciated.

Labels:
0 Helpful
1 REPLY 1
Collin Clark
Advisor
Advisor
‎01-27-2011 08:42 AM
‎01-27-2011 08:42 AM

A router really isn't designed for web filtering right out of the box. The lookup you experienced is just how it works. If you want white listing you have a couple of options:

1. IOS Content Filter

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/data_sheet_c78-458833.html

2. An ASA with CSC Module

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f.html

3. Iron Port Appliance

http://www.ironport.com/resources/datasheet_ironport_s_series.html

Each has it's own +/- so please ask if you have any questions.

Hope it helps.

0 Helpful
Latest Contents
Detecting of MAC/Probe Spoofing with AI Spoofing Detection
Created by kthiruve on 07-22-2021 08:41 AM
0
0
0
0
Overview:Pre-Requisites:AI Cloud registration:Enabling NetFlow on Cisco DNA Center and switchesAI Spoofing detection and UI interaction:Rapid Threat Containment <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.... view more
Asignacion de direccionamiento IPV6 a Host
Created by IvanEduardoHerreraSalas0045 on 07-21-2021 11:47 PM
0
0
0
0
Como parte de mi preparacion para el ENARSI he estado haciendo una serie de videos para que se me quede mas grabado todo, en el siguiente link encontraran una liga con los mecanismos de asignacion de direccion IPV6 a Hosts   https://youtube... view more
Add and Discover network devices on DNA Center
Created by Pulkit Nagpal on 07-21-2021 10:33 PM
0
0
0
0
So you have the DNA Center racked and stacked in your data centre, and you are thinking what next?   To get instant value from your DNA Center, you should next discover and add your network devices to it. In this video, we will take you through the ... view more
Community Live FAQ- Application Hosting on ISR, ASR, CSR and...
Created by Cisco Moderador on 07-21-2021 10:46 AM
0
5
0
5
Overview:Pre-Requisites:AI Cloud registration:Enabling NetFlow on Cisco DNA Center and switchesAI Spoofing detection and UI interaction:Rapid Threat Containment This event had place on Tuesday 20, July 2021 at 10hrs PDT Introduction Edge Compute is evol... view more
Community Live Video- Application Hosting on ISR, ASR, CSR a...
Created by Cisco Moderador on 07-21-2021 10:40 AM
0
0
0
0
(view in My Videos) Community Live-Application Hosting on ISR, ASR, CSR and Catalyst Routing Platforms This event had place on Tuesday 20th, July 2021 at 10:00 hrs PDT Edge Compute is evolving as a key pillar as part of next-generation Enterprise WAN Edg... view more
Content for Community-Ad