URL Filtering WITHOUT Websense?

brider
Level 1

Hi folks. I am new to Cisco products and there are a few things I am trying to configure. I am running a 2821 Router with IOS v 12.4(10a). I am trying to configure the URL filtering portion of the firewall ACL. I have configured to deny one site, then I enable the filter and it shuts down all internet sites. When I disable the URL filtering, everything works fine again. This looks pretty cut and dry but apparently it is not. I was also reading that I needed a Websense server to use this feature? Is that correct? Thanks.

23 Replies

Collin Clark
VIP Alumni

Yes a proxy server is required.

Okay thanks. That is what I thought.

stephen.stack
Level 4

Hi,

Hmmmm, I had a big long chorus written out for you explaining that local URL filtering would work and how to implement it, but I decided to just test it on my own 831, IOS 12.3(8)T8, when I discovered that I have exactly the same issue as you. I have done this before for customers. Maybe it is a bug.

Might try it with an older IOS later, just to test it.

If anyone else has any ideas, I'd like to know too.

Cheers

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Sorry I read it too fast, I thought it was a PIX. I never tried it with IOS.

juan_m_12
Level 1

Hi, I have the same situation with a 2821 router with IOS Version 12.4(7c). Can't it be done without a Websense server, only to block a specific URL like www.hotmail.com??

thanks

Juan Garcia

Hello,

You can use the IOS f/w URL filtering without using the Websense server. I would like to check the IOS configuration done on the router.

Please paste the router configuration.

HTH,

-amit singh

Hi folks. I didn't know this thread was still active, but I did find the answer to my problem through a friend by using the urlfilter exclusive domain....etc. command. Thanks to everyone for their help.

hello, can you post your solution to filter URLs please?

---- actually we have only the basics configured by SDM and some by CLI

ip name-server <>
ip name-server <>
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW http
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
interface GigabitEthernet0/0
 ip address 10.1.1.5 255.255.252.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:1
 ip address <>
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 no fair-queue
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1
!
!
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 100 permit udp host 131.107.1.10 eq ntp host 10.1.1.5 eq ntp
access-list 100 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 100 permit udp host 192.43.244.18 eq ntp host 10.1.1.5 eq ntp
access-list 100 deny ip <> any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host <>
access-list 101 permit tcp any host <>
access-list 101 permit udp any host <>
access-list 101 permit tcp any host <>
access-list 101 permit udp host <> eq domain host <>
access-list 101 permit udp host <> eq domain host <>
access-list 101 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 101 permit udp host 131.107.1.10 eq ntp host <> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 101 permit udp host 192.43.244.18 eq ntp host <> eq ntp
access-list 101 deny ip 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp any host <> echo-reply
access-list 101 permit icmp any host <> time-exceeded
access-list 101 permit icmp any host <> unreachable
access-list 101 permit tcp any host <> eq 443
access-list 101 permit tcp any host <> eq 22
access-list 101 permit tcp any host <> eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!
!
ntp clock-period 17180301
ntp update-calendar
ntp server 192.43.244.18 prefer
ntp server 131.107.1.10
!
end

---------------------------------------

I tried the command

ip urlfilter exclusive-domain deny www.hotmail.com

(that was added by SDM using "url filter") but SDM blocked all pages.

thanks beforehand

Juan Manuel Garcia

I finally found out.

First I need to activate the command:

ip urlfilter allow-mode on

to inspect the URL even without a Websense server, and then the command:

ip urlfilter source-interface eth0/0

to apply the filtering, I guess, and finally the commands:

ip urlfilter exclusive-domain deny .danger.com

The dot at the start indicates any webpage in that domain, and you only need to specify the denies rather than the permits, because the allow-mode on command permits everything but the specified URLs.

Thanks everybody for the posts.

Does anyone know if there's a performance issue filtering URLs this way?

Juan Manuel Garcia Reyes

Hi Brider,

This is the working configuration which I use in my organization to block Google chat and the meebo.com site. I have been using this for the past 4 months without any problem on my Cisco 1751.

ip inspect alert-off
ip inspect name URL_FILTER http java-list 2 urlfilter
ip urlfilter allow-mode on
ip urlfilter cache 5
ip urlfilter exclusive-domain deny chatenabled.mail.google.com
ip urlfilter exclusive-domain deny .meebo.com
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
 ip inspect URL_FILTER in
 speed auto
!
access-list 2 permit any

The above config will block the sites that I have listed and the rest are all allowed, because the "ip urlfilter allow-mode on" command is present. If it is not present, then it blocks all internet traffic, so make sure you're issuing this command.

i hope this helps.

rate this post if satisfied.
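The two posts above (Juan's fix and the Cisco 1751 configuration) describe the same decision rule: local exclusive-domain entries are matched first, a leading dot covers every host in a domain, and with no filter server reachable, allow-mode decides what happens to everything else. The Python below is an added model of that logic, not IOS code or anything from the thread; the sample configuration is constructed from the 1751 post, and treating ".example.com" as also matching the bare "example.com" is an assumption of the model.

```python
# Added example (not code from the thread): a simplified model of how IOS
# 'ip urlfilter' decides an HTTP request when only local exclusive-domain
# rules exist and no Websense/N2H2 server answers, following the thread:
#   - a pattern with a leading dot (.meebo.com) covers every host in that domain
#   - a pattern without one (chatenabled.mail.google.com) is one exact host
#   - 'ip urlfilter allow-mode on' lets unmatched URLs through; without it,
#     and with no filter server reachable, every unmatched URL is dropped
from typing import List, Tuple

# Constructed sample modelled on the Cisco 1751 configuration posted above.
SAMPLE_CONFIG = """\
ip inspect name URL_FILTER http java-list 2 urlfilter
ip urlfilter allow-mode on
ip urlfilter cache 5
ip urlfilter exclusive-domain deny chatenabled.mail.google.com
ip urlfilter exclusive-domain deny .meebo.com
"""
# The same rules with the allow-mode line left out (the "blocks everything" case).
NO_ALLOW_MODE_CONFIG = "\n".join(
    l for l in SAMPLE_CONFIG.splitlines() if "allow-mode" not in l)

def parse_rules(config: str) -> List[Tuple[str, str]]:
    """Return (action, pattern) pairs from 'ip urlfilter exclusive-domain' lines."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "urlfilter", "exclusive-domain"] and len(parts) == 5:
            rules.append((parts[3], parts[4].lower()))
    return rules

def allow_mode_on(config: str) -> bool:
    """True if the config carries 'ip urlfilter allow-mode on'."""
    return any(l.split() == ["ip", "urlfilter", "allow-mode", "on"]
               for l in config.splitlines())

def domain_matches(pattern: str, host: str) -> bool:
    """Leading dot: the domain and every host beneath it; otherwise exact host.
    Matching the bare apex for a dotted pattern is an assumption of this model."""
    host = host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def decide(host: str, config: str, server_reachable: bool = False) -> str:
    """Local rules win; unmatched hosts go to the filter server if there is one,
    otherwise allow-mode alone decides between 'permit' and 'deny'."""
    for action, pattern in parse_rules(config):
        if domain_matches(pattern, host):
            return action          # 'deny' or 'permit' from the rule itself
    if server_reachable:
        return "server-lookup"
    return "permit" if allow_mode_on(config) else "deny"
```

Running decide("www.cisco.com", NO_ALLOW_MODE_CONFIG) returns "deny" for a host no rule mentions, which is the "shuts down all internet sites" symptom the thread started with.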

Can you do this on an ASA 5505??

Yes, URL filtering can be configured on the ASA also.

How?