
How to block URL in router Cisco C881 800 series

Staline Satola
Level 1

these are the settings
----------------------------------------

no ip source-route
no ip gratuitous-arps
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool LAN FAB1 DHCP
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.1.1.1 1.0.0.1
lease 7
!
!
!
no ip bootp server
ip domain name grupoterrasul.local
ip host www.facebook.com 10.10.10.10
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ173691FR
!
!
archive
log config
logging enable
object-group network obj-facebook.com
!
!
!
!
class-map match-any url-bloquear-sites
match protocol http host "*youtube*"
match protocol http host "*facebook*"
match protocol http host "*xvideos*"
match protocol http host "*torrent*"
match protocol http host "*badoo*"
match protocol http host "*porn*"
match protocol http host "*twitter*"
match protocol http host "*bittorrent*"
class-map match-all FACEBOOKBLOCK
match protocol http host "www.facebook.com"
match protocol secure-http
!
policy-map FACEBOOK.COM-POLICY
class FACEBOOKBLOCK
drop
policy-map url-bloquearsites-policy
class url-bloquear-sites
drop
!
zone security inside
zone security outside
zone security dmz
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
spanning-tree portfast
service-policy input url-bloquearsites-policy
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
description TVBACO FIBRA 20M
ip address 192.168.100.77 255.255.255.0
ip access-group autosec_firewall_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto
service-policy input url-bloquearsites-policy
!
interface Vlan1
description LAN FAB1
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended NAT_FILTERING
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
!
logging trap debugging
logging facility local2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
no cdp run
!
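
A check of the configuration posted above, added here as an example; it is not part of the original post and not a Cisco tool. It assumes NBAR assigns each flow a single protocol (so a match-all class requiring both http and secure-http matches nothing) and that http host/url matches read the cleartext request, which an HTTPS session does not expose; the function names and finding labels are hypothetical.

```python
# Constructed excerpt of the configuration posted above, unindented as on the page.
SAMPLE = """\
class-map match-any url-bloquear-sites
match protocol http host "*facebook*"
class-map match-all FACEBOOKBLOCK
match protocol http host "www.facebook.com"
match protocol secure-http
policy-map FACEBOOK.COM-POLICY
class FACEBOOKBLOCK
drop
policy-map url-bloquearsites-policy
class url-bloquear-sites
drop
interface FastEthernet4
service-policy input url-bloquearsites-policy
"""

def parse(config):
    """Parse by keyword, so text that lost its indentation still works."""
    class_maps, policies, attached = {}, [], set()
    current = None  # protocol list of the class-map being read, if any
    for words in filter(None, map(str.split, config.splitlines())):
        if words[0] == "class-map":
            mode = "match-any" if "match-any" in words else "match-all"
            current = []
            class_maps[words[-1]] = (mode, current)
        elif words[0] in ("policy-map", "interface"):
            current = None
            if words[0] == "policy-map":
                policies.append(words[-1])
        elif words[:2] == ["match", "protocol"] and len(words) > 2 and current is not None:
            current.append(words[2])
        elif words[0] == "service-policy":
            attached.add(words[-1])
    return class_maps, policies, attached

def audit(config):
    """Return (name, finding) pairs; the finding codes are hypothetical labels."""
    class_maps, policies, attached = parse(config)
    findings = []
    for name, (mode, protocols) in class_maps.items():
        if mode == "match-all" and len(set(protocols)) > 1:
            findings.append((name, "never-matches"))   # one flow, two protocols
        if "http" in protocols:
            findings.append((name, "cleartext-only"))  # Host/URL not visible in TLS
    findings += [(p, "not-attached") for p in policies if p not in attached]
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
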


balaji.bandi
Hall of Fame

What is the issue? You have a policy-map; which was not working? What is the IOS version?

Here I have tested, and all is working as expected. Example:


class-map match-any block-sites
match protocol http host "*youtube.com*"
match protocol http host "*porn*"
!
!
policy-map rule-block
class block-sites
drop

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

-----------------------------------------------------------------------
GTSR881#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M4,FTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 20-Jun-13 16:47 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

GTSR881 uptime is 3 days, 3 hours, 25 minutes
System returned to ROM by power-on
System image file is "flash:c880data-universalk9-mz.152-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: power-on

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ173691FR

5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO881-K9 FCZ173691FR

 

License Information for 'c880-data'
License Level: advsecurity Type: Permanent


Thank you. What is the issue you are having? Is the policy map not working?

BB


Not working; I can access blocked sites.

For example, I blocked www.facebook.com, but when I go to the browser I can still log on to www.facebook.com on another site that I block.

What is your IP address you are trying to access, which was given access to facebook.com?

What is the other site which was blocked?

BB


Hi, Staline Satola

you can try without the dot after the star here:

*. facebook.com

Best Regards

Josiane 

Twitter : @securegirlninja

Just trying to understand: the original post already has "match protocol http host "*facebook*"" (I believe this should be "match protocol http url *facebook*").

BB


match protocol http host *facebook*
OK, I'll try

!
class-map match-all facebook
match protocol http url "*facebook*"
!
policy-map nofacebook
class facebook
drop
!
!
!
!
!
!
!
!
!
!
! WAN port
!
interface FastEthernet4
description TVBACO FIBRA 20M
ip address 192.168.100.77 255.255.255.0
ip access-group autosec_firewall_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto
service-policy output nofacebook



(") enters automatically

Did you see my definitions?

Hi @Staline Satola

It could split whether it worked or not, so you can test and help.
I could not understand the above comment. below.

 

Best Regards,

Josiane

Did not solve.