Sadikhov IT Certification forums
jalakampradeep

URL FILTERING


Dear all,

I configured a URL filtering policy in the router, and below is the config done in the router.

My topology is R1 → R2 → PC

As per the below-mentioned parameter map which I configured, it matches the LOG option. Hence, while logging in to the router R1 via web browser (which is connected to R2) from the PC, the web page displays that it is blocked due to the content filtering service. My intention is that the web page should be opened, and if at all I click the Log option (i.e. the Show Diagnostics tool) then it should be blocked, because my pattern map matches the LOG option and I also defined in the URLfilter class-map "match url-keyword urlf-glob LOG", where LOG is the parameter map name. Kindly let me know if anything is wrong in my configuration. Thanks in advance for your reply. Awaiting your response.

R2#sh running-config
Building configuration...

Current configuration : 2306 bytes
!
! Last configuration change at 04:54:28 UTC Fri Feb 11 2011
!
upgrade fpd auto
version 15.0
parser config cache interface
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
ip source-route
ip cef
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated

parameter-map type urlfpolicy local URLFILTER
 block-page message "Dont Even Try To Go There"
parameter-map type urlf-glob LOG
 pattern log

!
!
!
!
!
!
!
!
!
redundancy
!
!
!
class-map type urlfilter match-any SOCIAL
 match url-keyword urlf-glob LOG
class-map type inspect match-all WEB
 match protocol http
!
!
policy-map type inspect urlfilter SOCIAL
 parameter type urlfpolicy local URLFILTER
 class type urlfilter SOCIAL
  log
  reset
policy-map type inspect policy-new
 class type inspect WEB
  inspect
  service-policy urlfilter SOCIAL
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect policy-new
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 zone-member security inside
 duplex auto
 speed auto
!
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface Serial1/0
 ip address 192.168.20.2 255.255.255.0
 zone-member security outside
 clock rate 64000
!
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
!
!
!
router eigrp 10
 network 192.168.10.1 0.0.0.0
 network 192.168.20.2 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end


It's very tricky doing web content filtering from the CLI; now, on your issue, it should block any web page containing the log keyword?

Either way, I suggest you add to your class map an ACL containing traffic from R2 to R1 and use a match-not statement.

Also use this link for good practice and experience, if possible using Cisco's CCP.

Edited by laf_c


Hi Laf_c

Thanks for your reply. In my scenario, which I tested using the above-mentioned config, it is blocking me from getting into the router R1. As per my understanding it should allow me to get into the router R1, but when I navigate to the Show Diagnostics tool, which contains the LOG keyword in the URI, then it should be blocked due to the content filtering service, but this is not happening. Please let me know if anything is wrong in my config. Thanks in advance for your reply. Awaiting your response.


Again, I have no experience with Cisco's Content Filtering and I don't wish it to happen soon, as it's just clumsy and years behind other vendors. Just follow the doc and other sources; maybe you can figure it out by yourself. Additionally, use Wireshark to make sure that the log pattern is present.
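The two open questions in this thread are whether the request URIs the PC actually sends contain the "log" keyword (laf_c's Wireshark suggestion) and why a bare pattern of "log" ends up blocking the whole site rather than only the Show Diagnostics page (the first post). The script below is an added example, not code from the thread or from Cisco: it takes HTTP request lines as they would be read off a Wireshark capture and dry-runs the url-keyword glob against them, reporting which requests the SOCIAL class would reset. It assumes, and labels as assumptions, that a URL keyword is a "/"-delimited component of the request path, that the glob is compared case-insensitively with shell-style wildcards, and that the thread does not settle whether IOS matches the whole component or any substring of it, so both readings are shown side by side. The sample request lines and their paths are constructed.

```python
"""Dry-run a url-keyword glob (Cisco urlf-glob style) against captured HTTP requests.

Added example, not from the forum thread or from Cisco. Assumptions modelled here:
  * a URL keyword is a "/"-delimited component of the request path;
  * the glob is matched case-insensitively with shell-style wildcards;
  * whether a bare pattern must cover the whole component or may match a
    substring is not stated in the thread, so both modes are implemented.
"""
import fnmatch
from typing import List, Tuple

# Constructed sample request lines, as they would appear in a Wireshark
# "http.request" display of PC -> R1 traffic. The paths are made up.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /home.shtml HTTP/1.1",
    "GET /exec/show/log HTTP/1.1",
    "GET /exec/show/logging/CR HTTP/1.1",
    "GET /images/logo.gif HTTP/1.1",
    "GET /admin/LOG/view HTTP/1.1",
]


def request_uri(request_line: str) -> str:
    """Extract the request-target from an HTTP/1.x request line."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return parts[1]


def url_keywords(uri: str) -> List[str]:
    """Split a request path into its non-empty '/'-delimited components.

    The query string is dropped, so '?log=1' is not treated as a keyword
    (assumption about what the filter considers a keyword).
    """
    path = uri.split("?", 1)[0]
    return [seg for seg in path.split("/") if seg]


def keyword_hit(pattern: str, uri: str, substring: bool = False) -> bool:
    """Return True when any path component of the URI matches the glob.

    substring=False: the glob must cover the whole component, so the bare
                     pattern 'log' hits only a component equal to 'log'
                     ('log*' would be needed to also hit 'logging').
    substring=True : the glob is wrapped as '*pattern*', a contains-match,
                     which also hits 'logging' and 'logo.gif'.
    """
    glob = f"*{pattern}*" if substring else pattern
    return any(
        fnmatch.fnmatchcase(seg.lower(), glob.lower()) for seg in url_keywords(uri)
    )


def evaluate(
    requests: List[str], pattern: str, substring: bool = False
) -> List[Tuple[str, str]]:
    """Map each request URI to the action the SOCIAL class would take on it.

    'reset' mirrors the policy in the post (class type urlfilter SOCIAL -> log,
    reset); 'allow' means the class did not match and HTTP inspection passes it.
    """
    return [
        (uri, "reset" if keyword_hit(pattern, uri, substring) else "allow")
        for uri in map(request_uri, requests)
    ]


if __name__ == "__main__":
    for mode in (False, True):
        label = "substring" if mode else "whole-component"
        print(f"\npattern 'log', {label} match:")
        for uri, action in evaluate(SAMPLE_REQUESTS, "log", substring=mode):
            print(f"  {action:5s}  {uri}")
```

Feed the script the request lines pulled from a capture (Wireshark: Follow TCP stream, or the Info column with the `http.request` filter) and compare the two columns: if the "allow" list under whole-component matching is what you expect but the live router still blocks the landing page, the next thing to check is which URIs the web UI really requests, since an embedded resource whose path contains the keyword is enough to trip a match-any class for that connection.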
