geico
join:2006-05-02 Elkhart, IN
How to Configure Internet Access restrictions?
I want my users to surf only restricted web sites. I don't want to use an access list to restrict access based on the IP address of the web sites.
So I thought I could experiment a bit with using policy maps and traffic marking on DSCP bits. Right now I am pulling my hair out trying to figure out what I am doing wrong (maybe it's the concept that is wrong). For example, I want my users to only browse www.in.gov and all other traffic should not be NAT translated, but right now no users behind the router can get on to www.in.gov (or any other web site).
Here is my config; your comments and help are appreciated.
Current configuration : 1975 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 informational
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 207.x.x.x
ip ips po max-events 100
no ftp-server write-enable
!
class-map match-any http-allow
 match protocol http host "www.in.gov"
!
policy-map mark-inbound-http
 class http-allow
  set ip dscp 1
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description Interface to DSL Modem
 ip address 10.100.1.105 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 service-policy input mark-inbound-http
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.1.1
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any dscp 1
no cdp run
!
control-plane
!
banner login ^C Authorized Users Only !!!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password 7 0005170B0D55
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end
aryoba Premium,MVM join:2002-08-22
Is there a reason why you don't want to use an ACL to restrict?
I see that in.gov is in the 157.91.0.0/16 network. Therefore, using an ACL you could just permit access only to that network and deny others.
geico
join:2006-05-02 Elkhart, IN
There are about 25 web sites we want the users to access, and we have to consider the possibility of IP address changes at those web hosts.
Do you find anything I should not have done in the config?
 aryoba Premium,MVM join:2002-08-22 edit: May 2nd, @10:51PM
When considering IP address changes, you should then permit the entire network owned by the sites, as I recommended previously, and not just permit one or two IP addresses.
RyanG1 Premium join:2002-02-10 San Antonio, TX
reply to geico
Or why not run a proxy server and use a filter like DansGuardian, assuming of course you can get the router to redirect all web queries out to the proxy server.
Ryan -- Oh I wish I was an Oscar Mayer wiener, then everyone would be in love with me....
geico
join:2006-05-02 Elkhart, IN
reply to geico
Ok, maybe it's stupid to try this way. But does anybody know if I can restrict Internet access this way?
Covenant Premium,MVM join:2003-07-01 England
Depends on whether your router supports CBAC, but there might be a quick and dirty way of doing this:
You can use the commands:
ip inspect name outgoingipinspect http urlfilter audit-trail off
ip inspect name outgoingipinspect http java-list 10
ip urlfilter exclusive-domain permit www.in.gov
with ACL 10 permitting everything for the Java applets.
access-list 10 permit any
You might need to add the command:
ip urlfilter allow-mode off
but I can't be sure off the top of my head.
You will need to apply the ip inspect in the direction of the outgoing packets (LAN interface IN / WAN interface OUT).
I haven't tested this, so you are the guinea pig in this case; let us know how you get on. You might want to play with the allow-mode option.
It is better to go with a proxy or even a Websense solution if your hardware supports it in the long run. -- If only my employers could see how much effort I put into the Cisco forum. They would then understand why I sleep at my desk.
  geico
join:2006-05-02 Elkhart, IN
Man, that's pretty cool. All I needed was
ip inspect name test-filter http urlfilter audit-trail off
ip urlfilter exclusive-domain permit www.google.com
ip urlfilter exclusive-domain permit www.in.gov
interface FastEthernet4
 description Interface to DSL Modem
 ip inspect test-filter out
and ready to go (rather, ready to block).
And I had to turn off the allow mode:
ip urlfilter allow-mode off
Thanks again.
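A small Python model of the per-request decision the URL filter configured in this thread makes, added here as an example (not Cisco's code): it pulls the target host out of an HTTP request, walks the exclusive-domain list first-match, and falls back to allow-mode when nothing matches, which is why geico saw everything pass until allow-mode was turned off. The first-match order and the leading-dot (".in.gov") domain-suffix semantics are assumptions about IOS behaviour, and host_from_request and thread_filter are helpers written for this example.

```python
"""Model of one CBAC URL-filter decision (added example, not Cisco's code).

Assumed IOS semantics: 'exclusive-domain' entries are checked first-match in
configured order; a leading dot (".in.gov") matches every host in that domain,
while "www.in.gov" matches only that host; with no URL-filter server configured,
a request that matches no entry is decided by allow-mode (on=permit, off=deny).
"""
from urllib.parse import urlsplit


def host_from_request(raw: bytes) -> str:
    """Lowercase target host of an HTTP/1.x request: the Host header, or the
    authority of an absolute-URI request line; '' if neither is present."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()   # drop any :port
    parts = lines[0].split()
    if len(parts) >= 2 and "://" in parts[1]:
        return (urlsplit(parts[1]).hostname or "").lower()
    return ""


class UrlFilter:
    def __init__(self, allow_mode: bool = True):
        self.allow_mode = allow_mode   # 'ip urlfilter allow-mode off' -> False
        self.exclusive = []            # [(domain, permitted)] in config order

    def exclusive_domain(self, action: str, domain: str) -> None:
        """ip urlfilter exclusive-domain {permit|deny} <domain>"""
        self.exclusive.append((domain.lower(), action == "permit"))

    def decide(self, raw_request: bytes) -> str:
        host = host_from_request(raw_request)
        for pattern, permitted in self.exclusive:
            exact = host == pattern
            in_domain = pattern.startswith(".") and (
                host == pattern[1:] or host.endswith(pattern))
            if exact or in_domain:
                return "permit" if permitted else "deny"
        return "permit" if self.allow_mode else "deny"   # no match: allow-mode


def thread_filter(allow_mode: bool) -> UrlFilter:
    """geico's final exclusive-domain list: www.google.com and www.in.gov."""
    f = UrlFilter(allow_mode)
    f.exclusive_domain("permit", "www.google.com")
    f.exclusive_domain("permit", "www.in.gov")
    return f


# Constructed sample requests (not captured traffic).
REQ_INGOV = b"GET / HTTP/1.1\r\nHost: www.in.gov\r\n\r\n"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```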
Covenant Premium,MVM join:2003-07-01 England
Thanks for the feedback. Glad it worked; a possible FAQ is in the pipe here.