dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
3519
jeffbor
join:2012-10-04

jeffbor

Member

[Config] Cisco 1801: How to blocked specific local ip address

Hi! Please help me. I'm a new to cisco configuration and this is my first time to setup a router. I just let the CCP to configure the firewall of router and manual modify it by CLI. Now, I'm having a problem on how to block a specific of ip address to specific website like facebook or youtube. I'm not able attached an access-list to policy with the class-map type urlfilter. I cannot block also a flash on web content. Here is my config:

Router1#show running-config
Load for five secs: 9%/3%; one minute: 9%; five minutes: 9%
Time source is hardware calendar, *10:31:55.689 UTC Thu Oct 4 2012

Building configuration...

Current configuration : 24911 bytes
!
! Last configuration change at 10:26:42 UTC Thu Oct 4 2012
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 8 log
security passwords min-length 6
logging buffered 51200 warnings
logging console critical

!
aaa new-model
aaa local authentication attempts max-fail 8
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed-359xxx
enrollment selfsigned

!
!
crypto pki certificate chain TP-self-signed-359420xxx
certificate self-signed 01

crypto pki certificate chain test_trustpoint_config_created_for_sdm
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.101.1 192.168.101.50
ip dhcp excluded-address 192.168.250.1 192.168.250.50
ip dhcp excluded-address 192.168.1.101 192.168.1.105
!
ip dhcp pool Lan_Users
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name example.com
dns-server x.x.x.x
!
ip dhcp pool Lan_Users
import all
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
domain-name example.com
dns-server x.x.x.x
!
ip dhcp pool WLan_Users_Internet_Only
import all
network 192.168.250.0 255.255.255.0
default-router 192.168.250.1
domain-name example.com
dns-server x.x.x.x
!
!
!
ip cef
no ip bootp server
ip domain name example.com
ip name-server 8.8.8.8

ip port-map user-BigAntIM-udp port udp 6662 description port used by BigAnt Messenger
ip port-map user-BigAntIM-tcp port tcp from 6660 to 6661 description port used by BigAnt Messenger
login block-for 30 attempts 5 within 60
no ipv6 cef
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy local message-blocked
alert off
block-page message "This webpage is temporary not availbale"
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]

parameter-map type urlf-glob social-sites
pattern facebook.com
pattern *.facebook.com
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob allow-other-sites
pattern *

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

password encryption aes
!
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group name dmz-traffic
match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-any dmz-to-lan-service
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls--1
match class-map dmz-to-lan-service
match access-group name permit-dmz-to-lan
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map match-any cls-internet-video
match protocol http mime "application/x-shockwave-flash"
match protocol http url "*.swf"
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any dmz-to-lan-protocols
match protocol icmp
match protocol user-BigAntIM-tcp
match protocol user-BigAntIM-udp
class-map type inspect match-all cls-dmz-to-lan-traffic
match class-map dmz-to-lan-protocols
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cls-social-sites
match server-domain urlf-glob social-sites
class-map type inspect match-any cls-dns
match protocol dns
class-map type inspect match-any ccp-h323nxg-inspect
--More-- match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type urlfilter match-any cls-allow-other-sites
match server-domain urlf-glob allow-other-sites
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any cls-https
match protocol https
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 103
match access-group 104
match access-group 105
class-map type inspect match-any cls-http
match protocol http
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any cls-audio-video
match protocol rtsp
match protocol appleqtc
match protocol realmedia
class-map type inspect match-all cls-ip-audio-video
match class-map cls-audio-video
match access-group name ip-with-audio-video-access
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class class-default
drop
policy-map type inspect urlfilter filter-web-access
description Filtering LAN WebAccess
parameter type urlfpolicy local message-blocked
class type urlfilter cls-social-sites
log
reset
class type urlfilter cls-allow-other-sites
allow
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-app-nonascii
log
allow
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
--More-- log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect cls-ip-audio-video
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
service-policy urlfilter filter-web-access
class type inspect ccp-protocol-smtp
inspect
service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
pass log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
drop log
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-policy-dmz-internet
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-im
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-protocol-p2p
drop log
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect cls-dmz-to-lan-traffic
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security dmz-zone
zone security ezvpn-zone
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
service-policy type inspect ccp-policy-dmz-internet
!
!
!
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 10.10.7.1 255.255.255.0
zone-member security in-zone
!
!
interface Null0
no ip unreachables
!
interface ATM0
description $FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
shutdown
no atm ilmi-keepalive

!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
!
interface FastEthernet0
description WAN Interface$FW_OUTSIDE$
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
!
!
interface FastEthernet1
description Vlan 100 Lan Users
switchport access vlan 100
!
!
interface FastEthernet2
description Vlan 100 Lan Users
switchport access vlan 100
!
!
interface FastEthernet3
description Vlan 102 WLan User with Internet Only
switchport access vlan 102
!
!
interface FastEthernet4
description Vlan 102 WLan User with Internet Only
switchport access vlan 102
!
!
interface FastEthernet5
description Vlan 101 WLan Users
switchport access vlan 101
!
!
interface FastEthernet6
description Vlan 101 WLan Users
switchport access vlan 101
!
!
interface FastEthernet7
description Trunk Ports
switchport trunk native vlan 200
switchport mode trunk
duplex full
speed 100
!
!
interface FastEthernet8
description Trunk Ports
switchport trunk native vlan 200
switchport mode trunk
duplex full
speed 100
!
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
!
interface Vlan100
description Gateway of Lan_Users$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan101
description Gateway of Lan_Users$FW_INSIDE$
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan102
description Gateway of Wireless Users with Internet Only$FW_INSIDE$
ip address 192.168.250.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan200
description Management$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan300
description Gateway of DMZ$FW_DMZ$
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
!
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
shutdown
dialer pool 1
no cdp enable
!
!
ip local pool vpn_pool 10.10.6.101 10.10.6.110
no ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source static tcp 192.168.200.51 80 interface FastEthernet0 80
ip nat inside source list 1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip access-list standard ip-with-audio-video-access
deny 192.168.1.100
permit any
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 192.168.200.51
ip access-list extended dmznotoeGaps
deny ip host 192.168.200.51 host 192.168.1.100 log
deny ip host 192.168.1.100 host 192.168.200.51 log
permit ip any any
ip access-list extended permit-dmz-to-lan
remark CCP_ACL Category=128
permit ip host 192.168.200.51 192.168.1.0 0.0.0.255
!
access-list 1 remark Allow on NAT
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.6.0 0.0.0.255
access-list 2 permit 192.168.1.105
access-list 2 permit 192.168.1.104
access-list 2 permit 10.10.6.5
access-list 2 permit 192.168.1.101
access-list 2 remark Allow to remote Cisco1801
access-list 2 permit 192.168.1.100
access-list 2 permit 192.168.1.103
access-list 2 permit 192.168.1.102
access-list 2 permit 10.10.6.102
access-list 2 permit 10.10.6.103
access-list 2 permit 10.10.6.101
access-list 2 permit 10.10.6.106
access-list 2 permit 10.10.6.104
access-list 2 permit 192.168.200.51
access-list 100 remark DMZandServerOfeGapsHasNoCommunication
access-list 100 deny ip host 192.168.1.100 host 192.168.200.51 log
access-list 100 deny ip host 192.168.200.51 host 192.168.1.100 log
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 125.212.93.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
no cdp run

!
!
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 4000 1000
scheduler interval 500
end

Router1#
aryoba
MVM
join:2002-08-22

aryoba

MVM

Re: [Config] Cisco 1801: How to blocked specific local ip addres

Ideally you need to use web content filter appliance that authenticate against credential on Windows DC or some RADIUS server.
jeffbor
join:2012-10-04

jeffbor

Member

Is there any other way to blocked specific Lan ip to specific website other than credential on Windows DC or some RADIUS server?
jeffbor

jeffbor to aryoba

Member

to aryoba
Is there any other way to blocked specific Lan ip to specific website other than credential on Windows DC or some RADIUS server?
aryoba
MVM
join:2002-08-22

aryoba

MVM

There are other solutions such as block by IP using ACL however it is not a long-term solution and may be unreliable.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to jeffbor

MVM

to jeffbor
As aryoba noted, blocking urls by IP address is hit and miss, and with sites big as facebook or youtube, likely
more a miss than hit.

If this is for an enterprise, GET THE RIGHT TOOL FOR THE RIGHT JOB! That can't be stressed enough.

If this is for home, or if you just want to do some learning, try this faq entry -- »Cisco Forum FAQ »Internet access restriction without a proxy server/websense solution?

Regards
mbruno
join:2003-07-03
Salisbury, MD

mbruno

Member

HellFire --- you are assuming that the company will handover the $$$ to do this. I know where I work it is like pulling freaking teeth at times. You can talk until you are blue in the face and try to explain to them why this is the wright way of doing something and not the cheap poor way that is half a$$.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

@mbruno
My job description is Layer 1 to 4 troubleshooting, Layers 5 to 7 is NOT my forte, and Layers 8 to 11 I leave to my boss(es)

But I'm no stranger to the "cheap, fast, perfect, AND ready by yesterday" mentality either. It's caused a loss of
at least 5 years of my life expectancy, of which HR has indicated there's no way they're gonna pay for that under
OverTime or Medical. Bastards!

Regards
69484123 (banned)
join:2012-10-22
Sterling, VA

69484123 (banned) to aryoba

Member

to aryoba
I agree with you. he should use better web content filter....

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid to jeffbor

Member

to jeffbor
you can setup WCCP, download either nginx or squid which are both free proxy servers.

1. set up the router to redirect ALL web traffic to squid/nginx IP.
2. set up proxy server to block what the boss says...
3. go have a Johnny Walker.
jeffbor
join:2012-10-04

jeffbor

Member

Hi!..thanks for the suggestion. What I've done is to combine the Zone Based firewall with CBAC to block specific www to specific users because we can't afford to have another server. I don't know if this good but it is working. I don't know if this could pass the best practice in combining them. We have just change our ISP and now we are PPPoE client. The router is behind a modem that is in bridging mode.
Could somebody suggest if my configuration is needed be change for a best configuration? Is the configuration for my dialer and the Port Fa0 connecting to the modem is correct? I want also block a flash and ads on web..but I can't make it. Thanks!

Here is my new configuration:

ISP------modem(rj45)------utp_cable------(rj45)Router------LAN

Router1#show running-config
Load for five secs: 13%/4%; one minute: 12%; five minutes: 9%
Time source is hardware calendar, *13:22:15.094 UTC Thu Oct 18 2012

Building configuration...

Current configuration : 28182 bytes
!
!
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 8 log
security passwords min-length 6
logging buffered 4096

!
aaa new-model
aaa local authentication attempts max-fail 8
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate
revocation-check none
rsakeypair TP-self-signed-3594207468
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed
certificate self-signed 01

quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.101.1 192.168.101.50
ip dhcp excluded-address 192.168.250.1 192.168.250.50
ip dhcp excluded-address 192.168.1.101 192.168.1.105
ip dhcp excluded-address 192.168.2.1 192.168.2.51
!
ip dhcp pool Lan_Users
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.10
domain-name domain.com
dns-server 8.8.8.8
!
ip dhcp pool WLan_Users
import all
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
domain-name domain.com
dns-server 192.168.101.1
!
ip dhcp pool WLan_Users_Internet_Only
import all
network 192.168.250.0 255.255.255.0
default-router 192.168.250.1
domain-name domain.com
dns-server 192.168.250.1
!
ip dhcp pool user1
host 192.168.1.105 255.255.255.0
client-identifier 0017.c4dd.5f18
!
ip dhcp pool IT_Users
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.1
domain-name domain.com
!
!
ip cef
no ip bootp server
ip domain name bdomain.com
ip host SP_SERVER 192.168.1.100
ip name-server 8.8.8.8
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip port-map user-Netsupport port tcp 5405 description Allow Netsupport from DMZ to LAN
ip port-map user-Procontrol port tcp from 12301 to 12310 description Ports use by eGaps
ip port-map user-BigAntIM-udp port udp 6662 description port used by BigAnt Messenger
ip port-map user-BigAntIM-tcp port tcp from 6660 to 6661 description port used by BigAnt Messenger
login block-for 30 attempts 5 within 60
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol l2tp
source-ip 192.168.1.1
!

parameter-map type urlfpolicy local message-blocked
alert off
block-page message "This webpage is temporary not available"
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]

parameter-map type urlf-glob social-sites
pattern *.sex.com

parameter-map type urlf-glob allow-other-sites
pattern *

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

password encryption aes
!
!
license udi pid CISCO1801/K9 sn FGL163320RX
username xxxx password xxxxxx
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group name dmz-traffic
match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-any dmz-to-lan-service
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls--1
match class-map dmz-to-lan-service
match access-group name permit-dmz-to-lan
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map match-any cls-internet-video
match protocol http mime "application/x-shockwave-flash"
match protocol http url "*.swf"
match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4alatm"
match protocol http url "*.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov"
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any dmz-to-lan-protocols
match protocol icmp
match protocol user-BigAntIM-tcp
match protocol user-BigAntIM-udp
match protocol user-Netsupport
class-map type inspect match-all cls-dmz-to-lan-traffic
match class-map dmz-to-lan-protocols
match access-group name Lan-toDMZ
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cls-social-sites
match server-domain urlf-glob social-sites
class-map type inspect match-any cls-dns
match protocol dns
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any eGaps-services
match protocol user-Procontrol
match protocol tcp
class-map type inspect match-all cls-eGaps-services
match class-map eGaps-services
match access-group name eGaps-to-DMZ
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type urlfilter match-any cls-allow-other-sites
match server-domain urlf-glob allow-other-sites
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any cls-https
match protocol https
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 103
match access-group 104
match access-group 105
class-map type inspect match-any cls-http
match protocol http
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map match-any cls-unrestrictedip
match access-group name unrestrictedip
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map match-any social-web-access
match protocol http host "fb.com"
class-map match-all cls-denysocialnetworksschedule
match access-group name denysocialnetworksschedule
match class-map social-web-access
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
--More-- match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map drop-social-web-access-&-net-vid-flash
class cls-unrestrictedip
class cls-denysocialnetworksschedule
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class class-default
drop
policy-map type inspect ccp-permit-dmzservice-lan
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect cls-dmz-to-lan-traffic
inspect
class type inspect cls-eGaps-services
inspect
class class-default
drop
policy-map type inspect urlfilter filter-web-access
description Filtering LAN WebAccess
parameter type urlfpolicy local message-blocked
class type urlfilter cls-social-sites
log
reset
class type urlfilter cls-allow-other-sites
allow
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-app-nonascii
log
allow
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
service-policy urlfilter filter-web-access
class type inspect ccp-protocol-smtp
inspect
service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
pass log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
drop log
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-policy-dmz-internet
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-im
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-protocol-p2p
drop log
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect cls-dmz-to-lan-traffic
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security dmz-zone
zone security ezvpn-zone
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice-lan
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
service-policy type inspect ccp-policy-dmz-internet
zone-pair security dmz-in source dmz-zone destination in-zone
service-policy type inspect ccp-permit-dmzservice-lan
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 10800
!
crypto isakmp client configuration group vpngrp
key password
dns 8.8.8.8
pool vpn_pool
acl 101
max-users 5
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpngrp
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set transformset esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 300
set transform-set transformset
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 10.10.7.1 255.255.255.0
zone-member security in-zone
!
!
interface Null0
no ip unreachables
!
interface ATM0
description $FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
shutdown
no atm ilmi-keepalive
!
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
!
interface FastEthernet0
description WAN Interface$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip virtual-reassembly
zone-member security out-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface FastEthernet1
description Vlan 100 Lan Users
switchport access vlan 100
!
!
interface FastEthernet2
description Vlan 100 Lan Users
switchport access vlan 100
!
!
interface FastEthernet3
description Vlan 102 WLan User with Internet Only
switchport access vlan 102
!
!
interface FastEthernet4
description Vlan 102 WLan User with Internet Only
switchport access vlan 102
!
!
interface FastEthernet5
description Vlan 101 WLan Users
switchport access vlan 101
!
!
interface FastEthernet6
description Vlan 101 WLan Users
switchport access vlan 101
!
!
interface FastEthernet7
description Trunk Ports
switchport trunk native vlan 200
switchport mode trunk
duplex full
speed 100
!
!
interface FastEthernet8
description Trunk Ports
switchport trunk native vlan 200
switchport mode trunk
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
!
interface Vlan100
description Gateway of LAN_Users$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan101
description Gateway of WLAN_Users$FW_INSIDE$
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan102
description Gateway of Wireless Users with Internet Only$FW_INSIDE$
ip address 192.168.250.1 255.255.255.0
ip access-group 150 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan120
description Gateway of Users of ISP2 (IT)
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan200
description Management$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan300
description Gateway of DMZ$FW_DMZ$
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
!
!
interface Dialer0
no ip address
no cdp enable
!
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1410
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxx
ppp chap password xxx
ppp pap sent-username xxx password xxx
no cdp enable
!
!
ip local pool vpn_pool 10.10.6.101 10.10.6.110
no ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.200.51 80 xxx.xxx.xxx.xxx 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 10.10.6.1
!
ip access-list standard unrestrictedip
permit 192.168.1.100
permit 192.168.1.60
!
ip access-list extended Lan-toDMZ
remark CCP_ACL Category=128
permit ip 192.168.1.0 0.0.0.255 host 192.168.200.51
permit ip 192.168.101.0 0.0.0.255 host 192.168.200.51
permit ip 192.168.250.0 0.0.0.255 host 192.168.200.51
permit ip 10.10.6.0 0.0.0.255 host 192.168.200.51
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended denysocialnetworksschedule
permit ip any any time-range no-social-sites
permit ip any any time-range no-social-sites-2
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 192.168.200.51
ip access-list extended dmznotoeGaps
deny ip host 192.168.200.51 host 192.168.1.100 log
deny ip host 192.168.1.100 host 192.168.200.51 log
permit ip any any
ip access-list extended eGaps-to-DMZ
remark Allow DMZ to access eGaps
permit ip host 192.168.1.100 host 192.168.200.51
permit ip host 192.168.200.51 host 192.168.1.100
ip access-list extended no-cisco
deny tcp any host 96.16.224.170 eq www
permit ip any any
ip access-list extended permit-dmz-to-lan
remark CCP_ACL Category=128
permit ip host 192.168.200.51 192.168.1.0 0.0.0.255
!
access-list 1 remark Allow to NAT on ISP1(BAYANTEL)
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 2 permit 192.168.1.105
access-list 2 permit 192.168.1.104
access-list 2 permit 10.10.10.2
access-list 2 permit 192.168.1.101
access-list 2 remark Allow to remote Cisco1801
access-list 2 permit 192.168.1.100
access-list 2 permit 192.168.1.103
access-list 2 permit 192.168.1.102
access-list 2 permit 10.10.6.102
access-list 2 permit 10.10.6.103
access-list 2 permit 10.10.6.101
access-list 2 permit 10.10.6.106
access-list 2 permit 10.10.6.104
access-list 2 permit 10.10.6.105
access-list 2 permit 10.10.6.0 0.0.0.255
access-list 20 remark Allow to NAT on ISP2(PLDT)
access-list 20 permit 192.160.2.0 0.0.0.255
access-list 20 permit 192.160.200.0 0.0.0.255
access-list 100 remark DMZandServerOfeGapsHasNoCommunication
access-list 100 deny ip host 192.168.1.100 host 192.168.200.51 log
access-list 100 deny ip host 192.168.200.51 host 192.168.1.100 log
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 125.212.93.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
access-list 150 remark no-cisco
access-list 150 remark DenyInternetUsersToeGaps
access-list 150 deny ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 150 permit ip any any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 5 0
logging synchronous
exec prompt timestamp
length 5
transport input ssh
line vty 5 15
access-class 2 in
exec-timeout 5 0
logging synchronous
exec prompt timestamp
length 5
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
time-range no-social-sites
periodic weekdays 8:00 to 11:55
!
time-range no-social-sites-2
periodic weekdays 13:00 to 17:00
!
end

HELLFIRE
MVM
join:2009-11-25

HELLFIRE to jeffbor

MVM

to jeffbor
said by jeffbor:

I don't know if this good but it is working.

If it works, then that's good enough short of using the previously given suggestions.
said by jeffbor:

I want also block a flash and ads on web..but I can't make it.

Cheaper / Easier way to block ads is via the endhosts' host file, honestly.

Just my 00000010bits.

Regards