[Config] Cisco 1801: How to block a specific local IP address

Hi! Please help me. I'm new to Cisco configuration and this is my first time setting up a router. I just let CCP configure the firewall of the router and manually modified it by CLI. Now I'm having a problem with how to block a specific IP address from a specific website like Facebook or YouTube. I'm not able to attach an access-list to a policy with the class-map type urlfilter. I also cannot block flash web content. Here is my config:
Router1#show running-config
Load for five secs: 9%/3%; one minute: 9%; five minutes: 9%
Time source is hardware calendar, *10:31:55.689 UTC Thu Oct 4 2012
Building configuration...

Current configuration : 24911 bytes
!
! Last configuration change at 10:26:42 UTC Thu Oct 4 2012
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 8 log
security passwords min-length 6
logging buffered 51200 warnings
logging console critical
!
aaa new-model
aaa local authentication attempts max-fail 8
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed-359xxx
 enrollment selfsigned
!
!
crypto pki certificate chain TP-self-signed-359420xxx
 certificate self-signed 01
crypto pki certificate chain test_trustpoint_config_created_for_sdm
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.101.1 192.168.101.50
ip dhcp excluded-address 192.168.250.1 192.168.250.50
ip dhcp excluded-address 192.168.1.101 192.168.1.105
!
ip dhcp pool Lan_Users
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name example.com
 dns-server x.x.x.x
!
ip dhcp pool Lan_Users
 import all
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 domain-name example.com
 dns-server x.x.x.x
!
ip dhcp pool WLan_Users_Internet_Only
 import all
 network 192.168.250.0 255.255.255.0
 default-router 192.168.250.1
 domain-name example.com
 dns-server x.x.x.x
!
!
!
ip cef
no ip bootp server
ip domain name example.com
ip name-server 8.8.8.8
ip port-map user-BigAntIM-udp port udp 6662 description port used by BigAnt Messenger
ip port-map user-BigAntIM-tcp port tcp from 6660 to 6661 description port used by BigAnt Messenger
login block-for 30 attempts 5 within 60
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local message-blocked
 alert off
 block-page message "This webpage is temporary not availbale"
parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]

parameter-map type urlf-glob social-sites
 pattern facebook.com
 pattern *.facebook.com
 pattern youtube.com
 pattern *.youtube.com

parameter-map type urlf-glob allow-other-sites
 pattern *

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

password encryption aes
!
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
 match access-group name dmz-traffic
 match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect smtp match-any ccp-app-smtp
 match data-length gt 5000000
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
 match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-any dmz-to-lan-service
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls--1
 match class-map dmz-to-lan-service
 match access-group name permit-dmz-to-lan
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map match-any cls-internet-video
 match protocol http mime "application/x-shockwave-flash"
 match protocol http url "*.swf"
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any dmz-to-lan-protocols
 match protocol icmp
 match protocol user-BigAntIM-tcp
 match protocol user-BigAntIM-udp
class-map type inspect match-all cls-dmz-to-lan-traffic
 match class-map dmz-to-lan-protocols
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cls-social-sites
 match server-domain urlf-glob social-sites
class-map type inspect match-any cls-dns
 match protocol dns
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type urlfilter match-any cls-allow-other-sites
 match server-domain urlf-glob allow-other-sites
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any cls-https
 match protocol https
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
 match access-group 103
 match access-group 104
 match access-group 105
class-map type inspect match-any cls-http
 match protocol http
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-any cls-audio-video
 match protocol rtsp
 match protocol appleqtc
 match protocol realmedia
class-map type inspect match-all cls-ip-audio-video
 match class-map cls-audio-video
 match access-group name ip-with-audio-video-access
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 102
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method post
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect match-all ccp-protocol-smtp
 match protocol smtp
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
policy-map type inspect urlfilter filter-web-access
 description Filtering LAN WebAccess
 parameter type urlfpolicy local message-blocked
 class type urlfilter cls-social-sites
  log
  reset
 class type urlfilter cls-allow-other-sites
  allow
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  allow
 class type inspect http ccp-app-httpmethods
  log
  allow
 class type inspect http ccp-app-nonascii
  log
  allow
policy-map type inspect smtp ccp-action-smtp
 class type inspect smtp ccp-app-smtp
  reset
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
  reset
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect cls-ip-audio-video
  drop log
 class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
  service-policy urlfilter filter-web-access
 class type inspect ccp-protocol-smtp
  inspect
  service-policy smtp ccp-action-smtp
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  drop log
 class type inspect ccp-protocol-im
  pass log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  drop log
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-dmz-internet
 class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-im
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-protocol-p2p
  drop log
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect cls-dmz-to-lan-traffic
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security dmz-zone
zone security ezvpn-zone
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
 service-policy type inspect ccp-policy-dmz-internet
!
!
!
!
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 10.10.7.1 255.255.255.0
 zone-member security in-zone
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 description $FW_OUTSIDE$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
!
!
interface FastEthernet0
 description WAN Interface$FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no cdp enable
!
!
interface FastEthernet1
 description Vlan 100 Lan Users
 switchport access vlan 100
!
!
interface FastEthernet2
 description Vlan 100 Lan Users
 switchport access vlan 100
!
!
interface FastEthernet3
 description Vlan 102 WLan User with Internet Only
 switchport access vlan 102
!
!
interface FastEthernet4
 description Vlan 102 WLan User with Internet Only
 switchport access vlan 102
!
!
interface FastEthernet5
 description Vlan 101 WLan Users
 switchport access vlan 101
!
!
interface FastEthernet6
 description Vlan 101 WLan Users
 switchport access vlan 101
!
!
interface FastEthernet7
 description Trunk Ports
 switchport trunk native vlan 200
 switchport mode trunk
 duplex full
 speed 100
!
!
interface FastEthernet8
 description Trunk Ports
 switchport trunk native vlan 200
 switchport mode trunk
 duplex full
 speed 100
!
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip tcp adjust-mss 1452
!
!
interface Vlan100
 description Gateway of Lan_Users$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
!
interface Vlan101
 description Gateway of Lan_Users$FW_INSIDE$
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
!
interface Vlan102
 description Gateway of Wireless Users with Internet Only$FW_INSIDE$
 ip address 192.168.250.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
!
interface Vlan200
 description Management$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
!
interface Vlan300
 description Gateway of DMZ$FW_DMZ$
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
!
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 shutdown
 dialer pool 1
 no cdp enable
!
!
ip local pool vpn_pool 10.10.6.101 10.10.6.110
no ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source static tcp 192.168.200.51 80 interface FastEthernet0 80
ip nat inside source list 1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip access-list standard ip-with-audio-video-access
 deny   192.168.1.100
 permit any
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 192.168.200.51
ip access-list extended dmznotoeGaps
 deny   ip host 192.168.200.51 host 192.168.1.100 log
 deny   ip host 192.168.1.100 host 192.168.200.51 log
 permit ip any any
ip access-list extended permit-dmz-to-lan
 remark CCP_ACL Category=128
 permit ip host 192.168.200.51 192.168.1.0 0.0.0.255
!
access-list 1 remark Allow on NAT
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.6.0 0.0.0.255
access-list 2 permit 192.168.1.105
access-list 2 permit 192.168.1.104
access-list 2 permit 10.10.6.5
access-list 2 permit 192.168.1.101
access-list 2 remark Allow to remote Cisco1801
access-list 2 permit 192.168.1.100
access-list 2 permit 192.168.1.103
access-list 2 permit 192.168.1.102
access-list 2 permit 10.10.6.102
access-list 2 permit 10.10.6.103
access-list 2 permit 10.10.6.101
access-list 2 permit 10.10.6.106
access-list 2 permit 10.10.6.104
access-list 2 permit 192.168.200.51
access-list 100 remark DMZandServerOfeGapsHasNoCommunication
access-list 100 deny ip host 192.168.1.100 host 192.168.200.51 log
access-list 100 deny ip host 192.168.200.51 host 192.168.1.100 log
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 125.212.93.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 4000 1000
scheduler interval 500
end

Router1#
Re: [Config] Cisco 1801: How to block a specific local IP address

Ideally you need to use a web content filter appliance that authenticates against credentials on a Windows DC or some RADIUS server.
jeffbor
to aryoba
Is there any other way to block a specific LAN IP from a specific website other than credentials on a Windows DC or some RADIUS server?
aryoba
MVM
2012-Oct-5 10:52 am
There are other solutions, such as blocking by IP using an ACL; however, it is not a long-term solution and may be unreliable.
to jeffbor
As aryoba noted, blocking URLs by IP address is hit and miss, and with sites as big as Facebook or YouTube, likely more miss than hit. If this is for an enterprise, GET THE RIGHT TOOL FOR THE RIGHT JOB! That can't be stressed enough. If this is for home, or if you just want to do some learning, try this FAQ entry: » Cisco Forum FAQ » Internet access restriction without a proxy server/websense solution?
Regards
mbruno
Member
2012-Oct-5 12:03 pm
HellFire, you are assuming that the company will hand over the $$$ to do this. I know where I work it is like pulling freaking teeth at times. You can talk until you are blue in the face and try to explain to them why this is the right way of doing something and not the cheap, poor way that is half a$$.
@mbruno My job description is Layer 1 to 4 troubleshooting; Layers 5 to 7 are NOT my forte, and Layers 8 to 11 I leave to my boss(es). But I'm no stranger to the "cheap, fast, perfect, AND ready by yesterday" mentality either. It's caused a loss of at least 5 years of my life expectancy, of which HR has indicated there's no way they're gonna pay for that under OverTime or Medical. Bastards!
Regards
69484123 (banned)
to aryoba
I agree with you. He should use a better web content filter.
to jeffbor
You can set up WCCP and download either nginx or squid, which are both free proxy servers.
1. Set up the router to redirect ALL web traffic to the squid/nginx IP.
2. Set up the proxy server to block what the boss says...
3. Go have a Johnny Walker.
Hi! Thanks for the suggestion. What I've done is to combine the Zone Based firewall with CBAC to block specific websites for specific users, because we can't afford to have another server. I don't know if this is good, but it is working. I don't know if this would pass as best practice for combining them. We have just changed our ISP and now we are a PPPoE client. The router is behind a modem that is in bridging mode. Could somebody suggest whether my configuration needs to be changed for a better configuration? Is the configuration for my dialer and the port Fa0 connecting to the modem correct? I also want to block flash and ads on the web, but I can't make it work. Thanks!
Here is my new configuration:
ISP------modem(rj45)------utp_cable------(rj45)Router------LAN
Router1#show running-config
Load for five secs: 13%/4%; one minute: 12%; five minutes: 9%
Time source is hardware calendar, *13:22:15.094 UTC Thu Oct 18 2012
Building configuration...

Current configuration : 28182 bytes
!
!
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 8 log
security passwords min-length 6
logging buffered 4096
!
aaa new-model
aaa local authentication attempts max-fail 8
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed-3594207468
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed
 certificate self-signed 01
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.101.1 192.168.101.50
ip dhcp excluded-address 192.168.250.1 192.168.250.50
ip dhcp excluded-address 192.168.1.101 192.168.1.105
ip dhcp excluded-address 192.168.2.1 192.168.2.51
!
ip dhcp pool Lan_Users
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.10
 domain-name domain.com
 dns-server 8.8.8.8
!
ip dhcp pool WLan_Users
 import all
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 domain-name domain.com
 dns-server 192.168.101.1
!
ip dhcp pool WLan_Users_Internet_Only
 import all
 network 192.168.250.0 255.255.255.0
 default-router 192.168.250.1
 domain-name domain.com
 dns-server 192.168.250.1
!
ip dhcp pool user1
 host 192.168.1.105 255.255.255.0
 client-identifier 0017.c4dd.5f18
!
ip dhcp pool IT_Users
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.2.1
 domain-name domain.com
!
!
ip cef
no ip bootp server
ip domain name bdomain.com
ip host SP_SERVER 192.168.1.100
ip name-server 8.8.8.8
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip port-map user-Netsupport port tcp 5405 description Allow Netsupport from DMZ to LAN
ip port-map user-Procontrol port tcp from 12301 to 12310 description Ports use by eGaps
ip port-map user-BigAntIM-udp port udp 6662 description port used by BigAnt Messenger
ip port-map user-BigAntIM-tcp port tcp from 6660 to 6661 description port used by BigAnt Messenger
login block-for 30 attempts 5 within 60
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
 source-ip 192.168.1.1
!
parameter-map type urlfpolicy local message-blocked
 alert off
 block-page message "This webpage is temporary not available"
parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]

parameter-map type urlf-glob social-sites
 pattern *.sex.com

parameter-map type urlf-glob allow-other-sites
 pattern *

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

password encryption aes
!
!
license udi pid CISCO1801/K9 sn FGL163320RX
username xxxx password xxxxxx
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
 match access-group name dmz-traffic
 match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect smtp match-any ccp-app-smtp
 match data-length gt 5000000
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
 match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-any dmz-to-lan-service
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls--1
 match class-map dmz-to-lan-service
 match access-group name permit-dmz-to-lan
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map match-any cls-internet-video
 match protocol http mime "application/x-shockwave-flash"
 match protocol http url "*.swf"
 match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4alatm"
 match protocol http url "*.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov"
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any dmz-to-lan-protocols
 match protocol icmp
 match protocol user-BigAntIM-tcp
 match protocol user-BigAntIM-udp
 match protocol user-Netsupport
class-map type inspect match-all cls-dmz-to-lan-traffic
 match class-map dmz-to-lan-protocols
 match access-group name Lan-toDMZ
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cls-social-sites
 match server-domain urlf-glob social-sites
class-map type inspect match-any cls-dns
 match protocol dns
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any eGaps-services
 match protocol user-Procontrol
 match protocol tcp
class-map type inspect match-all cls-eGaps-services
 match class-map eGaps-services
 match access-group name eGaps-to-DMZ
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type urlfilter match-any cls-allow-other-sites
 match server-domain urlf-glob allow-other-sites
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any cls-https
 match protocol https
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
 match access-group 103
 match access-group 104
 match access-group 105
class-map type inspect match-any cls-http
 match protocol http
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map match-any cls-unrestrictedip
 match access-group name unrestrictedip
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map match-any social-web-access
 match protocol http host "fb.com"
class-map match-all cls-denysocialnetworksschedule
 match access-group name denysocialnetworksschedule
 match class-map social-web-access
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 102
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method post
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect match-all ccp-protocol-smtp
 match protocol smtp
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map drop-social-web-access-&-net-vid-flash
 class cls-unrestrictedip
 class cls-denysocialnetworksschedule
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice-lan
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect cls-dmz-to-lan-traffic
  inspect
 class type inspect cls-eGaps-services
  inspect
 class class-default
  drop
policy-map type inspect urlfilter filter-web-access
 description Filtering LAN WebAccess
 parameter type urlfpolicy local message-blocked
 class type urlfilter cls-social-sites
  log
  reset
 class type urlfilter cls-allow-other-sites
  allow
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  allow
 class type inspect http ccp-app-httpmethods
  log
  allow
 class type inspect http ccp-app-nonascii
  log
  allow
policy-map type inspect smtp ccp-action-smtp
 class type inspect smtp ccp-app-smtp
  reset
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
  reset
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
  service-policy urlfilter filter-web-access
 class type inspect ccp-protocol-smtp
  inspect
  service-policy smtp ccp-action-smtp
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  drop log
 class type inspect ccp-protocol-im
  pass log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  drop log
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-dmz-internet
 class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-im
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-protocol-p2p
  drop log
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect cls-dmz-to-lan-traffic
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security dmz-zone zone security ezvpn-zone zone security in-zone zone security out-zone zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone service-policy type inspect ccp-permit-dmzservice zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permit zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone service-policy type inspect sdm-pol-NATOutsideToInside-1 zone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreply zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone service-policy type inspect sdm-permit-ip zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone service-policy type inspect ccp-permit-dmzservice-lan zone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspect zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone service-policy type inspect ccp-policy-dmz-internet zone-pair security dmz-in source dmz-zone destination in-zone service-policy type inspect ccp-permit-dmzservice-lan ! ! crypto isakmp policy 1 encr aes 256 authentication pre-share group 2 lifetime 10800 ! crypto isakmp client configuration group vpngrp key password dns 8.8.8.8 pool vpn_pool acl 101 max-users 5 crypto isakmp profile ciscocp-ike-profile-1 match identity group vpngrp client authentication list ciscocp_vpn_xauth_ml_1 isakmp authorization list ciscocp_vpn_group_ml_1 client configuration address respond virtual-template 1 ! ! 
crypto ipsec transform-set transformset esp-aes 256 esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set security-association idle-time 300 set transform-set transformset set isakmp-profile ciscocp-ike-profile-1 ! ! ! ! ! ! interface Loopback0 description $FW_INSIDE$ ip address 10.10.7.1 255.255.255.0 zone-member security in-zone ! ! interface Null0 no ip unreachables ! interface ATM0 description $FW_OUTSIDE$ no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress zone-member security out-zone shutdown no atm ilmi-keepalive ! pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1 ! ! interface BRI0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress encapsulation hdlc shutdown ! ! interface FastEthernet0 description WAN Interface$FW_OUTSIDE$ no ip address no ip redirects no ip unreachables no ip proxy-arp ip verify unicast reverse-path ip flow ingress ip virtual-reassembly zone-member security out-zone ip tcp adjust-mss 1452 duplex auto speed auto pppoe enable group global pppoe-client dial-pool-number 1 no cdp enable ! ! interface FastEthernet1 description Vlan 100 Lan Users switchport access vlan 100 ! ! interface FastEthernet2 description Vlan 100 Lan Users switchport access vlan 100 ! ! interface FastEthernet3 description Vlan 102 WLan User with Internet Only switchport access vlan 102 ! ! interface FastEthernet4 description Vlan 102 WLan User with Internet Only switchport access vlan 102 ! ! interface FastEthernet5 description Vlan 101 WLan Users switchport access vlan 101 ! ! interface FastEthernet6 description Vlan 101 WLan Users switchport access vlan 101 ! ! interface FastEthernet7 description Trunk Ports switchport trunk native vlan 200 switchport mode trunk duplex full speed 100 ! ! interface FastEthernet8 description Trunk Ports switchport trunk native vlan 200 switchport mode trunk duplex full speed 100 ! ! 
interface Virtual-Template1 type tunnel ip unnumbered Loopback0 zone-member security ezvpn-zone tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$ no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip tcp adjust-mss 1452 ! ! interface Vlan100 description Gateway of LAN_Users$FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone ! ! interface Vlan101 description Gateway of WLAN_Users$FW_INSIDE$ ip address 192.168.101.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone ! ! interface Vlan102 description Gateway of Wireless Users with Internet Only$FW_INSIDE$ ip address 192.168.250.1 255.255.255.0 ip access-group 150 in ip nat inside ip virtual-reassembly zone-member security in-zone ! ! interface Vlan120 description Gateway of Users of ISP2 (IT) ip address 192.168.2.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone ! ! interface Vlan200 description Management$FW_INSIDE$ ip address 10.10.10.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone ! ! interface Vlan300 description Gateway of DMZ$FW_DMZ$ ip address 192.168.200.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security dmz-zone ! ! interface Dialer0 no ip address no cdp enable ! ! interface Dialer1 description $FW_OUTSIDE$ ip address negotiated no ip redirects no ip unreachables no ip proxy-arp ip mtu 1492 ip flow ingress ip nat outside ip virtual-reassembly zone-member security out-zone encapsulation ppp ip tcp adjust-mss 1410 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp chap hostname xxx ppp chap password xxx ppp pap sent-username xxx password xxx no cdp enable ! ! 
ip local pool vpn_pool 10.10.6.101 10.10.6.110 no ip forward-protocol nd no ip http server ip http access-class 2 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip dns server ip nat inside source list 1 interface Dialer1 overload ip nat inside source static tcp 192.168.200.51 80 xxx.xxx.xxx.xxx 80 extendable ip route 0.0.0.0 0.0.0.0 Dialer1 ip route 10.10.10.0 255.255.255.0 10.10.6.1 ! ip access-list standard unrestrictedip permit 192.168.1.100 permit 192.168.1.60 ! ip access-list extended Lan-toDMZ remark CCP_ACL Category=128 permit ip 192.168.1.0 0.0.0.255 host 192.168.200.51 permit ip 192.168.101.0 0.0.0.255 host 192.168.200.51 permit ip 192.168.250.0 0.0.0.255 host 192.168.200.51 permit ip 10.10.6.0 0.0.0.255 host 192.168.200.51 ip access-list extended SDM_AH remark CCP_ACL Category=1 permit ahp any any ip access-list extended SDM_BOOTPC remark CCP_ACL Category=0 permit udp any any eq bootpc ip access-list extended SDM_ESP remark CCP_ACL Category=1 permit esp any any ip access-list extended SDM_IP remark CCP_ACL Category=1 permit ip any any ip access-list extended denysocialnetworksschedule permit ip any any time-range no-social-sites permit ip any any time-range no-social-sites-2 ip access-list extended dmz-traffic remark CCP_ACL Category=1 permit ip any host 192.168.200.51 ip access-list extended dmznotoeGaps deny ip host 192.168.200.51 host 192.168.1.100 log deny ip host 192.168.1.100 host 192.168.200.51 log permit ip any any ip access-list extended eGaps-to-DMZ remark Allow DMZ to access eGaps permit ip host 192.168.1.100 host 192.168.200.51 permit ip host 192.168.200.51 host 192.168.1.100 ip access-list extended no-cisco deny tcp any host 96.16.224.170 eq www permit ip any any ip access-list extended permit-dmz-to-lan remark CCP_ACL Category=128 permit ip host 192.168.200.51 192.168.1.0 0.0.0.255 ! 
access-list 1 remark Allow to NAT on ISP1(BAYANTEL) access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.101.0 0.0.0.255 access-list 1 permit 192.168.250.0 0.0.0.255 access-list 1 permit 192.168.200.0 0.0.0.255 access-list 2 permit 192.168.1.105 access-list 2 permit 192.168.1.104 access-list 2 permit 10.10.10.2 access-list 2 permit 192.168.1.101 access-list 2 remark Allow to remote Cisco1801 access-list 2 permit 192.168.1.100 access-list 2 permit 192.168.1.103 access-list 2 permit 192.168.1.102 access-list 2 permit 10.10.6.102 access-list 2 permit 10.10.6.103 access-list 2 permit 10.10.6.101 access-list 2 permit 10.10.6.106 access-list 2 permit 10.10.6.104 access-list 2 permit 10.10.6.105 access-list 2 permit 10.10.6.0 0.0.0.255 access-list 20 remark Allow to NAT on ISP2(PLDT) access-list 20 permit 192.160.2.0 0.0.0.255 access-list 20 permit 192.160.200.0 0.0.0.255 access-list 100 remark DMZandServerOfeGapsHasNoCommunication access-list 100 deny ip host 192.168.1.100 host 192.168.200.51 log access-list 100 deny ip host 192.168.200.51 host 192.168.1.100 log access-list 100 permit ip any any access-list 101 remark CCP_ACL Category=4 access-list 101 permit ip 192.168.1.0 0.0.0.255 any access-list 101 permit ip 192.168.101.0 0.0.0.255 any access-list 101 permit ip 192.168.200.0 0.0.0.255 any access-list 101 permit ip 192.168.250.0 0.0.0.255 any access-list 102 remark CCP_ACL Category=128 access-list 102 permit ip host 255.255.255.255 any access-list 102 permit ip 127.0.0.0 0.255.255.255 any access-list 102 permit ip 125.212.93.0 0.0.0.255 any access-list 102 permit ip 192.168.200.0 0.0.0.255 any access-list 103 remark CCP_ACL Category=1 access-list 103 permit tcp any any eq 10000 access-list 104 remark CCP_ACL Category=1 access-list 104 permit tcp any any eq 10000 access-list 105 remark CCP_ACL Category=1 access-list 105 permit tcp any any eq 10000 access-list 150 remark no-cisco access-list 150 remark DenyInternetUsersToeGaps access-list 150 deny ip 
192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255 log access-list 150 permit ip any any dialer-list 1 protocol ip permit no cdp run
! ! ! ! ! ! control-plane ! ! line con 0 line aux 0 line vty 0 4 access-class 2 in exec-timeout 5 0 logging synchronous exec prompt timestamp length 5 transport input ssh line vty 5 15 access-class 2 in exec-timeout 5 0 logging synchronous exec prompt timestamp length 5 transport input ssh ! scheduler allocate 4000 1000 scheduler interval 500 time-range no-social-sites periodic weekdays 8:00 to 11:55 ! time-range no-social-sites-2 periodic weekdays 13:00 to 17:00 ! end
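The posted config defines class-maps, policy-maps and zone-pairs in three separate sections, so it is easy to lose track of which policies are actually in effect. The script below is an added example (Python, standard library only; not code from this thread or from Cisco) that parses a running-config and reports policy-maps never attached by any `service-policy` line (on a zone-pair, on an interface, or nested inside a parent policy-map), class names a policy-map or class-map references but that are never defined, and each zone-pair with its policy. The `SAMPLE_CONFIG` is a constructed excerpt modeled on the posted config; it deliberately leaves `cls-unrestrictedip` undefined so the second check has something to report. Run against the config as posted above, the first check would flag `drop-social-web-access-&-net-vid-flash` (no interface in the posted config applies it with `service-policy input` or `service-policy output`) and `ccp-policy-ccp-cls--1` (no zone-pair names it), while `filter-web-access` and the `ccp-action-*` policies count as attached because `ccp-inspect` references them with nested `service-policy` lines.

```python
"""Audit a Cisco IOS zone-based firewall config for dangling references.

Added example, not code from the thread: reports policy-maps never attached by
a `service-policy` line (on a zone-pair, an interface, or nested in a parent
policy-map), class names referenced by a policy-map or class-map but never
defined, and each zone-pair with its policy. SAMPLE_CONFIG is constructed.
"""
import re

# Block headers. Types such as "inspect http" are multi-word, so the type group
# is non-greedy and the block name is always the last token on the line.
CLASS_MAP_RE = re.compile(r"^class-map (?:type .+? )?(?:match-any|match-all) (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map (?:type .+? )?(\S+)$")
ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)")
TOP_LEVEL = [("class-map", CLASS_MAP_RE), ("policy-map", POLICY_MAP_RE),
             ("zone-pair", ZONE_PAIR_RE), ("interface", INTERFACE_RE)]
# Indented child lines that create a reference to a class or a policy-map.
CLASS_REF_RE = re.compile(r"^\s+class (?:type .+? )?(\S+)$")
MATCH_CLASS_RE = re.compile(r"^\s+match class-map (\S+)$")
SERVICE_POLICY_RE = re.compile(r"^\s+service-policy (?:.+ )?(\S+)$")

# Constructed excerpt modeled on the posted config (not the full running-config).
SAMPLE_CONFIG = """\
class-map match-any social-web-access
 match protocol http host "fb.com"
class-map match-all cls-denysocialnetworksschedule
 match access-group name denysocialnetworksschedule
 match class-map social-web-access
class-map type urlfilter match-any cls-social-sites
 match server-domain urlf-glob social-sites
class-map type inspect match-all ccp-protocol-http
 match protocol http
policy-map drop-social-web-access-&-net-vid-flash
 class cls-unrestrictedip
 class cls-denysocialnetworksschedule
  drop
policy-map type inspect urlfilter filter-web-access
 class type urlfilter cls-social-sites
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-protocol-http
  inspect
  service-policy urlfilter filter-web-access
 class class-default
  drop
!
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
!
"""


def audit(config_text):
    defined_classes, policy_maps, attached = set(), set(), set()
    referenced, zone_pairs, block = {}, [], None   # block = (kind, name) being parsed

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():
            block = None   # an unindented line closes the current block
            for kind, pattern in TOP_LEVEL:
                m = pattern.match(line)
                if m:
                    block = (kind, m.group(1))
                    break
            if block is None:
                continue
            if block[0] == "class-map":
                defined_classes.add(block[1])
            elif block[0] == "policy-map":
                policy_maps.add(block[1])
            elif block[0] == "zone-pair":
                zone_pairs.append({"name": block[1], "source": m.group(2),
                                   "destination": m.group(3), "policy": None})
            continue
        if block is None:
            continue
        kind, name = block
        ref = None
        if kind == "policy-map":
            ref = CLASS_REF_RE.match(line)
        elif kind == "class-map":
            ref = MATCH_CLASS_RE.match(line)
        if ref and ref.group(1) != "class-default":
            referenced.setdefault(ref.group(1), set()).add(name)
        sp = SERVICE_POLICY_RE.match(line)
        if sp:   # zone-pair, interface and nested attachments all count
            attached.add(sp.group(1))
            if kind == "zone-pair":
                zone_pairs[-1]["policy"] = sp.group(1)

    return {
        "unattached_policy_maps": sorted(policy_maps - attached),
        "undefined_class_maps": {c: sorted(refs) for c, refs in sorted(referenced.items())
                                 if c not in defined_classes},
        "zone_pairs": zone_pairs,
    }
```

To use it on a real box, capture `show running-config` to a file after `terminal length 0` (so no `--More--` pager prompts end up in the text, as one did in the paste above) and call `audit(open("running-config.txt").read())`. On a complete capture the `undefined_class_maps` entry should be empty; anything listed there, or under `unattached_policy_maps`, is configuration that is not enforcing anything.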
to jeffbor
said by jeffbor:
I don't know if this is good but it is working.

If it works, then that's good enough short of using the previously given suggestions.

said by jeffbor:
I also want to block flash and ads on the web, but I can't make it.

Cheaper / Easier way to block ads is via the endhosts' host file, honestly. Just my 00000010 bits. Regards