Hi,
Can someone please help me with the following.
I have a router with 2 fa interfaces connected to two different networks. I am working on int fa 0/0.
I have a dialer1 int which provides the internet connection.
I have configured ip inspect so that any host on the int fa 0/0 network can access the internet as long as the connection was initiated from within that network.
How do I go about blocking certain websites?
I thought that I could go about this by creating a DNS server on the router, which I think I have done, and then creating an ACL to block the websites. The domain name to IP address translation is carried out by the router, but the blocking is not carried out.
Where would I implement the ACL? On the dialer1 interface in the in direction?
How do I get around blocking large sites, such as ones which may have multiple IP addresses?
I have tried to put the ACL on the dialer1 interface in both the in and out directions and also on the int fa 0/0 interface with no luck, so I am passing it to the guys here to see if anyone can help.
config
Router#show config
Using 3766 out of 57336 bytes
!
! Last configuration change at 15:47:06 PCTime Tue May 10 2011
! NVRAM config last updated at 15:47:09 PCTime Tue May 10 2011
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
ip inspect name ALLOW_INT http
ip inspect name ALLOW_INT https
ip inspect name ALLOW_INT dns
ip inspect name ALLOW_INT smtp
ip inspect name ALLOW_INT icmp
ip inspect name ALLOW_INT tcp
ip inspect name ALLOW_INT udp
ip inspect name tctp_out tcp
ip inspect name tctp_out udp
no ip dhcp use vrf connected
!
ip dhcp pool sec_pool
network 192.168.0.0 255.255.255.192
domain-name s7528752725
default-router 192.168.0.5
dns-server 192.168.0.1
lease 5
!
ip dhcp pool sec-pool
domain-name 752727752
!
!
ip name-server 192.168.0.1
ip name-server 208.67.222.222
!
!
!
!
username 7272727 privilege 15 password 0 52752752
!
!
!
!
!
!
!
interface ATM0/0
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.0.5 255.255.255.192
ip access-group 102 in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.26 255.255.255.0
ip access-group 110 in
duplex auto
speed auto
!
interface Dialer1
description ***A72272572752727521***
ip address 272727272727 255.255.255.254
ip access-group 101 in
ip inspect ALLOW_INT out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname B2727272
ppp chap password 0 s725725272
!
ip local pool SDM_POOL_1 192.168.0.60 192.168.0.62
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 25 217.34.41.55 25 extendable
ip nat inside source static tcp 192.168.0.1 8745 217.34.41.55 8745 extendable
ip dns server
!
no logging trap
logging source-interface FastEthernet0/1
access-list 1 permit 192.168.0.0 0.0.0.63
access-list 101 permit tcp host 572752752727 host 7527527527527272 eq 8745
access-list 101 deny tcp any any eq www
access-list 101 deny ip any any log
access-list 102 permit tcp host 7272727272727 host 727272572752725 eq 8745
access-list 102 deny tcp any host 212.58.244.71 eq www
access-list 102 deny tcp any host 66.220.147.22 eq www
access-list 102 permit ip any any
access-list 110 permit ip host 10.1.1.85 host 10.1.1.26
access-list 110 permit tcp host 10.1.1.85 host 10.1.1.26
access-list 110 permit ip 192.168.0.0 0.0.0.63 host 10.1.1.8
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 source-quench
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 parameter-problem
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 packet-too-big
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 echo
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
banner motd ^C
tghdbdbgdbdfbfdbfdgbfdb
^C
!
line con 0
password
line aux 0
line vty 0 4
exec-timeout 0 0
password
login
!
!
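As an added example (not part of the original post or the poster's running configuration), the snippet below shows how the three things asked about are normally done on IOS 12.4: placing the address-based ACL correctly, blocking by hostname so that multi-address sites are covered, and using the router's DNS server as a sinkhole. The two server addresses are the ones already in ACL 102 above; the names BLOCKED_SITES and BLOCK_WEB, the example.com / example.net hostnames and the 192.0.2.1 sinkhole address are placeholders.

```cisco
! Added example for the question above, not taken from the poster's config.
! BLOCKED_SITES, BLOCK_WEB, example.com/example.net and 192.0.2.1 are placeholders.
!
! --- 1. Address-based ACL: keep it inbound on FastEthernet0/0 --------------
! Inbound on Fa0/0 is the correct place: packets are seen before NAT, so the
! destination is still the real server address. The posted entries only deny
! port 80, and browsers simply fall back to HTTPS, so deny 443 as well.
! New lines on a numbered ACL are appended AFTER "permit ip any any" and would
! never match, so use sequence numbers to slot them in before line 40.
ip access-list extended 102
 32 deny tcp any host 212.58.244.71 eq 443
 34 deny tcp any host 66.220.147.22 eq 443
!
! --- 2. Hostname-based block with NBAR (plain HTTP only) --------------------
! Matches the HTTP Host: header, so one entry covers a site regardless of how
! many addresses it resolves to. 12.4 NBAR does not classify HTTPS by hostname,
! so https:// access to the same site is NOT stopped by this policy.
class-map match-any BLOCKED_SITES
 match protocol http host "*example.com*"
 match protocol http host "*example.net*"
!
policy-map BLOCK_WEB
 class BLOCKED_SITES
  drop
!
interface FastEthernet0/0
 service-policy input BLOCK_WEB
!
! --- 3. DNS sinkhole on the router -----------------------------------------
! With "ip dns server" enabled, names in the static host table are answered
! locally instead of being forwarded to the configured name-servers, so the
! client is handed an address that goes nowhere. Two caveats: it only applies
! to clients that resolve through this router (the DHCP pool above hands out
! 192.168.0.1, not the router's 192.168.0.5), and entries match exact names,
! so every hostname variant you care about needs its own line.
ip host example.com     192.0.2.1
ip host www.example.com 192.0.2.1
```

Why the earlier attempts failed: inbound on Dialer1 the ACL only ever sees return traffic, whose destination port is the client's ephemeral port rather than 80 or 443, so `deny tcp any any eq www` never matches there; outbound on Dialer1 would match, but it is the wrong side of NAT to apply a per-LAN policy and it interacts with the `ip inspect ALLOW_INT out` statement on the same interface. To confirm the policy is actually being hit, watch the counters with `show access-lists 102` and `show policy-map interface FastEthernet0/0` while a client tries to load one of the blocked sites.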