
Blocking Websites using ACL


skk391 (Technical User, GB; Mar 3, 2009)
Hi,

Can someone please help me with the following.

I have a router with 2 fa interfaces connected to two different networks. I am working on int fa 0/0.

I have a dialer1 int which provides the internet connection.

I have configured ip inspect so that any host from the int fa 0/0 network can access the internet as long as the connection was initiated from within that network.

How do I go about blocking certain websites?

I thought that I could do this by creating a DNS server on the router, which I think I have done, and then creating an ACL to block the websites. The domain name to IP address translation is carried out by the router, but the blocking is not carried out.

Where would I implement the ACL? On the dialer1 interface in the in direction?

How do I get around blocking large sites such as which may have multiple IP addresses?

I have tried to put the ACL on the dialer1 interface in both the in and out direction and also on the int fa 0/0 interface with no luck, so I am passing it to the guys here to see if anyone can help.

config:

Router#show config
Using 3766 out of 57336 bytes
!
! Last configuration change at 15:47:06 PCTime Tue May 10 2011
! NVRAM config last updated at 15:47:09 PCTime Tue May 10 2011
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
ip inspect name ALLOW_INT http
ip inspect name ALLOW_INT https
ip inspect name ALLOW_INT dns
ip inspect name ALLOW_INT smtp
ip inspect name ALLOW_INT icmp
ip inspect name ALLOW_INT tcp
ip inspect name ALLOW_INT udp
ip inspect name tctp_out tcp
ip inspect name tctp_out udp
no ip dhcp use vrf connected
!
ip dhcp pool sec_pool
network 192.168.0.0 255.255.255.192
domain-name s7528752725
default-router 192.168.0.5
dns-server 192.168.0.1
lease 5
!
ip dhcp pool sec-pool
domain-name 752727752
!
!
ip name-server 192.168.0.1
ip name-server 208.67.222.222
!
!
!
!
username 7272727 privilege 15 password 0 52752752
!
!
!
!
!
!
!
interface ATM0/0
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.0.5 255.255.255.192
ip access-group 102 in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.26 255.255.255.0
ip access-group 110 in
duplex auto
speed auto
!
interface Dialer1
description ***A72272572752727521***
ip address 272727272727 255.255.255.254
ip access-group 101 in
ip inspect ALLOW_INT out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname B2727272
ppp chap password 0 s725725272
!
ip local pool SDM_POOL_1 192.168.0.60 192.168.0.62
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 25 217.34.41.55 25 extendable
ip nat inside source static tcp 192.168.0.1 8745 217.34.41.55 8745 extendable
ip dns server
!
no logging trap
logging source-interface FastEthernet0/1
access-list 1 permit 192.168.0.0 0.0.0.63
access-list 101 permit tcp host 572752752727 host 7527527527527272 eq 8745
access-list 101 deny tcp any any eq www
access-list 101 deny ip any any log
access-list 102 permit tcp host 7272727272727 host 727272572752725 eq 8745
access-list 102 deny tcp any host 212.58.244.71 eq www
access-list 102 deny tcp any host 66.220.147.22 eq www
access-list 102 permit ip any any
access-list 110 permit ip host 10.1.1.85 host 10.1.1.26
access-list 110 permit tcp host 10.1.1.85 host 10.1.1.26
access-list 110 permit ip 192.168.0.0 0.0.0.63 host 10.1.1.8
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 source-quench
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 parameter-problem
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 packet-too-big
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255 echo
access-list 110 permit icmp 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
banner motd ^C
tghdbdbgdbdfbfdbfdgbfdb
^C
!
line con 0
password
line aux 0
line vty 0 4
exec-timeout 0 0
password
login
!
!
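An added example, not code from the thread: a small Python evaluator for the extended numbered ACLs in the posted config, using IOS first-match semantics and the implicit deny at the end of every list. It shows why ACL 102 on fa0/0 stops only the two listed addresses, so a site served from several IPs, or reached over HTTPS, still gets through; the sample ACL text is copied from the config above, ACL 101 is left out because its addresses are redacted, and only contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed sample: the fa0/0 inbound list (102) and two lines of 110 from
# the posted config. ACL 101 is omitted because its addresses are redacted.
ACL_TEXT = """
access-list 102 deny tcp any host 212.58.244.71 eq www
access-list 102 deny tcp any host 66.220.147.22 eq www
access-list 102 permit ip any any
access-list 110 permit ip 192.168.0.0 0.0.0.63 host 10.1.1.8
access-list 110 deny ip 192.168.0.0 0.0.0.63 10.1.1.0 0.0.0.255
"""
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard masks are inverted netmasks (only contiguous masks handled here).
    mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))))
    return ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]

def parse_acl(text):
    """Parse extended (100-199) numbered ACL lines into {number: [rules]}."""
    rules = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:            # a trailing 'log' keyword is ignored
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
    return rules

def evaluate(rules, acl, proto, src, dst, dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules.get(acl, []):
        action, rproto, rsrc, rdst, rport = rule
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, rule
    return "deny", None      # implicit deny at the end of every IOS ACL
```

It models static ACL matching only; the dynamic entries that ip inspect (CBAC) opens for return traffic are not represented, which is the interaction the follow-up question asks about.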
 
To do what you want you need a firewall (ASA), the IOS firewall (ZBF), or a Websense server to restrict web access.

Packet filters (access-lists) are too broad brush for what you want to do.
 
Hi, thanks for the reply. I should have an ASA 5510 by the end of the month (any experience in configuring one of these?), but just wanted to see if I could do this with ACLs. I have been playing with it for around 2 days now and can't get it to work. However, there are articles on the web that say that it does work when used with a DNS server.

I take it that the ACL should be applied to the dialer 1 interface in the inbound direction, seeing as I have ip inspect rules in the outbound direction. What happens if you have ip inspection rules and ACLs on the same interface? The inspection rules are opening a hole in the firewall dynamically while the ACL is blocking. I think from my testing the inspection rule wins?

 