URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Thread number: 1442

Original message
"Block access to certain sites on a cisco 1801"

Posted by nals783, 15-Aug-14 14:23
Good afternoon!
Please help: I need to block all users' access to certain sites. I am trying to do this in the "parameter-map type urlf-glob InternetDeny" section, but nothing works.

Cisco config:

Using 13572 out of 196600 bytes

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname ххх
!
boot-start-marker
boot-end-marker
!
logging buffered 24096
!
aaa new-model
!
!
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting network default
action-type start-stop
group tacacs+
!
aaa accounting connection default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone MSK 4
!
!
dot11 syslog
ip source-route
ip arp proxy disable
!
!
!
!
ip cef
no ip domain lookup
ip domain name ххх
ip name-server 192.168.50.254
ip name-server 192.168.253.6
ip inspect WAAS flush-timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type urlf-glob WebMAIL
pattern *.mail.ru
pattern *.yandex.ru
pattern yandex.ru
pattern mail.ru
pattern ххх
pattern ххх
pattern ххх

parameter-map type urlf-glob InternetDeny            // the list of blocked sites goes here
pattern odnoklassniki.ru

parameter-map type urlf-glob InternetAllow
pattern *

!
!
license udi pid ххх sn ххх
archive
log config
  hidekeys
object-group network Host-URL-Filter
host 192.168.214.121
host 192.168.214.123
host 192.168.214.127
host 192.168.214.129
host 192.168.214.131
host 192.168.214.125
!
object-group service Service-URL-Filter
tcp eq www
tcp eq 443
tcp eq pop3
tcp eq smtp
tcp eq 143
tcp eq 993
tcp eq 5500
tcp eq 5901
tcp eq 5800
tcp eq 5900
tcp eq 16384
tcp eq 32768
tcp eq 8083
tcp range 16384 32768
!
!
no spanning-tree vlan 2
no spanning-tree vlan 801
username ххх

!
!
ip tftp source-interface Loopback0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
!
class-map type urlfilter match-any InternetDeny
match  server-domain urlf-glob InternetDeny
class-map type inspect match-any AllowALL
match protocol http
class-map type inspect match-any Mail
match protocol pop3s
match protocol imap
match protocol imap3
match protocol imaps
match protocol smtp
match protocol pop3
match protocol dns
match access-group name acl-nat-kontinent
class-map type inspect match-any Host-URL-Filter
match access-group name acl-webfilter-host
class-map type inspect match-all HTTPTRAFFIC
match protocol http
match class-map Host-URL-Filter
class-map type urlfilter match-any WebMAIL
match  server-domain urlf-glob WebMAIL
class-map type urlfilter match-any InternetAllow
match  server-domain urlf-glob InternetAllow
class-map type inspect match-any InternalTraffic
match protocol dns
match protocol icmp
match protocol smtp
match protocol ftp
match protocol pop3
match protocol http
match protocol https
match protocol pptp
match protocol l2tp
match protocol pop3s
match protocol imap
match protocol imap3
match protocol imaps
!
!
policy-map type inspect urlfilter URLFILTER
class type urlfilter WebMAIL
  allow
class type urlfilter InternetDeny
  reset
policy-map type inspect urlfilter ALLOW
class type urlfilter InternetAllow
  allow
policy-map type inspect WebFilter
class type inspect Mail
  inspect
class type inspect HTTPTRAFFIC
  inspect
  service-policy urlfilter URLFILTER
class type inspect AllowALL
  inspect
  service-policy urlfilter ALLOW
class type inspect InternalTraffic
  inspect
class class-default
  drop
!
zone security inside
zone security outside
zone-pair security WebFilter source inside destination outside
service-policy type inspect WebFilter
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ххх address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set DMVPN-Trans esp-aes esp-md5-hmac
mode transport
crypto ipsec transform-set dmvpn-transform esp-aes
crypto ipsec transform-set dmvpn-trans-transform esp-aes
mode transport
!
crypto ipsec profile dmvpn_ipsec_prof
set security-association lifetime seconds 300
set transform-set esp-3des-sha
!
crypto ipsec profile dmvpn_ipsec_prof-1
set security-association lifetime seconds 300
set transform-set DMVPN-Trans
!
crypto ipsec profile dmvpn_profile
set security-association lifetime seconds 300
set transform-set dmvpn-transform
!
crypto ipsec profile dmvpn_trans_profile
set security-association lifetime seconds 300
set transform-set dmvpn-trans-transform
!
!
!
!
!
bba-group pppoe global
!
!
interface Loopback0
ip address ххх 255.255.255.255
zone-member security inside
!
!
interface Tunnel7
description EVO transport tunnel
ip address ххх 255.255.255.0
no ip redirects
ip nhrp authentication brpoint
ip nhrp map multicast ххх
ip nhrp map ххх ххх
ip nhrp map ххх ххх
ip nhrp map multicast ххх
ip nhrp network-id 7
ip nhrp holdtime 300
ip nhrp nhs ххх
ip nhrp nhs ххх
ip nhrp shortcut
ip nhrp redirect
zone-member security inside
ip tcp adjust-mss 1452
ip ospf network point-to-multipoint
ip ospf hello-interval 3
ip ospf dead-interval 9
ip ospf priority 0
delay 1000
keepalive 10 3
tunnel source FastEthernet0.70
tunnel mode gre multipoint
tunnel key ххх
tunnel protection ipsec profile dmvpn_profile
!
!
interface Tunnel9
description VT transport tunnel
ip address ххх 255.255.255.0
no ip redirects
ip hold-time eigrp 73 35
no ip next-hop-self eigrp 73
ip nhrp authentication brpoint
ip nhrp map multicast ххх
ip nhrp map ххх ххх
ip nhrp network-id 5
ip nhrp holdtime 300
ip nhrp nhs ххх
zone-member security inside
ip tcp adjust-mss 1452
no ip split-horizon eigrp 73
delay 1000
keepalive 10 3
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key ххх
tunnel protection ipsec profile dmvpn_ipsec_prof-1
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode itu-dmt
dsl bitswap both
!
pvc 0/33
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
!
interface FastEthernet0.70
description EVO
encapsulation dot1Q 70
ip address ххх 255.255.255.0
ip flow ingress
ip flow egress
no cdp enable
!
interface FastEthernet1
switchport access vlan 801
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
switchport access vlan 2
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan2
ip address ххх 255.255.255.0
ip access-group acl-localnet in
ip access-group shares out
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security inside
ip tcp adjust-mss 1452
!
!
interface Vlan801
no ip address
pppoe enable group global
pppoe-client dial-pool-number 2
!
!
interface Dialer1
ip address negotiated
ip access-group acl-vt in
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ххх
ppp chap password ххх
ppp pap sent-username ххх
ppp ipcp dns accept
ppp ipcp address accept
no cdp enable
!
!
interface Dialer2
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security outside
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname ххх
ppp chap password ххх
ppp pap sent-username ххх
ppp ipcp dns accept
ppp ipcp address accept
no cdp enable
!
!
!
router eigrp 73
metric weights 0 0 0 1 0 0
network ххх
network ххх
network ххх
distance eigrp 120 120
passive-interface default
no passive-interface Tunnel9
eigrp router-id ххх
eigrp stub connected
!
router ospf 1
router-id ххх
log-adjacency-changes
area 7 nssa
redistribute connected metric-type 1 subnets
passive-interface default
no passive-interface Tunnel7
network ххх 0.0.0.255 area 7
distribute-list prefix ospf out
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination ххх 9996
!
ip nat inside source list acl-nat-internet interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route ххх 255.255.255.255 Dialer1
ip route ххх 255.255.0.0 Null0
ip route ххх 255.255.0.0 Tunnel7
ip tacacs source-interface Loopback0
!
ip access-list standard acl-line
permit ххх
permit 192.168.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
permit 172.0.0.0 0.255.255.255
permit 1.1.1.0 0.0.0.255
permit 2.2.2.0 0.0.0.255
permit 4.4.4.0 0.0.0.255
permit 5.5.5.0 0.0.0.255
permit 6.6.6.0 0.0.0.255
permit 7.7.7.0 0.0.0.255
permit 8.8.8.0 0.0.0.255
permit 9.9.9.0 0.0.0.255
deny   any
!
ip access-list extended acl-localnet
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.65 eq www
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.66 eq www
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.65 eq 443
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.66 eq 443
permit ip 192.168.214.0 0.0.0.255 host 192.168.49.202
permit tcp 192.168.214.0 0.0.0.255 host ххх eq 8443
permit tcp 192.168.214.0 0.0.0.255 host ххх eq 8083
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.74 eq smtp
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.74 eq pop3
permit icmp 192.168.214.0 0.0.0.255 any
permit tcp 192.168.214.0 0.0.0.255 host 192.168.51.110 eq www
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.50 eq 1433
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.51 eq 1433
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.52 eq 1433
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.111 eq 1433
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.111 eq www
permit udp 192.168.214.0 0.0.0.255 host 192.168.50.254 eq domain
permit udp 192.168.214.0 0.0.0.255 host 192.168.253.6 eq domain
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.58 eq 3389
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.111 eq 3389
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.111 eq 8888
permit tcp 192.168.214.0 0.0.0.255 eq 5900 192.168.0.0 0.0.255.255
permit tcp 192.168.214.0 0.0.0.255 eq www 192.168.0.0 0.0.255.255
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.21 eq 13000
permit ip 192.168.214.0 0.0.0.255 192.168.55.0 0.0.0.255
permit ip 192.168.214.0 0.0.0.255 192.168.214.0 0.0.0.255
permit udp 192.168.214.0 0.0.0.255 any range 16384 32768
permit udp 192.168.214.0 0.0.0.255 host 192.168.51.222
permit tcp 192.168.214.0 0.0.0.255 host 192.168.51.222 eq 2000
permit tcp 192.168.214.0 0.0.0.255 host 192.168.51.222 eq 6970
permit udp 192.168.214.0 0.0.0.255 host 192.168.49.202
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.202 eq 2000
permit tcp 192.168.214.0 0.0.0.255 host 192.168.49.202 eq 6970
permit object-group Service-URL-Filter object-group Host-URL-Filter any
deny   ip object-group Host-URL-Filter any
deny   ip 192.168.214.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.214.0 0.0.0.255 any
ip access-list extended acl-nat-internet
permit ip 192.168.214.0 0.0.0.255 any
ip access-list extended acl-nat-kontinent
permit tcp any any eq 7500
permit tcp any any eq 4433
permit udp any any eq 7500
permit udp any any eq 4433
ip access-list extended acl-vt
permit tcp 192.168.214.0 0.0.0.255 host 192.168.253.94
permit icmp any any
permit esp any any
permit ahp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp host ххх any
permit tcp ххх 0.0.0.15 any
ip access-list extended acl-webfilter-host
permit ip object-group Host-URL-Filter any
ip access-list extended shares
deny   tcp any any range 135 139
deny   tcp any any eq 445
deny   tcp any range 135 139 any
deny   tcp any eq 445 any
permit ip any any
!
!
ip prefix-list ospf seq 5 permit 2.2.2.0/24 le 32
ip prefix-list ospf seq 10 permit 192.168.214.0/24 le 32
logging trap debugging
logging facility local2
no cdp run

!
!
!
!


!
tacacs-server host 192.168.49.225 key ххх
tacacs-server host 192.168.55.225 key ххх
tacacs-server timeout 2
tacacs-server directed-request
!
control-plane
!
!
bridge 1 protocol ieee
!
line con 0
line aux 0
line vty 0 4
access-class acl-line in
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp peer 192.168.253.6
end
Replies in this thread
"Block access to certain sites on a cisco 1801"
Posted by Mr. Mistoffelees, 15-Aug-14 15:59
Hi,

> Please help: I need to block all users' access
> to certain sites. I am trying to do this in the "parameter-map type
> urlf-glob InternetDeny" section, but nothing works.
> Cisco config:
> parameter-map type urlf-glob InternetDeny
>  pattern odnoklassniki.ru

That's fine.

> class-map type urlfilter match-any InternetDeny
>  match  server-domain urlf-glob InternetDeny

That's fine.

> policy-map type inspect urlfilter URLFILTER
>  class type urlfilter InternetDeny
>   reset

That's fine... but where have you applied this URLFILTER? For example, like this:

policy-map type inspect in->out
  class type inspect filtered-hosts
    inspect
    service-policy urlfilter URLFILTER

Well,


"Block access to certain sites on a cisco 1801"
Posted by Merridius, 15-Aug-14 20:26
>[overquoting removed]
> That's fine.
>> policy-map type inspect urlfilter URLFILTER
>>  class type urlfilter InternetDeny
>>   reset
> That's fine... but where have you applied this URLFILTER? For example, like this:
> policy-map type inspect in->out
>   class type inspect filtered-hosts
>     inspect
>     service-policy urlfilter URLFILTER
> Well,

As the colleague above said, you need to use either ZBPF or CBAF; the URL filtering is then attached to that.
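A walk-through of the filter chain from the original config as a small model, added here and not part of any post in the thread or of Cisco's software: it encodes the urlf-glob parameter-maps, the two urlfilter policy-maps in their configured class order, and the hosts in object-group Host-URL-Filter, then reports which urlfilter policy an HTTP flow lands in and which class acts on it. It assumes first-match class evaluation and that the urlf-glob `*` behaves like a shell wildcard; the sample flows are constructed.

```python
from fnmatch import fnmatchcase

# Constructed model of the thread's config (not the router itself): the
# urlf-glob parameter-maps, the urlfilter policy-maps in class order, and
# the hosts in object-group Host-URL-Filter selected by class HTTPTRAFFIC.
URLF_GLOB = {
    "WebMAIL": ["*.mail.ru", "*.yandex.ru", "yandex.ru", "mail.ru"],
    "InternetDeny": ["odnoklassniki.ru"],
    "InternetAllow": ["*"],
}
# policy-map type inspect urlfilter <name>: (class, action), configured order
URLFILTER_POLICIES = {
    "URLFILTER": [("WebMAIL", "allow"), ("InternetDeny", "reset")],
    "ALLOW": [("InternetAllow", "allow")],
}
FILTERED_HOSTS = {"192.168.214.121", "192.168.214.123", "192.168.214.127",
                  "192.168.214.129", "192.168.214.131", "192.168.214.125"}


def glob_matches(domain, patterns):
    # Assumption: urlf-glob '*' works like a shell wildcard, so the bare
    # pattern "odnoklassniki.ru" matches only that exact host name.
    return any(fnmatchcase(domain.lower(), p.lower()) for p in patterns)


def urlfilter_action(policy, domain):
    """First matching urlfilter class wins; None when no class matched."""
    for class_name, action in URLFILTER_POLICIES[policy]:
        if glob_matches(domain, URLF_GLOB[class_name]):
            return action
    return None


def http_decision(src_ip, domain):
    """Return (urlfilter policy hit, action) for an HTTP flow from src_ip.

    Follows the WebFilter inspect policy-map order: HTTPTRAFFIC (http AND
    source in Host-URL-Filter) is evaluated before AllowALL (any http).
    """
    if src_ip in FILTERED_HOSTS:
        return "URLFILTER", urlfilter_action("URLFILTER", domain)
    return "ALLOW", urlfilter_action("ALLOW", domain)


if __name__ == "__main__":
    # Constructed sample flows: a listed host and an unlisted one.
    for src, host in [("192.168.214.121", "odnoklassniki.ru"),
                      ("192.168.214.121", "www.odnoklassniki.ru"),
                      ("192.168.214.50", "www.odnoklassniki.ru")]:
        print(src, host, http_decision(src, host))
```

In this model an HTTP flow from a source outside Host-URL-Filter never reaches URLFILTER at all, and within URLFILTER only a host name that exactly matches a configured pattern gets the reset.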