How to block certain web sites

Discussion in 'Cisco' started by NextLevel, Feb 23, 2006.

  1. NextLevel Guest

    How can I block specific web sites from being viewed. I am using a
    4500m router between my internal network and the internet. I have tried
    using ACL's but can't seem to get them to work correctly. Any help will
    be greatly appreciated.
     
    NextLevel, Feb 23, 2006
    #1

  2. NETADMIN Guest

    Hi,

    I have done this on PIX.

    Use following commands:
    access-list outbound deny tcp any host 203.199.76.46 eq www
    ((with this access-list you can deny any tcp packet from inside to
    access the website hosted on 203.199.76.46 at port www(80)))

    access-group outbound in interface inside
    ((then apply this access-rule in interface inside))

    Hope this will work.


    Chetan

    CK-NET

    "people says i am wrong,what can i say blood says itself B+"
     
    NETADMIN, Feb 23, 2006
    #2

  3. NextLevel Guest

    Does not seem to work. I have applied as you suggested but it blocks
    all www traffic.
     
    NextLevel, Feb 23, 2006
    #3
  4. Wil Guest

    You will need to add a permit any statement below the deny statement.

    If this doesn't work, post a sanitised config.

    -Wil
     
    Wil, Feb 24, 2006
    #4
  5. NETADMIN Guest

    Hi,

    You have to give the command:
    access-list outbound permit ip any any
    at the end of the access-list.

    Try this, waiting for response.


    CK-NET
     
    NETADMIN, Feb 24, 2006
    #5
  6. NextLevel Guest

    I'll give that a try this evening, Thanks for the help. I am still
    learning the Access-List features of CISCO IOS. It will sink in
    eventually !
     
    NextLevel, Feb 24, 2006
    #6
  7. NextLevel Guest

    One more question, say I want to block a range of addresses. Can I just
    place say 203.216.30.0 to block 203.216.30.1 through 255?
     
    NextLevel, Feb 24, 2006
    #7
  8. NETADMIN Guest

    For blocking a range of addresses you have to give the following command:

    access-list outbound deny tcp any host 203.216.30.0 255.255.255.0 eq www

    Hope this will work.

    Do tell us if this helps.

    CK-NET
    "B+"
     
    NETADMIN, Feb 24, 2006
    #8
  9. The OP indicated that the equipment is a 4500 series with IOS. The
    above ACL would work on a PIX but not under IOS:

    a) IOS only allows named access lists in the extended format
    that puts the individual entries on the lines below -without-
    the 'access-list' prefix;

    b) Under IOS, wildcard bits are used instead of selection bits.

    c) 'host' and a netmask cannot be used together for the same item.

    Thus the appropriate entry would look something like

    access-list 101 deny tcp any 203.216.30.0 0.0.0.255 eq www
     
    Walter Roberson, Feb 24, 2006
    #9
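An added example (not from the thread or any Cisco tool) that evaluates packets against the two ACL shapes discussed above: a lone deny line falls through to the implicit deny at the end of every IOS ACL, which is why everything was blocked until the permit ip any any was appended, and the mask-to-wildcard conversion shows the PIX mask vs IOS wildcard difference Walter points out. The source address 192.168.1.10 and destination 198.51.100.5 are constructed test values; the ACL lines and 203.216.30.0/24 are the thread's own.

```python
import ipaddress

# Hypothetical mini evaluator for the IOS extended ACL lines used in this
# thread (constructed for illustration, not a Cisco tool). First match wins;
# an ACL with no matching entry falls through to IOS's implicit deny.
PORTS = {"www": 80}

def wildcard_from_mask(mask):
    """Turn a PIX-style subnet mask into the IOS wildcard (inverse) mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("any", None)
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")  # host: every bit must match
    return (tok, tokens.pop(0))

def _match_addr(ip, spec, wildcard):
    if spec == "any":
        return True
    # Wildcard bit 1 = "don't care", so compare only where the wildcard is 0.
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(spec)) & care

def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl_lines, src_ip, dst_ip, proto, dst_port):
    """Return 'permit' or 'deny' for one packet."""
    for action, p, src, dst, port in map(parse_ace, acl_lines):
        if p not in ("ip", proto):
            continue
        if not (_match_addr(src_ip, *src) and _match_addr(dst_ip, *dst)):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# ACLs from the thread: the first one is why everything, not one site, was blocked.
ACL_DENY_ONLY = ["access-list 101 deny tcp any 203.216.30.0 0.0.0.255 eq www"]
ACL_FIXED = ACL_DENY_ONLY + ["access-list 101 permit ip any any"]
```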
  10. NETADMIN Guest

    Thanks Walter for correcting me.

    It's true that my given access-list will work on PIX and the access-list
    given by you will work with the 4500m with IOS.

    I checked it.

    CK-NET
     
    NETADMIN, Feb 24, 2006
    #10
  11. Not quite. You had

    access-list outbound deny tcp any host 203.216.30.0 255.255.255.0 eq www

    which will not work on the PIX because of the extra 'host' keyword.
     
    Walter Roberson, Feb 24, 2006
    #11
  12. NextLevel Guest

    Thanks gentlemen.....I figured for the router I would use the extended
    ACL. I think the only thing I forgot was the permit any any at the end
    of the ACL list. I will try this when I get home this evening and post
    the result. Again, thank you both
     
    NextLevel, Feb 24, 2006
    #12
  13. NextLevel Guest

    Ok, this is what I have in the config:

    interface Ethernet2
    ip address 192.168.1.1 255.255.255.0
    ip access-group 101 out
    ip nat inside
    no ip mroute-cache
    media-type auto-select

    access-list 101 deny tcp any 63.208.226.0 0.0.0.255 eq www
    access-list 101 permit ip any any

    It is still allowing all packets to pass. I am not sure what I am doing
    wrong but I need to figure this out. Like I mentioned before, I am
    still learning ACL's so please bear with me on this. So far you guys
    have been a great help. Please keep it coming....
     
    NextLevel, Feb 25, 2006
    #13
  14. Wil Guest

    This is the inside interface, you should apply it as "in" instead of
    "out". Or better yet, apply the ACL to the outside interface as "out".

    Keep in mind that all traffic exiting this interface will be on the
    192.168.1.X subnet.

    -Wil
     
    Wil, Feb 25, 2006
    #14
  15. NextLevel Guest

    That did the trick. I do not know why I was applying the ACL out to the
    inside interface. Well, I learned a lot from you all. Thank you very
    much.
     
    NextLevel, Feb 25, 2006
    #15