How to block certain web sites

Discussion in 'Cisco' started by NextLevel, Feb 23, 2006.

  1. NextLevel Guest

    How can I block specific web sites from being viewed? I am using a
    4500m router between my internal network and the internet. I have tried
    using ACLs but can't seem to get them to work correctly. Any help will
    be greatly appreciated.
    NextLevel, Feb 23, 2006
  2. NETADMIN Guest

    I have done this on PIX.

    Use following commands:
    access-list outbound deny tcp any host eq www
    ((with this access-list you can deny any tcp packet from inside to
    access the website hosted on at port www(80)))

    access-group outbound in interface inside
    ((then apply this access-rule in interface inside))

    Hope this will work.

    NETADMIN, Feb 23, 2006
  3. NextLevel Guest

    Does not seem to work. I have applied as you suggested but it blocks
    all www traffic.
    NextLevel, Feb 23, 2006
  4. Wil Guest

    You will need to add a permit any statement below the deny statement.

    If this doesn't work, post a sanitised config.

    Wil, Feb 24, 2006
  5. NETADMIN Guest

    You have to give the command:
    access-list outbound permit ip any any
    at the end of the access-list.

    Try this, waiting for response.

    NETADMIN, Feb 24, 2006
  6. NextLevel Guest

    I'll give that a try this evening. Thanks for the help. I am still
    learning the Access-List features of Cisco IOS. It will sink in
    eventually!
    NextLevel, Feb 24, 2006
  7. NextLevel Guest

    One more question: say I want to block a range of addresses. Can I just
    place say to block through 255?
    NextLevel, Feb 24, 2006
  8. NETADMIN Guest

    For blocking a range of addresses you have to give the following command:

    access-list outbound deny tcp any host eq

    Hope this will work.

    Do tell us if this helps.

    NETADMIN, Feb 24, 2006
  9. The OP indicated that the equipment is a 4500 series with IOS. The
    above ACL would work on a PIX but not under IOS:

    a) IOS only allows named access lists in the extended format
    that puts the individual entries on the lines below -without-
    the 'access-list' prefix;

    b) Under IOS, wildcard bits are used instead of selection bits.

    c) 'host' and a netmask cannot be used together for the same item.

    Thus the appropriate entry would look something like

    access-list 101 deny tcp any eq www
    Walter Roberson, Feb 24, 2006
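    Since the addresses in the thread's commands did not survive, here is an added Python model (not code from the thread or from Cisco) of the IOS extended-ACL semantics Walter describes: wildcard-bit matching, first match wins, and the implicit deny at the end that drops everything when the closing permit line is missing. The site and LAN addresses are constructed placeholders, and the model says nothing about which interface or direction the list is applied to.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One entry of an IOS-style extended ACL (a constructed model, not IOS code)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol) or "tcp"
    src: str                      # "any" or "<address> <wildcard>", e.g. "192.168.1.0 0.0.0.255"
    dst: str
    dport: Optional[int] = None   # destination port (eq); None matches any port


def host(addr: str) -> str:
    """IOS 'host A.B.C.D' is shorthand for wildcard 0.0.0.0 (every bit must match)."""
    return f"{addr} 0.0.0.0"


def match_addr(spec: str, addr: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    if spec == "any":
        return True
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
    return (n & ~w) == (a & ~w)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match falls through to the implicit 'deny'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if match_addr(ace.src, src) and match_addr(ace.dst, dst):
            return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL


# Constructed placeholder for the site to block (the thread's real address is not shown).
BLOCKED_SITE = "203.0.113.10"

# The list as first posted: only the deny line, so the implicit deny drops everything.
ACL_DENY_ONLY = [Ace("deny", "tcp", "any", host(BLOCKED_SITE), 80)]
# The corrected list: one specific deny, then permit everything else.
ACL_FIXED = ACL_DENY_ONLY + [Ace("permit", "ip", "any", "any")]
# Blocking a whole /24 uses a wildcard of 0.0.0.255 instead of 'host'.
ACL_RANGE = [Ace("deny", "tcp", "any", "203.0.113.0 0.0.0.255", 80),
             Ace("permit", "ip", "any", "any")]
```

    Port 443 to the blocked site is still permitted by `ACL_FIXED`, because `eq www` only covers port 80.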
  10. NETADMIN Guest

    Thanks Walter for correcting me.

    It's true that my given access-list will work on PIX and the access-list
    given by you will work with 4500m with IOS.

    I checked it.

    NETADMIN, Feb 24, 2006
  11. Not quite. You had

    access-list outbound deny tcp any host eq www

    which will not work on the PIX because of the extra 'host' keyword.
    Walter Roberson, Feb 24, 2006
  12. NextLevel Guest

    Thanks, gentlemen... I figured for the router I would use the extended
    ACL. I think the only thing I forgot was the permit any any at the end
    of the ACL list. I will try this when I get home this evening and post
    the result. Again, thank you both.
    NextLevel, Feb 24, 2006
  13. NextLevel Guest

    Ok, this is what I have in the config:

    interface Ethernet2
    ip address
    ip access-group 101 out
    ip nat inside
    no ip mroute-cache
    media-type auto-select

    access-list 101 deny tcp any eq www
    access-list 101 permit ip any any

    It is still allowing all packets to pass. I am not sure what I am doing
    wrong but I need to figure this out. Like I mentioned before, I am
    still learning ACLs so please bear with me on this. So far you guys
    have been a great help. Please keep it coming...
    NextLevel, Feb 25, 2006
  14. Wil Guest

    This is the inside interface, you should apply it as "in" instead of
    "out". Or better yet, apply the ACL to the outside interface as "out".

    Keep in mind that all traffic exiting this interface will be on the
    192.168.1.X subnet.

    Wil, Feb 25, 2006
  15. NextLevel Guest

    That did the trick. I do not know why I was applying the ACL out to the
    inside interface. Well, I learned a lot from you all. Thank you very
    NextLevel, Feb 25, 2006
