Cisco 851 Router - Block Webpages

Status
Not open for further replies.

snSentax

Programmer
Joined
Aug 16, 2007
Messages
6
Hi everyone, I have a Cisco 851 router in our office and we need to block all access to certain domain names. Is there a way to do this with the Cisco 851?

Thanks
 
Hello
Does the router support NBAR? Also turn on "ip cef". The below should do the trick.

Router(config)#class-map BLOCKURL
Router(config-cmap)#match protocol http url
Router(config)#policy-map BLOCKURLS
Router(config-pmap)#class BLOCKURL
Router(config-pmap-c)#drop

Regards
 
If not with NBAR, then extended ACLs, with the IP addresses of the domains denied, and all other IP traffic permitted. Put this inbound on the router incoming interface.

Burt
 
Thanks for your quick reply.

I'm getting command errors when entering these commands in config mode.

Code:
Router(Config)#class-map BLOCKURL
                 ^
% Invalid input detected at '^' marker.

Any ideas?
 
Hi
It seems that your IOS is a limited version. Please post your IOS version, I will check it out on Cisco image navigator to see if it supports the MQC. Did you turn on "ip cef"? If you can't get the new IOS, you can go with the extended access-list.
Regards
 
Thank you for your reply.

IOS Version: 12.4(4)T7

I registered at Cisco.com and am waiting on an email back from them so I can get additional access to download IOS images and other software from them.
 
Post a "sh ver", and Minue or I can check what features the image has.

Burt
 
Hello
That's a recent release, strange that it doesn't support the MQC. You didn't post the feature set, so I can't run it in the Cisco navigator.
Regards
 
Hi there, thanks for the reply again.

Here is the "sh ver"

Code:
Router#sh ver
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 29-Nov-06 00:37 by kellythw

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Router uptime is 1 week, 3 days, 19 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c850-advsecurityk9-mz.124-4.T7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 851 (MPC8272) processor (revision 0x200) with 59392K/6144K bytes of memory.
Processor board ID FHK1125104R
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Router#
 
Hello
Sorry to say but the 851 doesn't support NBAR. To lower the cost of this router it seems that Cisco even cut out the "QOS". Could be wrong though, will need to do more research.
Regards
P.S. Go for the extended access-lists.
 
Thanks for the reply.

So any pointers on extended access lists to perform what I need? I'm in the SDM but when I go there I'm not too familiar with all the options and such. I was happy enough to setup NAT successfully. :)

It is amazing that a nice router like this wouldn't allow me to block simple domain names, I have a netgear $50 at home that has webpage access restrictions and can even setup a schedule to only allow it to be available certain hours of the day.

It's a shame.
 
Oh yes!! It's like buying a Sony appliance! You pay more for the features. But they're still the best on the market.
First you will have to find the IP addresses of the domains you want to block. Remember some domains have more than one address. In SDM you will have to look for voice access-list I think. Then your "source" is your network. Your destination is the domain (96.96.96.96).
Good luck
 
Thanks everyone for your help. I'm in negotiation with Cisco right now discussing updating the IOS on this and what needs to be done to get the features I would like. But until then. Here is what I've done and cannot get ACL working to block access to certain IP addresses.

1. Login SDM
2. Click Firewall and ACL
3. Click Edit Firewall Policy / ACL
4. I have Originating and Returning traffic options
5. I create a new rule and put source "any" and destination to the IP address I want to block on returning traffic.
6. Save and Apply

Am I doing this correctly? Should I be doing it on originating traffic? Any more insight and guidance would be appreciated.

Thanks
 
Yes---source is the IP you want blocked, and destination is any---this blocks the URLs from coming back into the router. If you wanted to do it the first way, then it would work, if you applied the ACL inbound on the LAN interface. Otherwise, block incoming like I said inbound on the WAN interface.

Burt
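
The two ACL placements described in the reply above, written out as IOS configuration. This is an added example, not part of the original thread; the ACL names, the 192.0.2.10 and 198.51.100.20 addresses, and the Vlan1/FastEthernet4 interface roles are assumptions.

```cisco
! Constructed example: 192.0.2.10 and 198.51.100.20 stand in for the
! addresses the blocked domains resolve to. A domain with several
! addresses needs one deny line per address.
! Assumed interface roles: Vlan1 = LAN side, FastEthernet4 = WAN side.
!
! Placement 1: match requests as they enter the router from the LAN.
! Source is the office network (any), destination is the blocked address.
ip access-list extended BLOCK-SITES-LAN
 deny   ip any host 192.0.2.10
 deny   ip any host 198.51.100.20
 permit ip any any
!
interface Vlan1
 ip access-group BLOCK-SITES-LAN in
!
! Placement 2: match replies as they enter the router from the Internet.
! Source is the blocked address, destination is any.
ip access-list extended BLOCK-SITES-WAN
 deny   ip host 192.0.2.10 any
 deny   ip host 198.51.100.20 any
 permit ip any any
!
interface FastEthernet4
 ip access-group BLOCK-SITES-WAN in
!
! Use one placement, not both. After a test request from a LAN host,
! "show access-lists BLOCK-SITES-LAN" shows per-entry match counters,
! which confirms the deny lines are being hit.
```

An interface takes only one IP ACL per direction, so if SDM's firewall has already applied one, add the deny entries to that list above its permit statements instead of attaching a new list with `permit ip any any`. Blocking by address also blocks every other site hosted on the same address and has to be updated when the domain's DNS records change.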
 