
URL Filter

Base Configuration

Common Configuration Snippet

  • R1
configure terminal
!
!ip inspect name CBAC tcp
!ip inspect name CBAC udp
ip inspect name CBAC http urlfilter
ip inspect name CBAC https
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny neverssl.com
ip urlfilter exclusive-domain deny neverssl.pg1x.com
ip urlfilter exclusive-domain deny .labs.neverssl.pg1x.com
ip urlfilter exclusive-domain deny gitlab.pg1x.com
!
interface GigabitEthernet 0/0
 ip inspect CBAC in
!
end

Cisco IOS Security Command Reference: Commands D to L - ip source-track through ivrf [Support & Learn] - Cisco

  • ubuntu-0
check-access.sh
#!/usr/bin/env bash
set -x
curl -so /dev/null -w '%{http_code}\n' neverssl.com
curl -so /dev/null -w '%{http_code}\n' www.rtpro.yamaha.co.jp
curl -so /dev/null -w '%{http_code}\n' abehiroshi.la.coocan.jp
curl -so /dev/null -w '%{http_code}\n' example.com
curl -so /dev/null -w '%{http_code}\n' archive.ubuntu.com
curl -so /dev/null -w '%{http_code}\n' neverssl.pg1x.com
curl -so /dev/null -w '%{http_code}\n' www.neverssl.pg1x.com
curl -so /dev/null -w '%{http_code}\n' blog.neverssl.pg1x.com
curl -so /dev/null -w '%{http_code}\n' aaaaaa.labs.neverssl.pg1x.com
curl -so /dev/null -w '%{http_code}\n' bbbbbb.labs.neverssl.pg1x.com
curl -so /dev/null -w '%{http_code}\n' gitlab.pg1x.com
curl -so /dev/null -w '%{http_code}\n' https://gitlab.pg1x.com/explore
set +x
  • without URL filter
ubuntu@ubuntu-0:~$ bash check-access.sh 
+ curl -so /dev/null -w '%{http_code}\n' neverssl.com
200
+ curl -so /dev/null -w '%{http_code}\n' www.rtpro.yamaha.co.jp
200
+ curl -so /dev/null -w '%{http_code}\n' abehiroshi.la.coocan.jp
200
+ curl -so /dev/null -w '%{http_code}\n' example.com
200
+ curl -so /dev/null -w '%{http_code}\n' archive.ubuntu.com
200
+ curl -so /dev/null -w '%{http_code}\n' neverssl.pg1x.com
200
+ curl -so /dev/null -w '%{http_code}\n' www.neverssl.pg1x.com
200
+ curl -so /dev/null -w '%{http_code}\n' blog.neverssl.pg1x.com
200
+ curl -so /dev/null -w '%{http_code}\n' aaaaaa.labs.neverssl.pg1x.com
200
+ curl -so /dev/null -w '%{http_code}\n' bbbbbb.labs.neverssl.pg1x.com
200
+ curl -so /dev/null -w '%{http_code}\n' gitlab.pg1x.com
301
+ curl -so /dev/null -w '%{http_code}\n' https://gitlab.pg1x.com/explore
200
+ set +x
  • with URL filter configured
ubuntu@ubuntu-0:~$ bash check-access.sh 
+ curl -so /dev/null -w '%{http_code}\n' neverssl.com
403
+ curl -so /dev/null -w '%{http_code}\n' www.rtpro.yamaha.co.jp
200
+ curl -so /dev/null -w '%{http_code}\n' abehiroshi.la.coocan.jp
200
+ curl -so /dev/null -w '%{http_code}\n' example.com
200
+ curl -so /dev/null -w '%{http_code}\n' archive.ubuntu.com
200
+ curl -so /dev/null -w '%{http_code}\n' neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\n' www.neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\n' blog.neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\n' aaaaaa.labs.neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\n' bbbbbb.labs.neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\n' gitlab.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\n' https://gitlab.pg1x.com/explore
200
+ set +x
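As an added example (not part of the original page), the following Python models the deny list from the R1 configuration and audits the captured `set -x` output offline. The matching rule for bare entries (the domain plus hosts under it) is inferred from the observed 403s on this page, not taken from Cisco documentation, and the sample trace is a constructed subset of the run above. The finding it surfaces is the last result: `gitlab.pg1x.com` is denied over HTTP but answers 200 over HTTPS, because the `https` inspection sees only encrypted bytes and the URL filter never gets to match the host name.

```python
# Deny list copied from the R1 configuration above.
DENY_DOMAINS = ["neverssl.com", "neverssl.pg1x.com",
                ".labs.neverssl.pg1x.com", "gitlab.pg1x.com"]
# Constructed sample: selected lines of the "with URL filter" run above.
SAMPLE_OUTPUT = """\
+ curl -so /dev/null -w '%{http_code}\\n' www.neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\\n' aaaaaa.labs.neverssl.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\\n' gitlab.pg1x.com
403
+ curl -so /dev/null -w '%{http_code}\\n' https://gitlab.pg1x.com/explore
200
"""

def host_is_denied(host, deny_domains=DENY_DOMAINS):
    # Rule inferred from this page's results (an assumption, not Cisco docs):
    # a leading-dot entry matches hosts under it; a bare entry also matches itself.
    host = host.lower().rstrip(".")
    for entry in deny_domains:
        suffix = entry if entry.startswith(".") else "." + entry
        if host == entry or host.endswith(suffix):
            return True
    return False

def parse_trace(text):
    # Turn the `set -x` output of check-access.sh into (url, status) pairs.
    pairs, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("+ curl "):
            pending = line.split()[-1]       # last word is the URL
        elif pending and line.isdigit():
            pairs.append((pending, int(line)))
            pending = None
    return pairs

def audit(pairs, deny_domains=DENY_DOMAINS):
    # HTTPS_BYPASS: a denied host still answered over HTTPS. `ip inspect ... https`
    # sees only encrypted bytes, so the URL filter never gets to match the host.
    findings = []
    for url, status in pairs:
        scheme, sep, rest = url.partition("://")
        host = (rest if sep else url).split("/", 1)[0]
        denied = host_is_denied(host, deny_domains)
        if denied and status != 403:
            findings.append((url, "HTTPS_BYPASS" if scheme == "https" else "NOT_BLOCKED"))
        elif not denied and status == 403:
            findings.append((url, "OVERBLOCK"))
    return findings
```

Feed it the full trace of a run (`bash -x check-access.sh 2>&1`) and any host that is denied on paper but still reachable shows up as a finding.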
R1#
*Feb 28 06:29:13.884: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1454826552 1454 bytes is out-of-order; expected seq:1454803904. Reason: TCP reassembly queue overflow - session 172.16.2.101:48982 to 54.230.188.51:80
R1#
*Feb 28 06:29:39.240: %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:34449508 has not arrived even after 25 seconds - session 172.16.2.101:46802 to 54.230.188.169:80
R1#
ubuntu@ubuntu-0:~$ curl -i neverssl.pg1x.com
HTTP/1.1 403 Forbidden
Server: IOS Firewall HTTP/1.1
Content-type: text/html
Connection: close

<html>
<head>
<title>Forbidden</title></head>
<body bgcolor="#ffffff">
<center><h1><font color="#ff0000">HTTP Error 403 - Forbidden</font></h1>
<b>You do not have permission to access the document or program you requested.
</b></center>
</body></html>

References

tech/network/cisco/security/network-security/acl/url-filter/url-filter.txt · Last modified: 2021/02/28 16:06 by wnoguchi