c831 soho url filter help!

itdaddy Member Posts: 2,089
Hey gurus

I have a SOHO c831 router. I like it and I can use SDM to practice on, but I am trying
to implement the URL filter. So I put a domain name in the URL filter such as
www.badsiteformyson.com and apply the filter and it blocks all websites.
WTF am I doing wrong? I have been wracking my head. Someone help this itdummy
thanks
any suggestions and what am I doing wrong? looks simple but do I need a permit any any
at the end like an ACL?

Comments

  • LBC90805 Member Posts: 247
    I think it is Operator Error or perhaps ID10T Error. Just kidding of course.

    Post the running config to see if we can help.
  • laidbackfreak Member Posts: 991
    you're on the right track itDaddy..... been a few years since i used soho....

    but there is an implicit deny at the end... so you need at least 1 permit statement to pass traffic through....

    hth
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • LBC90805 Member Posts: 247
    Yup, but wouldn't the SDM add that to the end of the config?
  • itdaddy Member Posts: 2,089
    LBC90805

    yeah I remember that error ID10T error ahaha that is a funny one!

    laidbackfreak

    thanks that was my guess since in the CLI it looks like it acts like an ACL and I was just taking a guess...will look into it and post config here. I was so happy to get this SOHO
    so I can use the URL filter for my son (hee hee) Dad, why can't I get this site and that site.
    I say hummmmm must be blocked somehow hahaahhah!

    but yeah, I am using it to do a bunch of things you dudes might be interested in.

    1. I plan on setting up a VPN/IPSEC to my home from anywhere.
    2. use the URL filter
    3. practice SDM stuff
    4. practice firewall stuff CLI too!
    5. IPV6 tunnel to INTERNET 2. This is going to be the fun one. I have been doing some reading and met an IPv6 broker who gave me some tunneling commands to tunnel to IPV6..and since I am a geek..man this is what we live for right! yeah

    so I will get back with you on the permit any any url line and see if I can find some documentation on it. and get back with ya! THANK ALL OF YOU!
  • tech-airman Member Posts: 953
    itdaddy wrote:
    Hey gurus

    I have a SOHO c831 router. I like it and I can use SDM to practice on, but I am trying
    to implement the URL filter. So I put a domain name in the URL filter such as
    www.badsiteformyson.com and apply the filter and it blocks all websites.
    WTF am I doing wrong? I have been wracking my head. Someone help this itdummy
    thanks
    any suggestions and what am I doing wrong? looks simple but do I need a permit any any
    at the end like an ACL?

    itdaddy,

    As far as Security with respect to ACLs, there are two basic philosophies:
    1. Permit all, except
    2. Deny all, except

    Since ACLs are known to have an implicit "Deny any any" at the bottom, by default the security philosophy is of the second type. So based on the presented information, this seems to be a pseudo-ACL as I understand it:
    1. Deny www.badsiteformyson.com
    2. {implicit deny any any}

    As you can see, there's not a single permit statement so that LEGITIMATE traffic may go out. So in order for you to convert from security philosophy 2 to security philosophy 1, you need to insert a "permit any any" statement into the ACL near the bottom to override the implicit "deny any any" statement. The good thing about this option is that now other sites should be available to be contacted. The bad thing is that now you've opened up an entire game of "ACL whack a mole" where you'd have to add statements to your ACL as more problems come up, for example www.notsafeformyson2.com, www.notsafeformyson3.com, and www.notsafeformyson4.com, and so on.

    I hope this helps.
  • itdaddy Member Posts: 2,089
    you to convert from security philosophy 2 to security philosophy 1, you need to insert a "permit any any" statement into the ACL near the bottom to override the implicit "deny any any" statement. The good thing about this option is that now other sites should be available to be contacted. The bad thing is that now you've opened up an entire game of "ACL whack a mole" where you'd have to add statements to your ACL as more problems come up, for example www.notsafeformyson2.com, www.notsafeformyson3.com, and www.notsafeformyson4.com, and so on

    Tech-airman! haahhah you kill me man! "whack a mole!" I can see that mole toooo! hahahah
    yeah, you know some dads try to keep some bad sites away while they are young...keep the temptation away..I am not against beauty just too much beauty! whack whack if you know what I mean. thanks a lot; yeah, if you can find the exact line statement. i am doing a google and hard to find urlfilter permit any any but still looking..makes total sense!
    ;)
  • itdaddy Member Posts: 2,089
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/prod_white_paper0900aecd804abb11.html

    tech-airman found it! this looks good what we were chatting about. thanks

    robert
    it looks like a nice workup of SDM/Urlfiltering from cisco
  • itdaddy Member Posts: 2,089
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name SDM_LOW http urlfilter
    ip urlfilter allow-mode on
    ip urlfilter exclusive-domain deny www.badsite4mysonblocked.com
    ip urlfilter exclusive-domain permit *
    ip urlfilter audit-trail
    ip urlfilter urlf-server-log
    ip ids po max-events 100
    ip ssh version 2
    ipv6 unicast-routing
    no ftp-server write-enable

    laidbackfreak and tech-airman,

    here is a snippet of my config on my c831 SOHO urlfilter and when I added the permit *
    all traffic allowed but bad site for my son.haahah it works perfect..thanks a lot for
    holding my hand..kind of had an idea but wasn't completely sure..but got it working perfect
    thanks to your guidance ..thanks
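
Added example, not part of the thread and not Cisco IOS code: a small Python model of the top-to-bottom, implicit-deny evaluation tech-airman describes, run against the deny-only list, the list with the catch-all permit from the final post, and a misordered variant. The function names and www.example.com are assumptions made for illustration; the model follows the ACL analogy in the replies, not IOS's actual urlfilter internals.

```python
from fnmatch import fnmatchcase

# Rule lists are (action, pattern) pairs evaluated top to bottom, ACL style.
# BEFORE: only the deny entry, as in the original question.
BEFORE = [("deny", "www.badsiteformyson.com")]
# AFTER: deny entry followed by a catch-all permit, as in the final post.
AFTER = [("deny", "www.badsiteformyson.com"), ("permit", "*")]
# Same entries with the catch-all first: the deny line is never reached.
MISORDERED = [("permit", "*"), ("deny", "www.badsiteformyson.com")]

# Constructed sample hosts (www.example.com stands in for any other site).
HOSTS = ["www.badsiteformyson.com", "WWW.BadSiteForMySon.com.", "www.example.com"]


def evaluate(rules, host):
    """Return (action, index of the matching rule); index None = implicit deny."""
    host = host.lower().rstrip(".")  # hostnames are case-insensitive
    for i, (action, pattern) in enumerate(rules):
        if fnmatchcase(host, pattern.lower()):
            return action, i  # first match wins
    return "deny", None  # nothing matched: the implicit deny at the bottom


def report(rules, hosts=HOSTS):
    """Map each host to the action the rule list yields for it."""
    return {h: evaluate(rules, h)[0] for h in hosts}


def shadowed(rules):
    """Indexes of rules that can never match because an earlier '*' catches all."""
    for i, (_, pattern) in enumerate(rules):
        if pattern == "*":
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    for name, rules in (("BEFORE", BEFORE), ("AFTER", AFTER), ("MISORDERED", MISORDERED)):
        print(name, report(rules), "shadowed rules:", shadowed(rules))
```

The misordered case is the one to check for whenever a catch-all permit is added: entries placed after it are dead.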