I recently received an email from a reader asking how to use Cisco IOS to block a specific website. He wrote: "I have a Cisco 2600 instance, which is usually used as an Internet server. Now I want to block some specific websites. What should I do?"
This is not a very difficult task, as long as you know how Cisco IOS works. Here I will walk you through it and point out what you need to watch for when using this method.
Step 1: configure a DNS server
Suppose we want to block a website named www.badsite.com. We do not know the website's IP address, and we do not want to have to look it up. No problem -- Cisco IOS will find the address and fill it in.
To do this, we need to configure at least one DNS server on the router, using the ip name-server command. Here is an example:
Router(config)# ip name-server 1.1.1.1 2.2.2.2
In this example, we have configured a primary DNS server, 1.1.1.1, and a backup DNS server, 2.2.2.2, so that the router can resolve domain names. When we ping a domain name, the router uses these DNS servers. Here is an example:
Router# ping www.techrepublic.com
Translating "www.techrepublic.com"... domain server (1.1.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.113.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#
In the preceding example, the router uses the DNS server we specified, 1.1.1.1, to resolve the domain name. It successfully resolves www.techrepublic.com to its IP address, 216.239.113.101.
If we do not specify a DNS server, the router may instead return something like this:
Translating "www.techrepublic.com"... domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.
Step 2: Create an ACL
To actually block access to a website, we must create an access control list (ACL) that defines what we want to block. Here is an example:
Router(config)# access-list 101 deny tcp any host www.badsite.com eq www
Translating "www.badsite.com"... domain server (1.1.1.1) [OK]
Router(config)# access-list 101 permit tcp any any eq www
! To allow all other web traffic
This ACL denies all access to the specific website www.badsite.com, while still allowing all users to reach any other website.
Finally, because every ACL ends with an implicit deny, all traffic other than WWW (HTTP) will be blocked as well.
If you want to know which IP addresses are trying to reach the blocked website, add the log keyword to record that information. Here is an example:
Router(config)# access-list 101 deny tcp any host www.badsite.com eq www log
Step 3: Be aware of the caveats
Note one thing. After you enter the first line of the ACL above, watch how the router uses the DNS server to resolve the domain name. It then replaces the host name in the ACL with the IP address it obtained from DNS. Let's take a closer look at the configuration:
Router# sh run | inc access-list 101
access-list 101 deny tcp any host 66.116.109.62 eq www
This is a handy feature, but it can cause trouble for a couple of reasons. First, this IP address is only the first address in the DNS server's response. If the site is a large one with many servers (such as a search engine), the ACL contains only the first IP address that DNS returned, and you will have to block the remaining addresses manually. Here is an example:
C:\> nslookup www.google.com
Server: DNSSERVER
Address: 1.1.1.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.167.104, 64.233.167.147, 64.233.167.99
Aliases: www.google.com
Second, if the blocked web server's IP address changes, the address in the ACL does not change with it. You must update the ACL manually.
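As an added example that is not part of the original article, the following Python script audits exactly these two pitfalls offline: it parses a constructed "show run | inc access-list 101" output, compares the literal IPs the router froze into the ACL against a constructed full DNS answer (every address, as nslookup shows them), and emits the deny lines that are still missing plus any entries for addresses the site no longer uses. The running-config text, the DNS answers and the address 203.0.113.7 are constructed sample data.

```python
import ipaddress
import re

# Constructed sample of "show run | inc access-list 101" after the router
# resolved each host name to only the first address DNS returned (Step 3).
# 203.0.113.7 stands for an address the blocked site no longer uses.
SAMPLE_RUNNING_CONFIG = """\
access-list 101 deny tcp any host 66.116.109.62 eq www log
access-list 101 deny tcp any host 64.233.167.104 eq www
access-list 101 deny tcp any host 203.0.113.7 eq www
access-list 101 permit tcp any any eq www
"""

# Constructed sample of the full DNS answer for each blocked name today
# (every address, not just the first one the router kept).
CURRENT_DNS = {
    "www.badsite.com": ["66.116.109.62", "66.116.109.63"],
    "www.google.com": ["64.233.167.104", "64.233.167.147", "64.233.167.99"],
}

# One "deny ... host <ip> eq www" entry as IOS writes it to the running config.
ACE_RE = re.compile(
    r"^access-list (?P<num>\d+) deny tcp any host "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) eq www(?: log)?$"
)


def blocked_hosts(running_config: str, acl_number: int = 101) -> set:
    """Return the literal destination IPs that the ACL currently denies on port www."""
    hosts = set()
    for line in running_config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group("num")) == acl_number:
            hosts.add(m.group("ip"))
    return hosts


def audit_acl(running_config: str, dns_answers: dict, acl_number: int = 101, log: bool = True):
    """Compare the ACL's frozen IPs with the current DNS answers.

    Returns (missing, stale, new_lines): addresses DNS returns but the ACL lacks,
    addresses the ACL still lists but DNS no longer returns, and the ACEs to add.
    """
    configured = blocked_hosts(running_config, acl_number)
    wanted = {ip for ips in dns_answers.values() for ip in ips}
    by_addr = ipaddress.ip_address  # sort numerically, not as strings
    missing = sorted(wanted - configured, key=by_addr)
    stale = sorted(configured - wanted, key=by_addr)
    suffix = " log" if log else ""
    new_lines = [f"access-list {acl_number} deny tcp any host {ip} eq www{suffix}" for ip in missing]
    return missing, stale, new_lines
```

Run audit_acl against a real "show run | inc access-list" capture and the full DNS answer set on a schedule, and the stale list tells you which entries have drifted since the router resolved the name.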
Step 4: Apply the ACL
Creating an ACL does not mean the router uses it; we must also apply the ACL to an interface. Now suppose we want this ACL to keep the internal LAN from reaching the wide area network (the Internet). We are therefore filtering on the traffic's source side (the LAN) rather than on its destination.
Given that design, we apply this ACL in the out direction on the router interface. Here is an example:
Router(config)# int serial 0/0
Router(config-if)# ip access-group 101 out
Have you used Cisco IOS to block websites? What is your ACL? Do you have a good ACL to share with us? Please leave your comments.