Use Cisco IOS to block access to a specific website

Source: Internet
Author: User

This document describes how to block access to a specific website from a Cisco router. We use a Cisco 2600 as the example and walk through the configuration step by step.

Suppose you have a Cisco 2600 router that serves as the Internet gateway for a LAN. What do you do if you want to block certain websites?

This is not a difficult task, as long as you know how Cisco IOS handles hostnames in access lists. Here we walk through the procedure and point out what you need to watch for along the way.

Step 1: Configure DNS servers

Suppose we want to block a website named www.itmop.com. We do not know the IP address of the website, and we do not want to look it up by hand. No problem: Cisco IOS resolves the name and fills the address in for us.

For that to work, the router needs at least one DNS server configured. To configure DNS servers, use the ip name-server command, for example:

Router(config)# ip name-server 1.1.1.1 2.2.2.2

In this example, we configure a primary DNS server 1.1.1.1 and a secondary DNS server 2.2.2.2 so that the router can resolve domain names. This does not affect any traffic passing through the router; it only tells the router itself where to send its own DNS queries. When we ping a domain name from the router, it uses these DNS servers, as in the following example:

Router# ping www.techrepublic.com

Translating "www.techrepublic.com"... domain server (1.1.1.1) [OK]

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 216.239.113.101, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#

In the preceding example, the router uses the server 1.1.1.1 that we specified to resolve the domain name. It successfully resolves www.techrepublic.com to the corresponding IP address, 216.239.113.101.

If no DNS server is configured, the router instead broadcasts the query to 255.255.255.255 and fails with output like the following:

Translating "www.techrepublic.com"... domain server (255.255.255.255)

% Unrecognized host or address, or protocol not running.

Step 2: Create an ACL

To actually block access to a website, we must create an access control list (ACL) that defines what we want to block. For example:

Router(config)# access-list 101 deny tcp any host www.itmop.com eq www

Translating "www.itmop.com"... domain server (1.1.1.1) [OK]

Router(config)# access-list 101 permit tcp any any eq www

! To allow all other web traffic

The first line of this ACL denies TCP traffic from any source to the web server www.itmop.com on port 80 (www). The second line then permits web traffic from any source to any other destination, so users can still reach every other website. Note that an extended ACL entry needs both a source and a destination; "permit tcp any any eq www" means any source, any destination, destination port 80.

Two caveats. First, every ACL ends with an implicit deny, so with only these two lines all traffic other than port 80 web traffic (DNS, HTTPS on port 443, mail, and so on) is dropped as well; if that is not what you want, the ACL needs a final line that permits the remaining traffic. Second, the deny line matches only port 80, so the same site reached over HTTPS is not blocked by this entry.

If you want to know which IP addresses are trying to reach the blocked website, add the log keyword to the deny entry so that matches are recorded in the router's log. For example:

Router(config)# access-list 101 deny tcp any host www.itmop.com eq www log

Step 3: Avoid gaps in the block

Pay attention to what happens when you enter the first line of the ACL: the router uses the DNS server to resolve the domain name, then stores the resulting IP address in the ACL in place of the hostname. Look at the running configuration:

Router# sh run | inc access-list 101

access-list 101 deny tcp any host 66.116.109.62 eq www

This is a convenient feature, but it has two drawbacks. First, the stored address is only the first IP address in the DNS response. If the site is large and served from multiple addresses, as a search engine would be, the ACL contains only the first address the DNS server returned, and you have to add the remaining addresses to the ACL by hand. For example:

C:\> nslookup www.google.com

Server: DNSSERVER

Address: 1.1.1.1

Non-authoritative answer:

Name: www.l.google.com

Addresses: 64.233.167.104, 64.233.167.147, 64.233.167.99

Aliases: www.google.com

Second, if the IP address of the blocked web server changes, the address stored in the ACL does not change with it. You must update the ACL manually.

Step 4: Apply the ACL

Creating an ACL does not by itself make the router use it; we must also apply the ACL to an interface. Our goal is to stop hosts on the internal LAN from reaching a site on the external WAN (the Internet). The website's address is therefore the destination in the ACL entries, and the ACL must be placed where traffic from the LAN toward the Internet passes through it.

Given that design, we apply the ACL in the outbound direction on the WAN-facing interface (here serial 0/0); applying it inbound on the LAN interface would work equally well. For example:

Router(config)# int serial 0/0

Router(config-if)# ip access-group 101 out
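The following script is an added example, not part of the original article. It ties Steps 2 through 4 together and works around the gap described in Step 3: because IOS keeps only the first address DNS returns, the script resolves every address itself and emits one deny line per address, followed by the permit for other web traffic and a final permit ip any any so the implicit deny does not cut off everything else. It also compares an existing running configuration against a fresh resolution to flag the second problem from Step 3, an address that has changed since the ACL was written. The function names (build_acl, find_drift, apply_on_interface), the SAMPLE_RESOLUTION table and its mapping of hostnames to addresses are my own constructions for offline use; the addresses themselves are the ones shown in the article's outputs, and resolve_all is provided for real use against the system resolver.

```python
"""Generate a Cisco IOS extended ACL that blocks every address a site resolves to.

Added example (not from the original article). IOS resolves a hostname in an
access-list command to only the first DNS answer, so this script resolves all
addresses itself, emits one deny per address, and adds the permit lines the
article's ACL needs so other traffic still flows. It can also diff a running
config against a fresh resolution to catch addresses that changed later.
"""
import re
import socket
from ipaddress import ip_address

# Constructed resolver output for offline use. The addresses mirror the
# article's own examples (the itmop.com ACL line and the nslookup output).
SAMPLE_RESOLUTION = {
    "www.itmop.com": ["66.116.109.62"],
    "www.google.com": ["64.233.167.104", "64.233.167.147", "64.233.167.99"],
}


def resolve_all(hostname):
    """Return every IPv4 address for hostname using the system resolver (needs network)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def build_acl(acl_number, blocked, log=True):
    """Build extended ACL lines: one deny per resolved address, then the permits.

    blocked maps hostname -> list of IPv4 addresses (all of them, not just the first).
    """
    lines = []
    suffix = " log" if log else ""
    for addrs in blocked.values():
        for addr in addrs:
            ip_address(addr)  # raise ValueError on garbage before it reaches the router
            lines.append(f"access-list {acl_number} deny tcp any host {addr} eq www{suffix}")
    # Allow all other web traffic. Extended ACLs need both fields: source any, destination any.
    lines.append(f"access-list {acl_number} permit tcp any any eq www")
    # Without this the implicit deny would also drop DNS, HTTPS, mail and everything else.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def apply_on_interface(acl_number, interface, direction="out"):
    """Interface commands that bind the ACL; 'out' on the WAN side blocks LAN -> Internet."""
    return [f"interface {interface}", f" ip access-group {acl_number} {direction}"]


# Matches the deny entries as IOS stores them (hostname already replaced by an address).
DENY_HOST_RE = re.compile(r"access-list (\d+) deny tcp any host (\S+) eq www")


def blocked_hosts_in_config(running_config, acl_number):
    """Set of addresses currently denied by the given ACL in a 'show run' dump."""
    return {m.group(2) for m in DENY_HOST_RE.finditer(running_config)
            if int(m.group(1)) == acl_number}


def find_drift(running_config, acl_number, current):
    """Compare a running config with a fresh resolution.

    Returns addresses the site now uses that the ACL lacks ('missing') and
    addresses still in the ACL that the site no longer resolves to ('stale').
    """
    wanted = {a for addrs in current.values() for a in addrs}
    present = blocked_hosts_in_config(running_config, acl_number)
    return {"missing": sorted(wanted - present), "stale": sorted(present - wanted)}


if __name__ == "__main__":
    for line in build_acl(101, SAMPLE_RESOLUTION):
        print(line)
    for line in apply_on_interface(101, "Serial0/0"):
        print(line)
```

Run it as-is to print a complete ACL for the constructed table; in production, replace SAMPLE_RESOLUTION with a dict built from resolve_all() and feed the output of "show run | include access-list 101" to find_drift() on a schedule, so that a changed or newly added server address shows up as "missing" before users notice the block no longer works.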

Okay, you're done!
