Configure Cisco IOS URL Filtering on a Router with Security Device Manager




Introduction

Cisco IOS URL Filtering provides a way to permit or block specific websites based on policies defined within Cisco IOS Software. This document explains how to configure Cisco IOS URL Filtering on your router with SDM. It applies to 1800, 2800 and 3800 series Cisco routers. Legacy platforms are also supported.





Requirements

To perform the steps described in this document, you need to have these items:

  • Router which runs Cisco IOS Software Advanced Security images, supporting the K9 bundle on 1800, 2800, and 3800 Series routers

  • Cisco® Router and Security Device Manager (SDM) version 2.3

  • You must have completed Configure Your Router with Security Device Manager

  • Complete the LAN Addressing Worksheet from the Site Survey





Configure Cisco IOS URL Filtering on a Router

Cisco IOS URL Filtering provides an easy and inexpensive way to filter URLs based on corporate policies without the need for any external filtering servers. URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on the information contained in a URL list.

Configure Cisco IOS URL Filtering

Follow these steps to configure Cisco IOS URL Filtering:

  1. Open a web browser and type http://router-IP-address in the Address field. Use the IP address that you entered in field L6A of the LAN Addressing Worksheet. Press Enter to launch SDM. For more information on how to launch SDM, refer to Configure Your Router with Security Device Manager.

    Note: This document uses examples from SDM version 2.3. Other versions of SDM display different output.

  2. Click Configure.

    config_IOS_URL_Filtering_SDM_01.gif

  3. Click the Firewall and ACL tab.

    config_IOS_URL_Filtering_SDM_02.gif

  4. Choose Basic Firewall and click Launch the Selected Task.

    config_IOS_URL_Filtering_SDM_03.gif

  5. On the Basic Firewall Configuration Wizard, click Next.

    config_IOS_URL_Filtering_SDM_04.gif

  6. On the Basic Firewall Interface Configuration screen, select the interfaces: FastEthernet0 as the outside (untrusted) interface and Default Vlan 20 as the inside (trusted) interface and click Next.

    config_IOS_URL_Filtering_SDM_05.gif

  7. In the Warning message window, click OK.

    config_IOS_URL_Filtering_SDM_06.gif

  8. The Basic Firewall Security Configuration wizard provides preconfigured application security policies. Set the slider to Medium Security and click Next.

    config_IOS_URL_Filtering_SDM_07.gif

  9. On the Basic Firewall Domain Name Server Configuration screen, check Enable DNS based hostname to address translation, enter the IP address of the primary server from fields L4 and L5 of the LAN Addressing Worksheet, and click Next.

    config_IOS_URL_Filtering_SDM_08.gif

  10. On the Internet Firewall Configuration Summary screen, click Finish.

    config_IOS_URL_Filtering_SDM_09.gif

  11. In the Commands Delivery Status window, click OK.

    config_IOS_URL_Filtering_SDM_10.gif

  12. In the Information window, click OK. Next, you are directed to the Edit Firewall Policy/ACL tab next to the Firewall and ACL section.

    config_IOS_URL_Filtering_SDM_11.gif

Configure Local URL List

If the Cisco IOS image on the router supports URL filtering but does not support Zone-based Policy Firewall (ZPF), you can maintain one local URL list on the router. This list is used by all Application Security policies in which the URL filtering is enabled.

Note: Cisco IOS images of release 12.4(9)T and later support all the ZPF features that SDM supports. In a ZPF configuration, a local URL list can be created for each URL filtering parameter map. Contact the SMB Technical Assistance Center (SMB TAC) for further assistance.

Follow these steps to configure Local URL List:

  1. On the Firewall and ACL screen, click Application Security.

    config_IOS_URL_Filtering_SDM_12.gif

  2. Next to Application Security settings, click URL Filtering.

    config_IOS_URL_Filtering_SDM_13.gif

  3. Check the Enable URL Filtering box. The Add URL... button is activated. Click Add URL.

    config_IOS_URL_Filtering_SDM_14.gif

  4. In the Add Local URL window, enter a complete domain name such as www.cisco.com. Select Permit and click OK. All HTTP traffic destined to this domain is permitted.

    config_IOS_URL_Filtering_SDM_15.gif

  5. Click Add URL again to block the websites you want; the Add Local URL dialog appears again. This time, enter a partial domain name such as .yahoo.com and select Deny. Click OK. All HTTP traffic destined to URLs whose domain names end with this partial domain name, such as mail.yahoo.com and smallbusiness.yahoo.com, is denied (blocked).

    config_IOS_URL_Filtering_SDM_16.gif

  6. Click Apply Changes at the bottom of the screen.

    config_IOS_URL_Filtering_SDM_16a.gif

    Note: In some cases, users maintain a list of URLs to which they want to allow or disallow access. Use the Import URL List button at the top corner of the screen to import such a URL list from your PC to the router. The URL list that you select must have a .txt or .csv extension.

  7. In the Warning message window, click OK.

    config_IOS_URL_Filtering_SDM_16b.gif

  8. In the Commands Delivery Status window, click OK.

    config_IOS_URL_Filtering_SDM_16c.gif

  9. Click Save.

    config_IOS_URL_Filtering_SDM_17.gif

Configure a URL Filtering Server

The router can send HTTP requests to third-party URL filtering servers such as Websense, N2H2, or SmartFiltering, which can store much larger URL lists than the router can. If the router is configured with a URL filter server list, the router sends requests that do not match entries in the local list to the URL filter server it has a connection to, and permits or denies the request based on the response it receives from the server.

Note: Cisco IOS images of release 12.4(9)T and later support all the ZPF features that SDM supports. In a ZPF configuration, a local URL list can be created for each URL filtering parameter map. You can use Cisco SDM to create list entries and you can import entries from a list stored on your PC. When a local URL list is used in combination with URL filter servers, local entries are used first.

Follow these steps to configure a URL Filtering Server:

  1. Next to the Application Security tab, expand URL Filtering and click URL Filter Servers.

    config_IOS_URL_Filtering_SDM_18.gif

  2. In the URL Filter Server window, click Add and select Add Websense.

    config_IOS_URL_Filtering_SDM_19.gif

  3. In the Add Websense Server window, make these changes to defaults:

    1. In the IP address/Hostname field, enter the IP address of the Websense server. For the IP address, use the Secure Server network IP address that you entered in field L6C of the Secure Server VLAN Addressing Worksheet.

    2. For "Direction", choose inside if the URL filter server is part of the inside network. This is usually one of the networks that the router LAN interfaces connect to. Choose outside if the router is in the outside network. This is usually one of the networks that the router WAN interfaces connect to. In our example, inside is entered.

    3. Leave the rest to the default and click OK.

    config_IOS_URL_Filtering_SDM_20.gif

  4. Click Apply Changes.

    config_IOS_URL_Filtering_SDM_21.gif

  5. Click Save.

    config_IOS_URL_Filtering_SDM_22.gif
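
The matching rules from the local URL list steps (complete name versus partial name with a leading dot) and the local-first order from the URL filter server note, modeled as an added Python example for checking a list before you apply or import it. This is not Cisco or SDM code: the (action, pattern) entry format, the function names and the "ask-server" label are assumptions, and list order is only a stand-in where entries overlap, which is why overlaps are reported for review.

```python
# Added example: a model of the local URL list behaviour described above.
# The entry format and all names here are assumptions, not SDM's own.

def normalize(host):
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return host.strip().lower().rstrip(".")

def matches(pattern, host):
    """Complete domain name: exact match. Partial name (leading dot): suffix match."""
    pattern, host = pattern.strip().lower(), normalize(host)
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern

def decide(entries, host):
    """Local entries are used first; a host with no local match is sent to the
    URL filter server. Returns 'permit', 'deny' or 'ask-server'."""
    for action, pattern in entries:  # list order is an assumption of this model
        if matches(pattern, host):
            return action
    return "ask-server"

def overlaps(entries):
    """Report complete-name entries that a partial-name entry also covers with
    a different action, so the list can be cleaned up before it is applied."""
    found = []
    for action, pattern in entries:
        if pattern.startswith("."):
            continue
        for other_action, other in entries:
            if (other.startswith(".") and other_action != action
                    and matches(other, pattern)):
                found.append((pattern, action, other, other_action))
    return found

# Constructed sample list: the two entries from the steps above plus one
# deliberately conflicting entry.
SAMPLE = [
    ("permit", "www.cisco.com"),
    ("deny", ".yahoo.com"),
    ("permit", "mail.yahoo.com"),
]

if __name__ == "__main__":
    for h in ("www.cisco.com", "smallbusiness.yahoo.com", "yahoo.com", "example.org"):
        print(h, "->", decide(SAMPLE, h))
    for item in overlaps(SAMPLE):
        print("overlap:", item)
```

In this model the bare name yahoo.com does not end with .yahoo.com, so it falls through to the filter server rather than being denied by the partial-name entry.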





Next Step

You have now configured URL Filtering on your router.

To make further changes to your router, refer to the Router Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You added a new firewall rule to permit or deny access to a website but it does not work.

Cause(s) and Suggested Solution(s): Contact the SMB Technical Assistance Center (SMB TAC) for assistance.






© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.