1. Home
  2. Cisco Systems
  3. How to deny an URL instead of an IP address in ACL?

How to deny an URL instead of an IP address in ACL?

Hi NG,

One of my customers router is configured as a EZVPN startpoint. To collect all local subnets to forward into that VPN an ACL is setup.

I'd like to exclude a specific traffic pattern from going over the VPN. Src = one single host of subnet 3 dst = URL

currently its done with the IP of the remote subnet. Due to the fact that the remote address may change i'd like to replace the remote ip subnet by its URL.

Does anyone has an idea how to do that?

---snip--- crypto ipsec client ezvpn US2Europe connect auto group group-g2 key xxxxxxxxxxxxxxxxxxxxxxxxxxxx mode network-extension peer x.x.x.x acl inside_networks flow restrict virtual-interface 1 username snipped-for-privacy@provider.net password xxxxxxxx xauth userid mode local ! ! ip access-list extended inside_networks permit ip 0.0.0.255 any permit ip 0.0.0.255 any ! deny ip host 0.0.0.255 ! permit ip 0.0.15.255 any

---snip---

tnaks for any hints. stephan

Reply to
stephan
Loading thread data ...

ACL's based on IP addresses are quite a bit easier.

You'll want to use the NBAR feature.

Here's a pretty decent tutorial.

formatting link

Reply to
Doug McIntyre

I played in the lab and learned this:

Having a 3560 as a L3-switch and an 1800 router. I compared the ability of both to filter the URL in an ACL. First I used NBAR on the router:

! class-map match-any cm_http-url match protocol http host *zzzzzz.com* ! zzzzz.com = url ! policy-map pm_http-url class cm_http-url set ip dscp 1 !

manipulate. But its easy to recognize an URL with NBAR. I switches over to the L3-switch and did this:

! route-map net-111 permit 10 match ip address 111 set ip next-hop 10.96.240.3 ! route-map net-111 permit 20 ! interface g0/1 ip policy route-map net-111 ! access-list 111 ......

conclusion: both did a good job, but not the thing i wanted. My next christmas-wish is this: a cat-IOS with this >>>commands

Reply to
stephan

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.