Monday 11 February 2013

Configuring Cisco Router with ADSL Modem (PPPoA / PPPoE) and NAT

This quick guide shows how to configure a Cisco router with an external ADSL modem using PPPoA or PPPoE.

The following sample configuration uses a Cisco 2900 with IOS image version 15.0(1r). Although the example uses a 2900 router, the configuration also applies to 800, 1900 and 3900 routers.

Network Diagram


Configuration

LAN interface:

Configure your LAN interface with a static IP address.

int gi0/0
 description ADSL-LAN Interface
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 no shutdown

WAN interface:

Configure PPPoE client on your WAN Interface:

int gi0/1
 description ADSL-WAN Interface
 pppoe-client dial-pool-number 1
 no shutdown

Dialer interface:

Configure a dialer interface as follows:

int Dialer0
 encapsulation ppp
 dialer pool 1
 ip address negotiated
 ppp chap hostname YOUR_CHAP_LOGIN
 ppp chap password YOUR_CHAP_PASSWORD
 ip mtu 1492
 ip tcp adjust-mss 1452
 ip nat outside

NAT Configuration:

access-list 10 permit 172.16.0.0 0.0.255.255
ip nat inside source list 10 int dialer0 overload

Routing Configuration:

Add a default static route for Internet traffic:

ip route 0.0.0.0 0.0.0.0 dialer0

Friday 8 February 2013

How to Install Zimbra 8.0.2 on Ubuntu 12.04 LTS

Introduction

VMware Zimbra is an enterprise-class email, calendar and collaboration suite designed for the cloud, both private and public. Its flexibility, scalability and stability make it a complete email solution that can be deployed in any environment, small or large. The Zimbra email server can be accessed from the Zimbra Web Client, the Zimbra Desktop offline client, Outlook and a variety of other standards-based email clients and mobile devices.

The three editions of Zimbra are:

1. ZCS Network Edition
2. ZCS hosted email by a Zimbra partner
3. ZCS Open Source Edition (free)

Components included with Zimbra Collaboration Server 8.0.2
  • Postfix - Free Mail Transfer Agent
  • MySQL - Database software
  • OpenLDAP - LDAP for User authentication
  • Jetty - Web application server
  • Lucene - Text and search engine
  • ClamAV  - Antivirus scanner
  • SpamAssassin - Anti-spam software
  • Amavis (amavisd-new) - Content checker
  • Aspell - Spell checker
  • James/Sieve - Email filter

Installation of Zimbra 8.0.2 Open Source Edition on Ubuntu 12.04 LTS

System Requirements

Refer to the system requirements: https://www.zimbra.com/docs/os/8.0.0/multi_server_install/wwhelp/wwhimpl/common/html/wwhelp.htm#href=ZCS_Multiserver_Open_8.0.System_Requirements_for_VMware_Zimbra_Collaboration_Server_8.0.html&single=true

Assumptions

The configuration is based on the following assumptions:

Ubuntu server IP - 192.168.1.100
Ubuntu Server FQDN - mail.mydomain.com
DNS Server IP - 192.168.1.10 (Internal Windows DNS server) , 8.8.8.8
Gateway IP - 192.168.1.1
Domain name - mydomain.com

A.) Preparing Ubuntu for Zimbra Installation

1. Install Ubuntu 12.04 LTS on your server (Include openssh-server during package selection)

2. Login as root user.

3. Update and upgrade Ubuntu

    #apt-get update
    #apt-get upgrade

4. Set a static IP for the server

#vi /etc/network/interfaces

auto eth0
iface eth0 inet static
address 192.168.1.100
gateway 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
dns-nameservers 192.168.1.10 8.8.8.8

:wq!

Now restart networking to make the change effective:

#/etc/init.d/networking restart

5. Set a hostname for the server. Later this will become the name of your Zimbra email server.

#vim  /etc/hostname

mail.mydomain.com

:wq!

6. DNS Configuration:

You can use either BIND or your internal DNS server (e.g. a Windows DNS server). The configuration for both is given below. In this example I used my internal Windows DNS server to create the A record and the MX record.

a.) For BIND configuration follow the below steps:

i. Install BIND9: # sudo apt-get install bind9
ii. Edit the file: # vi /etc/bind/named.conf
    Remove the '//' from the forwarders block and add the DNS server IP address, as below:

forwarders {
        8.8.8.8;
};

Then add the lines below and save the file:

 zone "mail.mydomain.com" {
          type master;
          file "file.mail.mydomain.com";
};



Now create a file "file.mail.mydomain.com" in the /var/cache/bind/ directory with the following contents:

; Fully qualified names end with a dot; without it BIND appends the zone name.
$ttl 38400
@       IN      SOA     mail.mydomain.com. mail.mydomain.com. (
                        2011091202      ; serial
                        10800           ; refresh
                        3600            ; retry
                        604800          ; expire
                        38400 )         ; negative-cache TTL
        IN      NS      ns.mail.mydomain.com.
        IN      A       192.168.1.100
        IN      MX      10 mail.mydomain.com.

@       A       192.168.1.100
ns      A       192.168.1.100
mail    A       192.168.1.100


Then edit /etc/resolv.conf and change nameserver to 192.168.1.100

Now restart BIND9 services: # /etc/init.d/bind9 restart

For more info visit http://blog.zimbra.com/blog/archives/2007/06/making-zimbra-bind-work-together.html and http://wiki.zimbra.com/wiki/Split_dns

b.) If it is a Windows DNS Server:

  • Edit /etc/resolv.conf and provide the IP address of your Windows DNS server:

nameserver 192.168.1.10

  • Create a forward lookup zone (mydomain.com) and add the records below:

Forward lookup zone name <-> mydomain.com
A record <-> mail <-> 192.168.1.100
MX record <-> mail <-> mail.mydomain.com <-> priority 10

Now verify the DNS configuration with dig (in this example I used the Windows DNS server):

#dig mail.mydomain.com mx

; <<>> DiG 9.8.1-P1 <<>> mail.mydomain.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37752
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.mydomain.com.                 IN      MX

;; ANSWER SECTION:
mail.mydomain.com.         3600    IN      MX      10 mail.mydomain.com.

;; ADDITIONAL SECTION:
mail.mydomain.com          3600    IN      A       192.168.1.100

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Thu Feb  4 20:57:38 2013
;; MSG SIZE  rcvd: 63
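
A scripted version of this check, as an added example that is not part of the original post: it reads the records printed by `dig +noall +answer +additional` and fails unless the MX target has an A record equal to the server's LAN address, which is what the Zimbra setup later reports as "MX: mail.mydomain.com (192.168.1.100)". The function names and the 203.0.113.10 address in the mismatch sample are constructed for illustration.

```shell
#!/bin/sh
# Pre-install DNS check for the Zimbra host (added example, not from the post).
# Records are read on stdin in dig's answer format, for example:
#   dig +noall +answer +additional mail.mydomain.com mx | \
#       check_mail_dns mail.mydomain.com 192.168.1.100

# Constructed sample: the two records shown in the dig output on this page.
sample_records() {
    cat <<'EOF'
mail.mydomain.com.   3600  IN  MX  10 mail.mydomain.com.
mail.mydomain.com.   3600  IN  A   192.168.1.100
EOF
}

# Constructed sample: the name resolves through an outside resolver instead of
# the internal zone, so the A record is not the LAN address.
sample_records_mismatch() {
    cat <<'EOF'
mail.mydomain.com.   3600  IN  MX  10 mail.mydomain.com.
mail.mydomain.com.   3600  IN  A   203.0.113.10
EOF
}

# check_mail_dns FQDN EXPECTED_IP   (records on stdin)
# Returns 0 only when FQDN has an MX record and every MX target has an
# A record equal to EXPECTED_IP. Prints one line explaining the result.
check_mail_dns() {
    awk -v fqdn="$1" -v ip="$2" '
        # Compare names without the trailing dot and without regard to case.
        function norm(n) { sub(/\.$/, "", n); return tolower(n) }
        /^;/ || NF < 5 { next }          # skip dig comment lines and blanks
        $4 == "MX" && norm($1) == norm(fqdn) { mx[norm($6)] = 1; nmx++ }
        $4 == "A" { a[norm($1)] = $5 }
        END {
            if (!nmx) { print "FAIL: no MX record for " fqdn; exit 1 }
            for (t in mx) {
                if (!(t in a)) {
                    print "FAIL: MX target " t " has no A record"; exit 1
                }
                if (a[t] != ip) {
                    print "FAIL: " t " resolves to " a[t] ", expected " ip
                    exit 1
                }
            }
            print "OK: MX for " fqdn " resolves to " ip
        }'
}

# Run both constructed samples; the second one is expected to fail.
sample_records | check_mail_dns mail.mydomain.com 192.168.1.100
sample_records_mismatch | check_mail_dns mail.mydomain.com 192.168.1.100 || true
```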
 
7. Firewall Configuration (Optional)

Zimbra recommends installing ZCS on a system without a firewall. If required, you can configure a firewall on your Ubuntu 12.04 LTS server. For more info refer to these documents:
http://wiki.zimbra.com/wiki/Firewall_Configuration
https://help.ubuntu.com/community/IptablesHowTo#Disabling%20the%20firewall

8. Installing  prerequisites:

You have to install the below packages before installing ZCS 8.0.2

#apt-get install netcat-traditional

#apt-get install libperl5.14

#apt-get install libidn11-dev

#apt-get install libgmp3c2  sysstat  sqlite3

9. Disable & remove AppArmor

#sudo /etc/init.d/apparmor stop
#sudo /etc/init.d/apparmor teardown
#sudo update-rc.d -f apparmor remove

B.) Installing Zimbra

10. Download Zimbra collaboration suite 8.0.2 from Zimbra website :

#wget http://files2.zimbra.com/downloads/8.0.2_GA/zcs-8.0.2_GA_5569.UBUNTU12_64.20121210115059.tgz

11. Unpack the downloaded zimbra package:

#tar -zxvf zcs-8.0.2_GA_5569.UBUNTU12_64.20121210115059.tgz

12. Change into the unpacked Zimbra directory and run the installer.

#cd zcs-8.0.2_GA_5569.UBUNTU12_64.20121210115059

#./install.sh

Operations logged to /tmp/install.log.1431
Checking for existing installation...
    zimbra-ldap...NOT FOUND
    zimbra-logger...NOT FOUND
    zimbra-mta...NOT FOUND
    zimbra-snmp...NOT FOUND
    zimbra-store...NOT FOUND
    zimbra-apache...NOT FOUND
    zimbra-spell...NOT FOUND
    zimbra-convertd...NOT FOUND
    zimbra-memcached...NOT FOUND
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-cluster...NOT FOUND
    zimbra-core...NOT FOUND


PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
ZIMBRA, INC. ("ZIMBRA") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for the Zimbra Collaboration Suite:
  http://www.zimbra.com/license/zimbra_public_eula_2.1.html

Do you agree with the terms of the software license agreement? [N] Y

Oracle Binary Code License Agreement for the Java SE Platform Products

ORACLE  AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES UNDER COMMON CONTROL, IS WILLING TO  LICENSE  THE SOFTWARE  TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS  CONTAINED IN THIS BINARY CODE LICENSE AGREEMENT AND SUPPLEMENTAL  LICENSE TERMS (COLLECTIVELY "AGREEMENT").  PLEASE READ THE AGREEMENT  CAREFULLY.  BY SELECTING THE "ACCEPT LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND/OR BY USING THE SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS AND AGREE TO THEM.  IF YOU ARE AGREEING TO THESE TERMS ON BEHALF OF A  COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE LEGAL  AUTHORITY TO BIND THE LEGAL ENTITY TO THESE TERMS.  IF YOU DO NOT HAVE SUCH  AUTHORITY, OR IF YOU DO NOT WISH TO BE BOUND BY THE TERMS, THEN SELECT THE "DECLINE LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND YOU MUST NOT USE THE SOFTWARE ON THIS SITE OR ANY OTHER MEDIA ON WHICH THE SOFTWARE IS CONTAINED.

I.  THIRD PARTY CODE.  Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME file accessible at http://www.oracle.com/technetwork/java/javase/documentation/index.html.  In addition to any terms and conditions of any third party opensource/freeware license identified in the  THIRDPARTYLICENSEREADME file, the disclaimer of warranty and limitation of liability  provisions in  paragraphs 4 and 5 of the Binary Code License Agreement shall apply to all Software in this distribution.

J.  TERMINATION FOR INFRINGEMENT.  Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.

K.  INSTALLATION AND AUTO-UPDATE.  The Software's installation and auto-update processes transmit a limited amount of data to Oracle (or its service  provider) about those specific processes to help Oracle understand and optimize them.  Oracle does not associate the data with personally  identifiable  information.  You can find more  information about the data Oracle collects as a result of your Software download at http://www.oracle.com/technetwork/java/javase/documentation/index.html.

For inquiries please contact:  Oracle America, Inc., 500 Oracle Parkway,
Redwood Shores, California 94065, USA.

Last updated May 17, 2011

Do you agree with the terms of the software license agreement? [N] Y

Checking for prerequisites...
     FOUND: NPTL
     FOUND: netcat-openbsd-1.89-4ubuntu1
     FOUND: sudo-1.8.3p1-1ubuntu3.3
     FOUND: libidn11-1.23-2
     FOUND: libpcre3-8.12-4
     FOUND: libgmp3c2-2:4.3.2+dfsg-2ubuntu1
     FOUND: libexpat1-2.0.1-7.2ubuntu1.1
     FOUND: libstdc++6-4.6.3-1ubuntu5
     FOUND: libperl5.14-5.14.2-6ubuntu2.2

Checking for suggested prerequisites...
     FOUND: perl-5.14.2
     FOUND: sysstat
     FOUND: sqlite3
Prerequisite check complete.

Checking for installable packages

Found zimbra-core
Found zimbra-ldap
Found zimbra-logger
Found zimbra-mta
Found zimbra-snmp
Found zimbra-store
Found zimbra-apache
Found zimbra-spell
Found zimbra-memcached
Found zimbra-proxy


Select the packages to install

Install zimbra-ldap [Y] Y

Install zimbra-logger [Y] Y

Install zimbra-mta [Y] Y

Install zimbra-snmp [Y] Y

Install zimbra-store [Y] Y

Install zimbra-apache [Y] Y

Install zimbra-spell [Y] Y

Install zimbra-memcached [N] N

Install zimbra-proxy [N] N

Checking required space for zimbra-core
Checking space for zimbra-store

Installing:
    zimbra-core
    zimbra-ldap
    zimbra-logger
    zimbra-mta
    zimbra-snmp
    zimbra-store
    zimbra-apache
    zimbra-spell

The system will be modified.  Continue? [N] Y

Removing /opt/zimbra
Removing zimbra crontab entry...done.
Cleaning up zimbra init scripts...done.
Cleaning up /etc/ld.so.conf...done.
Cleaning up /etc/security/limits.conf...done.

Finished removing Zimbra Collaboration Server.

Installing packages

    zimbra-core......zimbra-core_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-ldap......zimbra-ldap_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-logger......zimbra-logger_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-mta......zimbra-mta_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-snmp......zimbra-snmp_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-store......zimbra-store_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-apache......zimbra-apache_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
    zimbra-spell......zimbra-spell_8.0.2.GA.5434.UBUNTU12.64_amd64.deb...done
Operations logged to /tmp/zmsetup.01222013-154036.log
Installing LDAP configuration database...done.
Setting defaults...     MX: mail.mydomain.com (192.168.1.100)

        Interface: 192.168.1.100
        Interface: 127.0.0.1
        Interface: ::1
                192.168.1.100
done.
Checking for port conflicts

Main menu

   1) Common Configuration:
   2) zimbra-ldap:                             Enabled
   3) zimbra-store:                            Enabled
        +Create Admin User:                     yes
        +Admin user to create:                   admin@mail.mydomain.com
******* +Admin Password                  UNSET
        +Anti-virus quarantine user:            virus-quarantine.wn6wiltei@mail.mydomain.com
        +Enable automated spam training:   yes
        +Spam training user:                       spam.6rcnxbksez@mail.mydomain.com
        +Non-spam(Ham) training user:      ham.s6vyicipjc@mail.mydomain.com
        +SMTP host:                                  mail.mydomain.com
        +Web server HTTP port:                 80
        +Web server HTTPS port:              443
        +Web server mode:                        https
        +IMAP server port:                        143
        +IMAP server SSL port:                 993
        +POP server port:                           110
        +POP server SSL port:                   995
        +Use spell check server:                  yes
        +Spell server URL:                     http://mail.mydomain.com:7780/aspell.php
        +Configure for use with mail proxy:    FALSE
        +Configure for use with web proxy:    FALSE
        +Enable version update checks:         TRUE
        +Enable version update notifications:  TRUE
        +Version update notification email:    admin@mail.mydomain.com
        +Version update source email:          admin@mail.mydomain.com

   4) zimbra-mta:                              Enabled
   5) zimbra-snmp:                           Enabled
   6) zimbra-logger:                          Enabled
   7) zimbra-spell:                            Enabled
   8) Default Class of Service Configuration:
   r) Start servers after configuration        yes
   s) Save config to file
   x) Expand menu
   q) Quit

Address unconfigured (**) items  (? - help)

Enter 3 to open the zimbra-store menu and configure the admin password. Set a new password, then enter r to return to the main menu and a to apply the configuration.

Select, or 'r' for previous menu [r] r

Main menu

   1) Common Configuration:
   2) zimbra-ldap:                             Enabled
   3) zimbra-store:                            Enabled
   4) zimbra-mta:                              Enabled
   5) zimbra-snmp:                            Enabled
   6) zimbra-logger:                           Enabled
   7) zimbra-spell:                             Enabled
   8) Default Class of Service Configuration:
   r) Start servers after configuration        yes
   s) Save config to file
   x) Expand menu
   q) Quit


*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes] Y
Save config in file: [/opt/zimbra/config.7774]
The system will be modified - continue? [No] Y
Operations logged to /tmp/zmsetup.01222013-154036.log
Setting local config values...
done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Creating SSL zimbra-store certificate...done.
Creating new zimbra-ldap SSL certificate...done.
Creating new zimbra-mta SSL certificate...done.
Installing mailboxd SSL certificates...done.
Installing MTA SSL certificates...done.
Installing LDAP SSL certificate...done.
Initializing ldap...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Creating server entry for mail.mydomain.com...done.
Setting Zimbra IP Mode...done.
Saving CA in ldap ...done.
Saving SSL Certificate in ldap ...done.
Setting spell check URL...done.
Setting service ports on mail.mydomain.com...done.
Adding mail.mydomain.com to zimbraMailHostPool in default COS...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=FALSE...done.
Setting MTA auth host...done.
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on mail.mydomain.com...done.
Creating domain mail.mydomain.com...done.
Setting default domain name...done.
Creating domain mail.mydomain.com...already exists.
Creating admin account admin@mail.mydomain.com...done.
Creating root alias...done.
Creating postmaster alias...done.
Creating user spam.6rcnxbksez@mail.mydomain.com...done.
Creating user ham.s6vyicipjc@mail.mydomain.com...done.
Creating user virus-quarantine.wn6wiltei@mail.mydomain.com...done.
Setting spam training and Anti-virus quarantine accounts...done.
Initializing store sql database...done.
Setting zimbraSmtpHostname for mail.mydomain.com...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Starting servers...done.
Installing common zimlets...
        com_zimbra_proxy_config...done.
        com_zimbra_clientuploader...done.
        com_zimbra_srchhighlighter...done.
        com_zimbra_adminversioncheck...done.
        com_zimbra_attachmail...done.
        com_zimbra_date...done.
        com_zimbra_url...done.
        com_zimbra_tooltip...done.
        com_zimbra_ymemoticons...done.
        com_zimbra_webex...done.
        com_zimbra_attachcontacts...done.
        com_zimbra_bulkprovision...done.
        com_zimbra_cert_manager...done.
        com_zimbra_phone...done.
        com_zimbra_email...done.
Finished installing common zimlets.
Restarting mailboxd...done.
Creating galsync account for default domain...done.

You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
        The VERSION of zcs installed (8.0.2_GA_5434_UBUNTU12_64)
        The ADMIN EMAIL ADDRESS created (admin@mail.mydomain.com)

Notify Zimbra of your installation? [Yes] A Yes/No answer is required

You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
        The VERSION of zcs installed (8.0.2_GA_5434_UBUNTU12_64)
        The ADMIN EMAIL ADDRESS created (admin@mail.mydomain.com)

Notify Zimbra of your installation? [Yes] Yes
Notifying Zimbra of installation via http://www.zimbra.com/cgi-bin/notify.cgi?VER=8.0.2_GA_5434_UBUNTU12_64&MAIL=admin@mail.mydomain.com

Notification complete

Setting up zimbra crontab...done.

Moving /tmp/zmsetup.01222013-154036.log to /opt/zimbra/log

Configuration complete - press return to exit

13. Check the Zimbra server status:

#su zimbra

#zmcontrol status

Host mail.mydomain.com
        antispam              Running
        antivirus               Running
        ldap                     Running
        logger                  Running
        mailbox                Running
        mta                      Running
        snmp                    Running
        spell                     Running
        stats                     Running
        zmconfigd             Running

14. Now access the Zimbra admin console at https://192.168.1.100:7071

















That completes the installation of Zimbra Collaboration Suite 8.0.2 on Ubuntu 12.04 LTS!

Useful Links

1. Ubuntu Server download page - http://www.ubuntu.com/download/server
2. Zimbra Open source edition download page - http://www.zimbra.com/downloads/os-downloads.html
3. Ubuntu 12.04 LTS Documentation - https://help.ubuntu.com/12.04/index.html
4. Zimbra Collaboration Server 8.0 Open Source Edition Documentation - http://www.zimbra.com/community/documentation.html
5. Zimbra Collaboration Server 8.0 Admin guide (Must-Read guide) - http://files.zimbra.com/website/docs/8.0/Zimbra_OS_Admin_Guide_8.0.2.pdf
6. ZCS Install guide on Ubuntu 8.04 LTS - http://wiki.zimbra.com/wiki/Ubuntu_8.04_LTS_Server_%28Hardy_Heron%29_Install_Guide
7. Zimbra Desktop User Guide - http://www.zimbra.com/desktop7/help/en_US/Zimbra_Mail_Help.htm#Getting_Started/Zimbra_User_Help.htm
8. Advantages of Zimbra - http://web-hosting-talks.blogspot.in/2012/11/why-does-business-need-zimbra.html

Have a question? Ask here or visit the official Zimbra forum: http://www.zimbra.com/forums/forum.php

Monday 4 February 2013

Cisco IOS Local Content Filtering

Introduction

The Cisco IOS content filtering feature allows us to block, log or allow HTTP requests going through the router. It lets us categorize traffic (social networking, pornography, etc.) and filter it, which increases overall employee productivity and improves network security by blocking adware, malware, spyware and phishing sites. Cisco enabled this feature from IOS release 12.04(20)T.

Content filtering can be configured in two different ways on an IOS router:

1. Local Content Filtering: a local database of black and white lists on the router.
2. Subscription-based Content Filtering: the router communicates with an external content filtering server (Trend Micro, Websense and Smartfilter). You need to purchase a valid license from the vendor to do this.

[Note: Content filtering cannot work on https traffic.]

This document shows how to configure local content filtering on a Cisco IOS router.

Content filtering works as follows: when the end user requests a URL, the router checks with the content filtering services configured on it to decide whether to permit or deny the URL. Local content filtering has limited functionality compared with the Trend Micro content filtering service: the local database supports only 100 black and white lists.


Prerequisites

  1. This configuration requires a Zone Based Firewall deployed on your router. For more info visit http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html
  2. Cisco IOS release 12.4(15)XZ or above.
  3. The Cisco IOS Advanced IP Services or Advanced Security image is required.
  4. For more info visit http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/prod_qas0900aecd804abb06.html

Configuration Tasks

  1. Parameter map configuration to define patterns.
  2. Class-map configuration to define URL filtering classes.
  3. Policy-map configuration to allow or reset the classes.
  4. Apply policy-map configuration as a child object Zone-Based firewall security policy.

1. Configuring parameter map of type inspect to define patterns.

parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com

parameter-map type urlf-glob  PERMITTEDSITES
 pattern *

2. Class map configuration to define URL filtering classes

class-map type urlfilter match-any BLOCKEDSITES
 match  server-domain urlf-glob FACEBOOK
 match  server-domain urlf-glob YOUTUBE

class-map type urlfilter match-any PERMITTEDSITES
 match  server-domain urlf-glob PERMITTEDSITES

3. Policy map configuration

policy-map type inspect urlfilter CONTENT-FILTERING
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow

4. Apply policy-map configuration in Zone-Based firewall security policy.

You have to apply the URL filtering policy as a child policy (with the service-policy urlfilter command) of a zone-based firewall class which matches http traffic.

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
  service-policy urlfilter CONTENT-FILTERING

That completes the local content filtering configuration on a Cisco IOS router. Now try to connect to a blocked website and see the result.
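
The evaluation order of this policy, as an added example that is neither IOS code nor part of the original post: a small shell model for checking which host names the page's urlf-glob patterns cover before the policy is deployed. It assumes that classes are checked in policy-map order, that the first matching class decides the action, and that `*` matches any run of characters; the sample host names are constructed.

```shell
#!/bin/sh
# Simplified model (an assumption, not IOS behaviour taken from Cisco code) of
# the CONTENT-FILTERING policy-map on this page.

# One class per line, in policy-map order: "<class> <action> <patterns...>".
# The patterns are the ones in the FACEBOOK, YOUTUBE and PERMITTEDSITES
# parameter-maps above.
POLICY='BLOCKEDSITES reset facebook.com *.facebook.com youtube.com *.youtube.com
PERMITTEDSITES allow *'

# urlfilter_verdict SCHEME HOST -> prints "<action> <class>"
urlfilter_verdict() {
    scheme=$1
    # Host names are compared in lower case in this model.
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # The page notes that content filtering cannot work on https traffic.
    if [ "$scheme" != "http" ]; then
        echo "uninspected none"
        return 0
    fi
    set -f      # keep '*' in the patterns from expanding to file names
    verdict="no-match none"
    while read -r class action patterns; do
        for pat in $patterns; do
            case $host in
                $pat) verdict="$action $class"; break 2 ;;
            esac
        done
    done <<EOF
$POLICY
EOF
    set +f
    echo "$verdict"
}

# Constructed sample requests: scheme and host name.
while read -r s h; do
    printf '%-5s %-20s -> %s\n' "$s" "$h" "$(urlfilter_verdict "$s" "$h")"
done <<'EOF'
http  facebook.com
http  www.facebook.com
http  M.YouTube.com
http  myfacebook.com
https www.facebook.com
EOF
```

The bare-domain and `*.` patterns are both needed: `*.facebook.com` alone would not match `facebook.com`, and neither pattern matches a different domain that merely ends in the same letters.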


Verification and Troubleshooting

You can use the commands below for verification and troubleshooting.
  • show class-map type urlfilter
  • show policy-map type inspect urlfilter
  • show parameter-map type urlf-glob

You can also monitor the blocked sites in your router logs. Below is an example:


For more information about IOS content filtering using Trend Micro services visit http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html