From: Richard Foltz (ccie2b@xxxxxxxxxx)
Date: Tue Dec 04 2001 - 22:35:03 GMT-3
Well, try putting the policy map on the inbound connection from the
Internet, like the serial interface to your ISP. I'm assuming of course that
it's not the fastethernet0/0/0. Then make the access-list outbound on the
fastethernet interface. This way, packets get examined and marked as they
come in from the Internet, and dropped as they leave the router.
Richard Foltz, CCIE#8339, CCNP-Voice, CCDP, MCSE+I, Network+, A+
----- Original Message -----
From: "Frank Kim" <frank@comegetus.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, December 04, 2001 6:22 PM
Subject: Filtering using NBAR
> Folks,
> Has anyone actually got NBAR filtering working?  I have the below
> configured on my router and it doesn't seem to work.  This is a config I
> copied from one of us in this group a while ago.  Also, please advise if
> *.exe* is a mime-type?  I thought mime-types are something like
> Media/Audio....
>
> Here is my config.  Thanks for any help.
>
> ###############################################################
> class-map match-any http-hacks
>   match protocol http url "*default.ida*"
>   match protocol http url "*.ida*"
>   match protocol http url "*cmd.exe*"
>   match protocol http url "*readme.exe*"
>   match protocol http url "*root.exe*"
>   match protocol http url "*_vti_bin*"
>   match protocol http url "*_mem_bin*"
>   match protocol http url "*.eml*"
>   match protocol http url "*.exe*"
>   match protocol http mime ".exe"
>   match protocol http mime ".pif"
>   match protocol http mime ".scr"
>
>
> policy-map mark-inbound-http-hacks
>   class http-hacks
>     set ip dscp 1
>
>
> interface FastEthernet0/0/0
>  ip address 192.168.1.1 255.255.255.0
>  ip access-group 100 in
>  no ip route-cache distributed
>  full-duplex
>  service-policy input mark-inbound-http-hacks
>  no cdp enable
>
>
> access-list 100 deny   ip any any dscp 1 log
> access-list 100 permit ip any any
> ##############################################
>
>
>
> -Frank
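Added example, not part of the thread and not Cisco's code: a small Python model of how the quoted class-map, policy-map and access-list 100 interact depending on where they are applied, contrasting Frank's layout (ACL and service-policy both inbound on the same interface) with the placement Richard suggests (mark on the ISP-facing serial inbound, filter with an outbound ACL on the FastEthernet). Everything below is an assumption for illustration rather than a description of IOS internals: the url and mime patterns are treated as case-insensitive shell globs via fnmatch, an inbound ACL is assumed to be evaluated before the inbound service-policy marks the packet, and an outbound ACL on the egress interface is assumed to see the DSCP set on ingress. The MIME-type check also shows why a pattern such as ".exe" without wildcards would only match a Content-Type header that is literally ".exe"; real MIME types are type/subtype strings like application/octet-stream, and the sample requests are constructed.

```python
"""Added example (not from the mailing-list thread): a toy model of the NBAR
class-map / policy-map / access-list interaction in the quoted config.

Assumptions, not taken from the page:
  - url and mime patterns behave like case-insensitive shell globs (fnmatch);
  - an inbound ACL is evaluated before the inbound service-policy marks;
  - an outbound ACL on the egress interface sees the DSCP set on ingress.
"""
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase

# Patterns copied from the quoted class-map "http-hacks"
HTTP_HACK_URLS = ["*default.ida*", "*.ida*", "*cmd.exe*", "*readme.exe*",
                  "*root.exe*", "*_vti_bin*", "*_mem_bin*", "*.eml*", "*.exe*"]
HTTP_HACK_MIMES = [".exe", ".pif", ".scr"]
HACK_DSCP = 1  # policy-map mark-inbound-http-hacks: set ip dscp 1


@dataclass
class Packet:
    url: str = ""           # HTTP request URL seen by NBAR ("" for non-HTTP)
    content_type: str = ""  # HTTP Content-Type header, e.g. application/octet-stream
    dscp: int = 0           # IP DSCP value carried by the packet


def _glob(value: str, patterns) -> bool:
    """Assumed matcher: case-insensitive shell-style glob over the whole value."""
    v = value.lower()
    return bool(v) and any(fnmatchcase(v, p.lower()) for p in patterns)


def class_http_hacks(pkt: Packet) -> bool:
    """class-map match-any http-hacks: any url OR any mime line classifies it."""
    return _glob(pkt.url, HTTP_HACK_URLS) or _glob(pkt.content_type, HTTP_HACK_MIMES)


def policy_mark_inbound_http_hacks(pkt: Packet) -> Packet:
    """policy-map mark-inbound-http-hacks: set ip dscp 1 on classified traffic."""
    if class_http_hacks(pkt):
        pkt.dscp = HACK_DSCP
    return pkt


def access_list_100(pkt: Packet) -> str:
    """access-list 100: deny ip any any dscp 1 log / permit ip any any."""
    return "deny" if pkt.dscp == HACK_DSCP else "permit"


def frank_layout(pkt: Packet) -> str:
    """ACL 100 inbound and service-policy inbound on the same FastEthernet.
    Under the ordering assumption the ACL runs first, while dscp is still 0."""
    verdict = access_list_100(pkt)
    policy_mark_inbound_http_hacks(pkt)  # mark applied after the ACL decided
    return verdict


def richard_layout(pkt: Packet) -> str:
    """service-policy inbound on the ISP-facing serial, ACL 100 outbound on the
    FastEthernet: the outbound ACL sees the DSCP set on ingress."""
    policy_mark_inbound_http_hacks(pkt)
    return access_list_100(pkt)


# Constructed sample requests (hypothetical, not from the thread)
SAMPLES = {
    "normal": Packet(url="/index.html", content_type="text/html"),
    "cmd":    Packet(url="/scripts/cmd.exe"),
    "ida":    Packet(url="/default.ida"),
    "eml":    Packet(url="/readme.eml"),
    "binary": Packet(url="/download", content_type="application/octet-stream"),
}


def compare(samples=SAMPLES) -> dict:
    """Return {name: (verdict in Frank's layout, verdict in Richard's layout)}.
    Each layout gets its own copy so the DSCP mark does not leak between them."""
    return {name: (frank_layout(replace(pkt)), richard_layout(replace(pkt)))
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (frank, richard) in compare().items():
        print(f"{name:7s} same-interface inbound ACL: {frank:6s} "
              f"serial-in mark / FE-out ACL: {richard}")
```

Running it shows every classified request permitted under the same-interface inbound layout and denied once the marking happens on ingress and the ACL is evaluated on egress; the "binary" sample is never classified because "application/octet-stream" does not match the literal ".exe" pattern under the glob assumption.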
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:37 GMT-3