
Cisco SMB Support Assistant


Configure Cisco IOS URL Filtering on a Router with Security Device Manager

Introduction
Requirements
Configure Cisco IOS URL Filtering on a Router
Configure Cisco IOS URL Filtering
Configure Local URL List
Configure a URL Filtering Server
Next Step
Troubleshoot the Procedure
Related Information


Introduction
Cisco IOS URL Filtering provides a way to permit or block specific websites based on policies defined within Cisco
IOS Software. This document explains how to configure Cisco IOS URL Filtering on your router with SDM, and it
applies to 1800, 2800 and 3800 series Cisco routers. Legacy platforms are also supported.

Requirements
To perform the steps described in this document, you need to have these items:

Router which runs Cisco IOS Software Advanced Security images, supporting the K9 bundle on 1800,
2800, and 3800 Series routers

http://www.cisco.com/public/technotes/smbsa/en/us/internet/config_IOS_URL_Filtering_SDM.html (1 of 20)6/2/2008 3:45:54 PM


Cisco Router and Security Device Manager (SDM) 2.3 version

You must have completed Configure Your Router with Security Device Manager

Complete the LAN Addressing Worksheet from the Site Survey


Configure Cisco IOS URL Filtering on a Router


Cisco IOS URL Filtering provides an easy and inexpensive way to filter URLs based on corporate policies without
the need for any external filtering servers. URL filtering allows you to control access to Internet websites by
permitting or denying access to specific websites based on the information contained in a URL list.
Configure Cisco IOS URL Filtering
Follow these steps to configure Cisco IOS URL Filtering:
1. Open a web browser and type http://router-IP-address in the Address field. Use the IP
address that you entered in the field L6A of the LAN Addressing Worksheet. Press Enter to launch SDM.
For more information on how to launch SDM, refer to Configure your Router with Security Device Manager.
Note: This document uses examples from SDM version 2.3. Other versions of SDM display different
output.
2. Click Configure.

3. Click the Firewall and ACL tab.


4. Choose Basic Firewall and click Launch the Selected Task.


5. On the Basic Firewall Configuration Wizard, click Next.


6. On the Basic Firewall Interface Configuration screen, select the interfaces: FastEthernet0 as the
outside (untrusted) interface and Default Vlan 20 as the inside (trusted) interface and click Next.


7. In the Warning message window, click OK.

8. The Basic Firewall Security Configuration wizard provides preconfigured application security policies.
Set the slider to Medium Security and click Next.


9. On the Basic Firewall Domain Name Server Configuration screen, check Enable DNS based
hostname to address translation and enter the IP address of the primary server from the field L4 and
L5 of the LAN Addressing Worksheet and click Next.


10. On the Internet Firewall Configuration Summary screen, click Finish.


11. In the Commands Delivery Status window, click OK.

12. In the Information window, click OK. Next, you are directed to the Edit Firewall Policy/ACL tab next to
the Firewall and ACL section.

Configure Local URL List


If the Cisco IOS image on the router supports URL filtering but does not support Zone-based Policy Firewall (ZPF),
you can maintain one local URL list on the router. This list is used by all Application Security policies in which the
URL filtering is enabled.
Note: Cisco IOS images of release 12.4(9)T and later support all the ZPF features that SDM supports. In a ZPF
configuration, a local URL list can be created for each URL filtering parameter map. Contact the SMB Technical
Assistance Center (SMB TAC) for further assistance.
Follow these steps to configure Local URL List:
1. On the Firewall and ACL screen, click Application Security.


2. Next to Application Security settings, click URL Filtering.


3. Check the Enable URL Filtering box. The Add URL... button is activated. Click the Add URL tab.


4. In the Add Local URL window, enter a complete domain name such as www.cisco.com. Select Permit
and click OK. All HTTP traffic destined to this domain is permitted.

5. Click Add URL again to block the websites you want; the Add Local URL dialog appears again. This time,
enter a partial domain name such as .yahoo.com and select Deny. Click OK. All HTTP traffic destined
to URLs whose domain names end with this partial domain name, such as mail.yahoo.com and
smallbusiness.yahoo.com, is denied (blocked).


6. Click Apply Changes at the bottom of the screen.

Note: In some cases, users maintain a list of URLs to which they want to allow or disallow access. Use the
Import URL List button at the top corner of the screen to import such a URL list from your PC to the
router. The URL list that you select must have a .txt or .csv extension.
7. In the Warning message window, click OK.


8. In the Commands Delivery Status window, click OK.

9. Click Save.

Configure a URL Filtering Server


The router can send HTTP requests to third-party URL filtering servers such as Websense, N2H2, or
SmartFiltering, which can store much larger URL lists than the router can store. If the router is configured
with a URL filter server list, the router sends requests that do not match entries in the local list to the URL filter
server it has a connection to, and permits or denies each request based on the response it receives from the server.
Note: Cisco IOS images of release 12.4(9)T and later support all the ZPF features that SDM supports. In a ZPF
configuration, a local URL list can be created for each URL filtering parameter map. You can use Cisco SDM to
create list entries and you can import entries from a list stored on your PC. When a local URL list is used in
combination with URL filter servers, local entries are used first.
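
The lookup order described above (local entries first, then the URL filter server) and the complete versus partial domain matching from steps 4 and 5 of Configure Local URL List can be modelled as follows. This is an added example, not Cisco IOS or SDM code; the function names, the sample server verdicts, and the longest-pattern tie-break are assumptions.

```python
# Added illustration: models the lookup order described on this page.
# It is not Cisco IOS code; names and the tie-break rule are assumptions.
from urllib.parse import urlsplit

# Constructed sample list, using the entries from steps 4 and 5.
LOCAL_LIST = [
    ("www.cisco.com", "permit"),   # complete domain name
    (".yahoo.com", "deny"),        # partial domain name (leading dot)
]


def host_of(url):
    """Return the lower-cased host of an HTTP URL, without port or trailing dot."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()


def local_match(host, entries):
    """Return (pattern, action) for the most specific local entry, or None."""
    best = None
    for pattern, action in entries:
        p = pattern.lower()
        if p.startswith("."):
            hit = host.endswith(p)      # partial: host must end with ".yahoo.com"
        else:
            hit = host == p             # complete: exact host only
        # Assumption: if several entries hit, the longest pattern wins.
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, action)
    return best


def decide(url, entries, server=None):
    """Local entries are used first; unmatched requests go to the filter server."""
    host = host_of(url)
    m = local_match(host, entries)
    if m:
        return m[1], "local:" + m[0]
    if server is not None:
        return server(host), "server"
    return "unmatched", "none"          # the page does not define this case


def sample_server(host):
    """Stand-in for a filter server verdict (constructed for the example)."""
    return "deny" if host.endswith(".example.net") else "permit"
```

Following the page's wording ("domain names end with this partial domain name"), the bare host yahoo.com and a look-alike such as notyahoo.com are not matched by .yahoo.com in this model and fall through to the server; confirm the behaviour on your IOS release and add a separate entry if the bare domain must be covered.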

Follow these steps to configure a URL Filtering Server:


1. Next to Application Security tab, expand URL Filtering and click URL Filter Servers.

2. In the URL Filter Server window, click Add and select Add Websense.


3. In the Add Websense Server window, make these changes to defaults:


a. In the IP address/Hostname field, enter the IP address of the Websense server. For the IP
address, use the Secure Server network IP address that you entered in field L6C of the Secure
Server VLAN Addressing Worksheet.
b. For "Direction", choose inside if the URL filter server is part of the inside network. This is
usually one of the networks that the router LAN interfaces connect to. Choose outside if the
router is in the outside network. This is usually one of the networks that the router WAN
interfaces connect to. In our example, inside is entered.
c. Leave the rest to the default and click OK.


4. Click Apply Changes.

5. Click Save.


Next Step
You have now configured URL Filtering on your router.
To make further changes to your router, refer to the Router Support Page.
To configure other devices in your network, refer to the Configuration Overview Page.


Troubleshoot the Procedure


This section provides information about common problems that you may encounter. If this information does not
solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
Problem: You added a new firewall rule to permit or deny access to a website but it does not work.

Cause(s) and Suggested Solution(s): Contact the SMB Technical Assistance Center (SMB TAC) for assistance.


Related Information

Set Up Internet Security on a Cisco Router.


Configure Your Router with Security Device Manager
Site Survey
Configure an IP Address on Your PC

1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.
