Cisco CCNA CCNP CCIE Certification Tips, Microsoft MCITP MCTS MCSE Tips... Free Downloads, PC, Windows, Ubuntu, iPad...

Jun 22, 2010

How to Configure a Router to block websites with Access-List

Here are the simple steps to follow to block a website for users who access the Internet through your router.

Step 1: Configure a DNS server

Let's say we want to block access to the creatively named www.block-site.com. We don't know the IP address, and we don't want to know it. When we configure the access list on the router, Cisco IOS can look it up and fill it in automatically.

To do this, we need at least one DNS server configured on the router. To configure a DNS server, use the ip name-server command. Here's an example:

Router(config)# ip name-server 1.1.1.1 2.2.2.2

In this case, we configured a primary and a backup DNS server for the router to use to resolve DNS names. This doesn't affect any traffic flowing through the router; the router will use these DNS servers when we ping a Web server by name. Here's an example:

Router# ping www.khatrinetworks.blogspot.com

Translating "www.khatrinetworks.blogspot.com"...domain server (1.1.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.113.101, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#

In this example, the router used the domain name server we specified (i.e., 1.1.1.1) to resolve the DNS name. It successfully translated the DNS name to 216.239.113.101.

If we hadn't already specified a DNS server, then the router would have returned something like the following:

Translating "www.khatrinetworks.blogspot.com"...domain server (255.255.255.255)

% Unrecognized host or address, or protocol not running.

Step 2: Create the ACL

To actually block the undesirable Web site, we need to create an access control list (ACL) to define exactly what we want to block. Here's an example:

Router(config)# access-list 101 deny tcp any host www.block-site.com eq www
 Translating "www.block-site.com"...domain server (1.1.1.1) [OK]

Router(config)# access-list 101 permit ip any any
(Do not forget this permit ip any any; otherwise the implicit deny at the end of the ACL drops all other traffic, web traffic included.)

This ACL denies all Web traffic from any source going to the specified Web site. The second line then permits all other IP traffic from any source to any destination; without it, the implicit deny at the end of every ACL would drop everything else.

What if you want to determine which IP addresses are trying to go to the blocked Web site? You can log this information using the log keyword. Here's an example:

Router(config)# access-list 101 deny tcp any host www.block-site.com eq www log

Step 3: Avoid this

Here's one issue to keep in mind. After we entered the first line of the ACL above, notice how the router used the DNS server to resolve the DNS name. It then stored the resolved IP address, not the hostname, in the ACL. Here's a closer look at the configuration:

Router# sh run | inc access-list 101

access-list 101 deny tcp any host 66.116.109.62 eq www

This is a nice feature, but it can be problematic for a couple of reasons. First, the address entered is only the first address the DNS server responded with. If this is a large Web site that has multiple servers (such as a search engine), the ACL only contains that first IP address, and you'll need to manually block the other IP addresses. Here's an example:

C:\> nslookup www.google.com

Server: DNSSERVER

Address: 1.1.1.1

Non-authoritative answer:

Name: www.google.com

Addresses: 64.233.167.104, 64.233.167.147, 64.233.167.99

Aliases: www.google.com

In addition, if the IP address of the blocked Web server changes, your ACL will remain the same. You would need to manually update the ACL.
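Both pitfalls come down to the ACL holding a frozen snapshot of one DNS answer. The following added example (not from the original post, and not Cisco code) shows how a defender can check a saved `sh run | inc access-list 101` excerpt against the full set of addresses a name resolves to today and generate one deny entry per address; the running-config excerpt and the address set are constructed sample data, and the `.63`/`.64` addresses are invented for illustration.

```python
import ipaddress
import re

# Constructed excerpt of `sh run | inc access-list 101` after IOS resolved
# www.block-site.com and stored only the first address it was given.
RUNNING_CONFIG = """\
access-list 101 deny tcp any host 66.116.109.62 eq www log
access-list 101 permit ip any any
"""

# Constructed: the full answer set a resolver returns for the site today
# (a multi-homed site, like the www.google.com nslookup output above).
RESOLVED_TODAY = {"66.116.109.62", "66.116.109.63", "66.116.109.64"}

ACL_DENY_RE = re.compile(
    r"^access-list\s+(\d+)\s+deny\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+www(\s+log)?\s*$"
)

def deny_hosts(config, acl_number):
    """Return the set of destination hosts currently denied by the given ACL."""
    hosts = set()
    for line in config.splitlines():
        m = ACL_DENY_RE.match(line.strip())
        if m and int(m.group(1)) == acl_number:
            hosts.add(m.group(2))
    return hosts

def acl_drift(config, acl_number, resolved):
    """Compare stored deny entries with the addresses the name resolves to now.
    Returns (missing, stale): addresses still unblocked, and entries that no
    longer match any current address (the site moved)."""
    stored = deny_hosts(config, acl_number)
    return sorted(resolved - stored), sorted(stored - resolved)

def acl_lines(acl_number, addresses, log=True):
    """Generate one deny entry per address, followed by the permit that must come last."""
    suffix = " log" if log else ""
    lines = [
        f"access-list {acl_number} deny tcp any host {addr} eq www{suffix}"
        for addr in sorted(addresses, key=ipaddress.IPv4Address)  # also validates each address
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    missing, stale = acl_drift(RUNNING_CONFIG, 101, RESOLVED_TODAY)
    print("add:", missing, "stale:", stale)
    print("\n".join(acl_lines(101, RESOLVED_TODAY)))
```

Run it periodically (or after a DNS change) and push the regenerated lines only when `acl_drift` reports a difference.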

Step 4: Apply the ACL

Just because we've created the ACL doesn't mean the router is actually using it—we still have to apply the ACL. We created this ACL with the assumption that it's blocking traffic from our local LAN that's going out to the WAN (i.e., the Internet). That's because we formatted the ACL with source then destination.

Because of this design, we need to apply the ACL in the OUTBOUND direction on the router. Here's an example:

Router(config)# int serial 0/0

Router(config-if)# ip access-group 101 out

That's it. You have successfully blocked www.block-site.com.

How to view Routing Table in Windows

Every computer on a TCP/IP network (i.e., connected to the Internet or a LAN) depends on an IP routing table to make routing decisions. The routing table, also known as the Routing Information Base (RIB), is an electronic table (file) or database-type object stored in a router or a networked computer. It holds the routes, and in some cases the metrics associated with those routes, to particular network destinations, i.e., IP addresses.


The routing table is important when troubleshooting or identifying a network problem after all other components, such as the network cable, LAN connectivity and the Ethernet (or FastEthernet or GigabitEthernet) port, appear to have no error or issue. In rare cases, the routing table may point to the wrong interface for a route, or have other routing problems, especially on a system with two or more NICs or network adapters.

To view the routing table in Windows or Linux (this works on most Linux and Unix systems such as Ubuntu, RedHat, CentOS, etc.), use the following commands. In Windows, open a command prompt to issue the command:

netstat -rn

Alternatively, just type the following command in Linux:

route

Or, in Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, etc., the following command:

route print

How to add an IP Route to Windows Routing Table

On a system connected to a complex network, the administrator may need to configure a more advanced topology that requires additional routes. For example, a custom route is required when the NIC does not know where to route traffic for an IP address on a network segment that is not in its own subnet, such as using the router at 192.168.1.1 to reach the node 10.1.1.1 with a subnet mask of 255.255.255.0. In any case, an administrator or user can add a route to the TCP/IP routing table from the command prompt with the route command.


Add IP Route Rules into Windows Routing Table in Command Prompt with Route Command

1. Click Start -> Run (or at Start Search in Windows Vista or Windows 7), and type in Cmd, then press Enter to open a command prompt window.

2. The syntax of the route command for adding a routing table entry is:

route ADD [destination IP address or subnet] MASK [subnet mask] [gateway IP address] METRIC [metric] IF [interface]

Not all parts of the syntax are mandatory. Some are optional, such as the metric and the network interface.

Example command to add a route to 10.1.1.0/24 subnet network through 192.168.1.8 gateway router:

route ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.8

To make the route persistent across reboots, add the -p flag to the route add command. Otherwise, the route is lost when the system restarts. For example:

route -p ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.8

Note: route help displays the commands and switches supported by the route command.

3. Press Enter to execute the route command.

4. View the routing table to verify that the new route rule is added correctly.
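As an added example (not part of the original post, and independent of the Windows tooling it describes), the following Python script carries steps 2 to 4 through: it validates the destination and mask before building the route ADD line, since route rejects a destination whose host bits are set under the mask, and then checks a saved `route print` excerpt to confirm the new entry is present. The `route print` text is a constructed sample; the interface address 192.168.1.50 and the metrics in it are invented.

```python
import ipaddress

# Constructed excerpt of the IPv4 "Active Routes" section of `route print`,
# taken after the example `route -p ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.8`.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.1.1.0    255.255.255.0      192.168.1.8    192.168.1.50     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
"""

def build_route_add(destination, mask, gateway, persistent=True, metric=None):
    """Validate the arguments and return the route ADD command line (step 2).
    Raises ValueError when the destination is not the network address under the
    mask (e.g. 10.1.1.5 with 255.255.255.0) or when the gateway is not IPv4."""
    network = ipaddress.IPv4Network(f"{destination}/{mask}", strict=True)  # strict: no host bits
    ipaddress.IPv4Address(gateway)
    parts = ["route"]
    if persistent:
        parts.append("-p")
    parts += ["ADD", str(network.network_address), "MASK", str(network.netmask), gateway]
    if metric is not None:
        parts += ["METRIC", str(metric)]
    return " ".join(parts)

def parse_route_print(text):
    """Return (destination, netmask, gateway) tuples from the Active Routes table."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly five columns and start with a dotted address.
        if len(fields) == 5 and fields[0][0].isdigit():
            routes.append((fields[0], fields[1], fields[2]))
    return routes

def route_present(text, destination, mask, gateway):
    """Step 4 check: is the route we added now in the table with the expected gateway?"""
    return (destination, mask, gateway) in parse_route_print(text)

if __name__ == "__main__":
    print(build_route_add("10.1.1.0", "255.255.255.0", "192.168.1.8"))
    print(route_present(ROUTE_PRINT, "10.1.1.0", "255.255.255.0", "192.168.1.8"))
```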

How to Delete/Remove an IP Route from Windows Routing Table

The IP routing table on a Windows box controls how a packet is forwarded and routed when communicating with a remote host or destination. Normally, Windows manages the route entries automatically. However, routes can sometimes be defined incorrectly, especially in a complex networking environment or on a system with more than one network adapter. In other cases, a TCP/IP route entry inserted by mistake also needs to be deleted from the routing table.

To delete a route from Windows routing table, follow these steps:

1. Click Start -> Run, and enter Cmd, and then press Enter to open a command prompt window. In Windows Vista or Windows 7, use Start Search instead.

2. The syntax for the route command to delete a routing table entry is:

route delete [destination]

For example:

route delete 10.0.0.0

3. Press Enter after entering the command to delete the route.

4. After deletion, view the routing table to verify that the correct routing table rule was deleted.
