From: Herbert Maosa (asawilunda@googlemail.com)
Date: Sat Aug 04 2007 - 02:11:48 ART
Maybe a topology could help, as well as the output of show policy-map interface.
Herbert.
On 8/3/07, b_lamine@yahoo.fr <b_lamine@yahoo.fr> wrote:
>
> Hello experts,
>
> I have faced some problems using NBAR to block web traffic.
> ################################################################
> class-map match-any ACCEPTED_WEB
> match protocol http url "*degrouptest.com*"
> match protocol http url "*orange.fr*"
> match protocol http url "*clubinternet.fr*"
> class-map match-all MANAGER
> match access-group 1
> !
> policy-map TRAFFIC
> class MANAGER
> set ip dscp 1
> class ACCEPTED_WEB
> set ip dscp 1
> !
> interface FastEthernet0/0
> ip address 192.168.0.1 255.255.255.0
> ip nbar protocol-discovery
> ip nat inside
> service-policy input TRAFFIC
> !
> interface FastEthernet0/1
> ip address 196.46.253.102 255.255.255.252
> ip nat outside
> !
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
> !
> !
> ip nat inside source list 102 interface FastEthernet0/1 overload
> !
> access-list 1 permit 192.168.0.90
> access-list 1 permit 192.168.0.36
> access-list 1 permit 192.168.0.9
> access-list 1 permit 192.168.0.10
>
> access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1
>
> Hosts permitted by access-list 1 can access the Internet; the others cannot, even
> if they try to access one of the three permitted websites.
>
> Any solution, please?
>
> Thanks
> Lamine
>
-- Kindest regards, hm