RE: block website using NBAR

From: Lamine BOUAFIA (b_lamine@yahoo.fr)
Date: Sat Aug 04 2007 - 03:48:01 ART


Hi Nick,

Thank you for your reply.

But if any host that is not in access-list 1 tries to access one of the
websites in class-map ACCEPTED_WEB, it will get the DSCP value set to 1, and
that is what I want: permit access-list 1 and any other traffic that accesses one
of the websites permitted in class-map ACCEPTED_WEB. Other traffic will be
dropped.

Thanks,
lamine

-----Original Message-----
From: Nick Payton [mailto:cisco@paytonsplace.net]
Sent: Saturday 4 August 2007 06:27
To: b_lamine@yahoo.fr; ccielab@groupstudy.com
Subject: RE: block website using NBAR

Lamine,

    You are not NATing anyone who isn't in access-list 1 since they are not
getting the dscp value set to 1 and in turn matching your NAT ACL (102). So
they go out to the internet without being NATed and obviously this isn't
going to work being that it is sourced from 1918 space. Try the following
(and I am sure there is probably an easier way to do it but it is late and I
have no creative energy):

class-map match-any ACCEPTED_WEB
 match protocol http url "*degrouptest.com*"
 match protocol http url "*orange.fr*"
 match protocol http url "*clubinternet.fr*"
class-map match-all MANAGER
 match access-group 1
!
policy-map TRAFFIC
 class MANAGER
  set ip dscp 2
 class ACCEPTED_WEB
  set ip dscp 1
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input TRAFFIC
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
 ip access-group ALLOW-PER-POLICY out
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended ALLOW-PER-POLICY
 permit tcp any any eq 80 dscp 2
 permit tcp any any eq 80 dscp 1
!

Give that a try, but I am sure this would be a pain in the ass if you have a
lot of policy to manage.

Regards,
Nick

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
b_lamine@yahoo.fr
Sent: Friday, August 03, 2007 10:48 AM
To: ccielab@groupstudy.com
Subject: block website using NBAR

hello experts,

I have faced some problems using nbar to block web traffic.
################################################################
class-map match-any ACCEPTED_WEB
 match protocol http url "*degrouptest.com*"
 match protocol http url "*orange.fr*"
 match protocol http url "*clubinternet.fr*"
class-map match-all MANAGER
 match access-group 1
!
policy-map TRAFFIC
 class MANAGER
  set ip dscp 1
 class ACCEPTED_WEB
  set ip dscp 1
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 service-policy input TRAFFIC
!
interface FastEthernet0/1
 ip address 196.46.253.102 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.90
access-list 1 permit 192.168.0.36
access-list 1 permit 192.168.0.9
access-list 1 permit 192.168.0.10

access-list 102 permit ip 192.168.0.0 0.0.0.255 any dscp 1

Hosts permitted by access-list 1 can access the Internet; the others cannot, even
if they try to access one of the three websites permitted.

Any solution, please.

Thanks
Lamine


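Added example, not code from the thread, from the list, or from Cisco: a small Python model that walks constructed packets through the two configurations posted above in the order an IOS router applies them (inbound service-policy TRAFFIC on Fa0/0, NAT inside-to-outside via access-list 102, then the outbound ACL ALLOW-PER-POLICY on Fa0/1 in Nick's version). The addresses, URL patterns and ACL logic are taken from the configs in the thread; the host 192.168.0.50 and the URLs used for the test flows are constructed. The one assumption the model makes, and which the thread does not state, is that NBAR can only evaluate `match protocol http url` once it has seen the HTTP request, so the TCP SYN that opens the session carries no URL and never matches class-map ACCEPTED_WEB.

```python
"""
Walk constructed packets through the feature order both configs in the thread
rely on: inbound service-policy TRAFFIC on Fa0/0 (NBAR classification and DSCP
marking), then NAT inside-to-outside via access-list 102, then the outbound ACL
on Fa0/1 (Nick's config only).

Modelling assumption (not stated on the page): NBAR can only evaluate
'match protocol http url' once it has seen the HTTP request, so the TCP
handshake packets that precede it never match class-map ACCEPTED_WEB.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# access-list 1 (both configs)
MANAGERS = {"192.168.0.90", "192.168.0.36", "192.168.0.9", "192.168.0.10"}
# class-map match-any ACCEPTED_WEB: the three "*...*" URL patterns
ACCEPTED_URLS = ("degrouptest.com", "orange.fr", "clubinternet.fr")
# access-list 102 source wildcard 192.168.0.0 0.0.0.255
INSIDE_PREFIX = "192.168.0."


@dataclass
class Packet:
    src: str
    dport: int = 80
    url: Optional[str] = None   # None = handshake packet, no HTTP payload yet
    dscp: int = 0               # default marking before any policy runs


def match_accepted_web(pkt: Packet) -> bool:
    """class-map ACCEPTED_WEB under the assumption in the module docstring."""
    return pkt.dport == 80 and pkt.url is not None and any(
        pattern in pkt.url for pattern in ACCEPTED_URLS)


def match_manager(pkt: Packet) -> bool:
    """class-map MANAGER: match access-group 1."""
    return pkt.src in MANAGERS


def apply_policy_traffic(pkt: Packet, manager_dscp: int) -> Packet:
    """policy-map TRAFFIC: first matching class wins; class-default marks nothing."""
    if match_manager(pkt):
        pkt.dscp = manager_dscp
    elif match_accepted_web(pkt):
        pkt.dscp = 1
    return pkt


def forward_original(pkt: Packet) -> str:
    """Lamine's config: NAT ACL 102 only translates packets already marked dscp 1."""
    apply_policy_traffic(pkt, manager_dscp=1)
    if not (pkt.src.startswith(INSIDE_PREFIX) and pkt.dscp == 1):
        return "dropped: left Fa0/1 untranslated with a private source"
    return "forwarded"


def forward_nick(pkt: Packet) -> str:
    """Nick's config: NAT ACL 102 matches any inside host; ALLOW-PER-POLICY on
    Fa0/1 out permits only tcp/80 marked dscp 1 or 2, implicit deny otherwise."""
    apply_policy_traffic(pkt, manager_dscp=2)
    if not pkt.src.startswith(INSIDE_PREFIX):
        return "dropped: not an inside source"
    if pkt.dport == 80 and pkt.dscp in (1, 2):
        return "forwarded"
    return "dropped: ALLOW-PER-POLICY implicit deny"


def walk_flow(forward: Callable[[Packet], str], src: str, url: str) -> Dict[str, str]:
    """Verdict for the TCP SYN and then for the HTTP GET of one web session."""
    return {
        "syn": forward(Packet(src=src)),
        "get": forward(Packet(src=src, url=url)),
    }


if __name__ == "__main__":
    # Constructed flows: a manager host, a non-manager host to an accepted
    # site, and a non-manager host to a site that is not in ACCEPTED_WEB.
    for name, forward in (("original", forward_original), ("nick", forward_nick)):
        for src, url in (("192.168.0.90", "http://www.orange.fr/"),
                         ("192.168.0.50", "http://www.orange.fr/"),
                         ("192.168.0.50", "http://www.example.com/")):
            print(f"{name:8} {src:14} {url:26} {walk_flow(forward, src, url)}")
```

Under that assumption the model separates the two questions the thread mixes together: the HTTP GET from a non-manager host to one of the three sites is marked dscp 1 in both configs, as Lamine says, but the SYN that has to precede it is not marked, so in the original config it leaves Fa0/1 untranslated and in Nick's config it is translated and then denied by ALLOW-PER-POLICY. Managers in access-list 1 are unaffected in both. On the router, the NAT table (`show ip nat translations`) and the hit counters in `show ip access-lists` are where to confirm which of the two drops is happening.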

This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART