My customer wants to allow messaging just for certain users' IPs and block it for anybody else. His configuration is something like the following:

class-map match-all msn
 match protocol imap
 match access-group name Permited_MSN

ip access-list extended Permited_MSN
 deny ip host 192.168.1.x
 permit ip any any

 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 service-policy input msnmap

Doing a show policy-map, we never see matched packets being dropped.

Cisco1811W#show policy-map interface bvi 1
  Service-policy input: msnmap

    Class-map: msn (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol imap
      Match: access-group name Permited_MSN

    Class-map: class-default (match-any)
      1722583 packets, 929916071 bytes
      5 minute offered rate 612000 bps, drop rate 0 bps

Should this configuration work? Can the router block MSN-like traffic with a layer 4 policy, or is it necessary to use zone-based with application policy?
Any comment on this is highly appreciated.