QoS, NBAR, and NAT - Help

Unanswered Question
Mar 13th, 2009


When using NAT, I understand that the translation is done BEFORE QoS is applied for inbound-to-outbound traffic. If this is correct, how would an ACL look if I wanted to restrict one host on the inside from going out a certain port?

Public IP:

Private IP:

If a service policy is applied as output on the public interface, then QoS would match on the address, but if I wanted to restrict cnn.com, I would restrict everyone behind that address. Is there a way to restrict just the one host?

I've been using NBAR and I can't get anything to match, for whatever reason, so I'm wondering if it has something to do with NAT. Does anyone have a good example of a config that is using NAT, NBAR, and blocking either whole websites or, better yet, MIME types?



rpfinneran Mon, 04/13/2009 - 02:10

Use NBAR to mark the traffic. Then use an ACL to block any IP that has that marking.

So, just an example...

class-map match-any CNN
 match protocol http url "*cnn.com*"
!
policy-map CONTROL-HTTP
 class CNN
  set ip dscp 1
!
ip access-list extended 110
 permit ip any any dscp 1
!
ip access-list extended DROP
 deny ip any any
!
interface Loopback200
 description *** My Black Hole ***
 ip address
 ip access-group DROP in
!
route-map BLACK-HOLE-HTTP permit 10
 match ip address 110
 set ip next-hop
!
interface Fa0/0
 ! inside interface
 service-policy input CONTROL-HTTP
 ip policy route-map BLACK-HOLE-HTTP
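An added example (not the poster's config, not from Cisco documentation) that addresses the original question of restricting only one inside host: a match-all class combines the NBAR URL match with a source-address ACL, and the policy is applied inbound on the inside interface so classification sees the private address before NAT translates it. The host address 192.168.1.10 and the interface names are constructed placeholders.

```cisco
! Added example, not the poster's config. 192.168.1.10 is a constructed
! placeholder for the inside host; Fa0/0 (inside) and Fa0/1 (public) are assumed.
ip access-list extended INSIDE-HOST
 permit ip host 192.168.1.10 any
!
! match-all: both conditions must hold, so only this host's cnn.com
! requests match; everyone else behind the same public address is unaffected.
class-map match-all HOST-CNN
 match access-group name INSIDE-HOST
 match protocol http url "*cnn.com*"
!
! Drop the matched traffic directly with the MQC drop action instead of
! marking it and policy-routing it to a black hole.
policy-map RESTRICT-HOST
 class HOST-CNN
  drop
!
! Inbound on the inside interface: input features run before the
! inside-to-outside NAT translation, so the ACL sees the private source.
interface FastEthernet0/0
 description Inside LAN
 ip nat inside
 service-policy input RESTRICT-HOST
!
interface FastEthernet0/1
 description Public
 ip nat outside
```

Verify the match with show policy-map interface FastEthernet0/0; if the class counters stay at zero while the host is browsing, NBAR is not classifying the flow and the problem is not NAT.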
