When using NAT, I understand that the translation is done BEFORE QoS is applied for inbound-to-outbound traffic. If this is correct, how would an ACL look if I wanted to restrict one host on the inside from going out a certain port?
Public IP: 188.8.131.52
Private IP: 192.168.1.50
If a service policy is applied as output on the public interface, then QoS would match on the 184.108.40.206 address, but if I wanted to restrict cnn.com, I would restrict everyone behind that address. Is there a way to restrict just the one host?
I've been using NBAR and I can't get anything to match, for whatever reason, so I'm wondering if it has something to do with NAT. Does anyone have a good example of a config that is using NAT, NBAR, and blocking either whole websites or, better yet, mime types?
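One way to do this on Cisco IOS, as an added example that is not the poster's configuration: classify on the inside (LAN) interface rather than on the public one, because an input policy there runs before inside-to-outside translation and an output policy there runs after outside-to-inside translation, so both see the private address. The interface names, the LAN address 192.168.1.1, the class-map/policy-map/ACL names and the image/jpeg pattern are assumptions; the host address is the one given in the question.

```cisco
! Added example, not the original poster's config. Interface names,
! class-map / policy-map / ACL names and the MIME pattern are assumed.
! Key point: both directions are classified on the INSIDE interface,
! where the host still appears as 192.168.1.50 (input = before
! inside-to-outside NAT, output = after outside-to-inside NAT).
ip cef
!
ip access-list extended ACL-FROM-HOST
 permit ip host 192.168.1.50 any
ip access-list extended ACL-TO-HOST
 permit ip any host 192.168.1.50
!
! Requests from the host to cnn.com (NBAR reads the HTTP Host header).
class-map match-all CM-HOST-TO-CNN
 match access-group name ACL-FROM-HOST
 match protocol http host "*cnn.com*"
!
! MIME types are seen in the server's RESPONSE, so that class is matched
! on traffic heading back to the host and needs the reversed ACL.
class-map match-all CM-JPEG-TO-HOST
 match access-group name ACL-TO-HOST
 match protocol http mime "image/jpeg"
!
policy-map PM-LAN-IN
 class CM-HOST-TO-CNN
  drop
policy-map PM-LAN-OUT
 class CM-JPEG-TO-HOST
  drop
!
interface GigabitEthernet0/0
 description LAN (inside) - policies go here, not on the WAN side
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input PM-LAN-IN
 service-policy output PM-LAN-OUT
!
! An OUTPUT policy on the WAN interface would only ever see the
! translated public address, so it cannot single out one inside host.
interface GigabitEthernet0/1
 description WAN (outside)
 ip nat outside
```

`show policy-map interface GigabitEthernet0/0` shows per-class packet counters, which is the quickest way to confirm whether NBAR is actually matching anything before suspecting NAT.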