QoS, NBAR, and NAT - Help

John Blakley · ‎03-13-2009

All,

When using NAT, I understand that the translation is done BEFORE QoS is applied for inbound-to-outbound traffic. If this is correct, how would an ACL look if I wanted to restrict one host on the inside from going out a certain port?

Public IP: 5.5.5.5

Private IP: 192.168.1.50

If a service policy is applied as output on the public interface, then QoS would match on the 5.5.5.5 address, but if I wanted to restrict cnn.com, I would restrict everyone behind that address. Is there a way to restrict just the one host?

I've been using NBAR and I can't get anything to match, for whatever reason, so I'm wondering if it has something to do with NAT. Does anyone have a good example of a config that is using NAT, NBAR, and blocking either whole websites or, better yet, mime types?

Thanks,

John

HTH, John *** Please rate all useful posts ***

rpfinneran · ‎04-13-2009

Use NBAR to mark the traffic. Then use an ACL blocking 192.168.1.50 to any IP that has that marking.

So, just an example...

class-map match-any CNN

match protocol http url "*cnn.com*"

!

policy-map CONTROL-HTTP

class CNN

set ip dscp 1

!

ip access-list extended 110

permit ip host 192.168.1.50 any dscp 1

!

ip access-list extended DROP

deny ip any any

!

interface lo200

desc *** My Black Hole ***

ip address 200.200.200.200 255.255.255.255

ip access-list DROP in

!

route-map BLACK-HOLE-HTTP

match ip address 110

set ip next-hop 200.200.200.200

!

interface Fa0/0 !(inside int here)

service-policy input CONTROL-HTTP

ip policy route-map BLACK-HOLE-HTTP

end