NBAR and HTTP accept only specified inbound http deny the rest
I'm trying to use NBAR in the way a reverse proxy server would: accept specific documents or headers in packets destined to an HTTP server on the inside of my network.
For example: I have a router with two interfaces, outside and inside.
I have two class maps, one accepting approved documents (setting DSCP 2) and one rejecting the rest (setting DSCP 3). I would prefer to accept only a few and then deny the rest, similar to a firewall, although all the examples show just the opposite (deny a few and accept the rest). I tag these with a policy and apply the policy to the outside interface in the inbound direction. I then have an access list permitting and denying based on the DSCP bit on the inside interface in the out direction, although it denies my internal clients from surfing the net (I don't want this to affect my internal clients surfing the net).

I then tried to tie the class map to an access list with specific values (any to inside server eq 80), shown below, but that doesn't work either. The idea would be to tag the packets (DSCP 2) coming inbound from the internet that were approved docs (/, *.jpg, etc.) and then deny the rest of the HTTP inbound packets and tag them (DSCP 3). Is anybody doing this, and does it work? (I'm doing quite a bit of other things on this router as well: NAT, etc.)
class-map match-any http-permitted
 match protocol http url "/"
 match protocol http url "*.jpg*"
 match protocol http url "*.htm*"
class-map match-all http-deny
 match access-group 122
!
! the set commands belong under a policy-map (name chosen here); the approved class is listed first so it is matched first
policy-map http-inbound
 class http-permitted
  set ip dscp 2
 class http-deny
  set ip dscp 3
!
! GLOBAL-OUTSIDE-ADDRESS stands for the server's public (NAT) address
access-list 122 permit tcp any host GLOBAL-OUTSIDE-ADDRESS eq 80
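A fuller version of the whitelist-then-deny design, added here as an illustration; it is not taken from the post above or from Cisco documentation. The interface names (FastEthernet0/0 outside, FastEthernet0/1 inside), the server's inside address 192.0.2.10, its global NAT address 203.0.113.10, and the policy-map and ACL names are made-up values. The deny class is built from `match not class-map` and a catch-all URL pattern so that it only claims packets NBAR has already sub-classified by URL, and the outbound ACL on the inside interface is scoped to the server's port 80 and ends with a permit, so the internal clients' own traffic is left alone.

```cisco
! Added example, not the original poster's configuration. All names and addresses are constructed.
!
! Approved requests: only these URL patterns may reach the inside web server.
class-map match-any http-permitted
 match protocol http url "/"
 match protocol http url "*.jpg*"
 match protocol http url "*.htm*"
!
! Everything else that NBAR has classified by URL. Assumption: packets that carry no URL yet
! (the TCP handshake of a new flow) do not match url "*" and therefore fall to class-default.
class-map match-all http-deny
 match protocol http url "*"
 match not class-map http-permitted
!
! Mark on ingress from the untrusted side. class-default clears any DSCP the outside host
! set itself, so the inside ACL below only ever sees marks this router applied.
policy-map http-inbound
 class http-permitted
  set ip dscp 2
 class http-deny
  set ip dscp 3
 class class-default
  set ip dscp 0
!
! Enforcement on the inside interface, outbound towards the server (inside address after NAT).
! Only the server's port 80 is filtered on DSCP; the final permit keeps everything else,
! including return traffic for internal clients, untouched.
ip access-list extended inside-out
 permit tcp any host 192.0.2.10 eq 80 dscp 2
 deny   tcp any host 192.0.2.10 eq 80 dscp 3
 permit ip any any
!
interface FastEthernet0/0
 description outside (assumed name)
 service-policy input http-inbound
!
interface FastEthernet0/1
 description inside (assumed name)
 ip access-group inside-out out
```

The design rests on one behaviour that should be verified on the running IOS release rather than assumed: NBAR can only match a URL once it has seen the HTTP request, so the handshake packets of a new flow must land in class-default (DSCP 0, passed by the final permit) and not in http-deny, otherwise no session ever gets far enough to present a URL. Open a test connection from the outside and check the per-class counters with `show policy-map interface FastEthernet0/0` and the ACL hit counts with `show ip access-lists inside-out`. NBAR classifies only what it recognises (non-HTTP traffic on port 80, or HTTPS, is never URL-classified), so this marks and filters requests; it does not replace a firewall or a real reverse proxy in front of the server.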