jgard
New Contributor

Permitting only web filter to get to internet

Sorry for the late response, I've been on vacation. Unfortunately I never got this to work... somewhere along the network it was stripping the VLAN tags off the packets (found that out via Wireshark). Due to a time schedule, I ended up putting my web filter in proxy mode. All is working fine. I was hoping you can help me with blocking all internet traffic, with the exception of the web filter. I know it would be something along this line, but I'm not clear on where it belongs.

permit tcp host 10.7.32.249 eq www any ack

deny tcp any any eq www

Thanks again Noor!

Accepted Solutions
Anonymous
Not applicable

Re: Permitting only web filter to get to internet

- I branched your question to a new topic.

The rule would need to be applied to the access-policy/security zone that is assigned to your LAN interface. The ACL would look something like this:

ip access-list ext Web_Filter

   permit tcp host 10.7.32.249 any eq www

ip policy-class Private

   nat source list Web_Filter interface ppp 1 overload

Since internet traffic from your LAN must be NATted to get out to the internet, by restricting which traffic we NAT, we can restrict which hosts can get out to the internet. Let us know if you have any questions.

Thanks,

Noor

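To make the difference between the two ACL forms in this thread concrete, here is an added example that is not part of the original post and is not ADTRAN code: a small Python evaluator for the extended-ACL subset used above (`permit|deny tcp <src> [eq <port>] <dst> [eq <port>] [ack]`, with `any` and `host A.B.C.D` as address forms). It applies the model the accepted answer describes: a flow that matches a `permit` entry of the NAT source list is translated, and anything else is not translated and so never reaches the internet. The addresses 203.0.113.10 (an internet host) and 10.7.32.50 (a LAN client) and all port numbers are constructed sample values; only 10.7.32.249 comes from the thread.

```python
"""Toy evaluator for the extended-ACL subset used in this thread (added example).

Supported entry syntax:
    <permit|deny> tcp <src> [eq <port>] <dst> [eq <port>] [ack]
where <src>/<dst> is 'any' or 'host A.B.C.D'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Keyword ports the thread uses; add more as needed.
WELL_KNOWN = {"www": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True for a packet carrying the TCP ACK bit


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    ack_only: bool  # entry written with the trailing 'ack' keyword


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {tok!r}")


def _opt_port(tokens):
    """Consume an optional 'eq <port>' and return the port number, else None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return WELL_KNOWN.get(tok) or int(tok)
    return None


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")
    src, sport = _addr(tokens), _opt_port(tokens)
    dst, dport = _addr(tokens), _opt_port(tokens)
    ack_only = bool(tokens) and tokens[0] == "ack"
    return Ace(action, src, sport, dst, dport, ack_only)


def parse_acl(text):
    """Parse the entries of an ACL, skipping the 'ip access-list ...' header line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [parse_ace(l) for l in lines if not l.startswith("ip access-list")]


def matches(ace, flow):
    return (ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and (ace.sport is None or ace.sport == flow.sport)
            and (ace.dport is None or ace.dport == flow.dport)
            and (not ace.ack_only or flow.ack))


def nat_decision(acl, flow):
    """'NAT' if the first matching entry permits the flow, otherwise 'DROP'.

    Mirrors the accepted answer: only flows matching the NAT source list are
    translated; a flow no entry permits is never translated (implicit deny).
    """
    for ace in acl:
        if matches(ace, flow):
            return "NAT" if ace.action == "permit" else "DROP"
    return "DROP"


# The list from the accepted answer.
NOOR_ACL = parse_acl("""
ip access-list ext Web_Filter
   permit tcp host 10.7.32.249 any eq www
""")

# The two lines the original poster proposed, read as one list.
OP_ACL = parse_acl("""
permit tcp host 10.7.32.249 eq www any ack
deny tcp any any eq www
""")

INTERNET = "203.0.113.10"  # constructed stand-in for an internet web server
FLOWS = {
    "filter_http": Flow("10.7.32.249", 51000, INTERNET, 80),   # filter fetching a page
    "client_http": Flow("10.7.32.50", 51001, INTERNET, 80),    # LAN client bypassing the filter
    "filter_https": Flow("10.7.32.249", 51002, INTERNET, 443), # filter fetching over HTTPS
    # filter answering a LAN client: source port 80, ACK set (what the OP's permit line describes)
    "filter_reply_to_lan": Flow("10.7.32.249", 80, "10.7.32.50", 51000, ack=True),
}


def evaluate(acl):
    return {name: nat_decision(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("accepted answer", NOOR_ACL), ("original poster", OP_ACL)):
        print(label, evaluate(acl))
```

Running it shows that with the accepted answer's list only the filter's outbound HTTP connections are translated and a LAN client going straight to port 80 is not. It also shows what the poster's `permit tcp host 10.7.32.249 eq www any ack` line actually describes: packets from the filter with source port 80 and the ACK bit set, i.e. the filter replying as a server, so as an outbound NAT list it would not match the filter's own connections and the following `deny` would catch them. Note that a list permitting only `eq www` leaves the filter's HTTPS connections untranslated as well, which matters if the filter needs to reach HTTPS sites or update servers.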
Anonymous
Not applicable

Re: Permitting only web filter to get to internet

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi