Sorry for the late response, I've been on vacation. Unfortunately I never got this to work... somewhere along the network it was stripping the VLAN tags off the packets (found that out via Wireshark). Due to a time schedule, I ended up putting my web filter in proxy mode. All is working fine. I was hoping you can help me with blocking all internet traffic, with the exception of the web filter. I know it would be something along this line, but I'm not clear on where it belongs.
permit tcp host 10.7.32.249 eq www any ack
deny tcp any any eq www
Thanks again, Noor!
- I branched your question to a new topic.
The rule would need to be applied to the access-policy/security zone that is assigned to your LAN interface. The ACL would look something like this:
ip access-list ext Web_Filter
permit tcp host 10.7.32.249 any eq www
ip policy-class Private
nat source list Web_Filter interface ppp 1 overload
Since internet traffic from your LAN must be NATted to get out to the internet, by restricting which traffic we NAT, we can restrict which hosts can get out to the internet. Let us know if you have any questions.
Thanks,
Noor
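To see how the posted access list behaves as a NAT source list, here is an added example (not from this thread and not ADTRAN code) that parses the subset of extended-ACL syntax used above and evaluates it against a few constructed flows, including the implicit deny that ends every ACL. The addresses 203.0.113.10 and 10.7.32.50, the flow names, and the helper functions are assumptions made for the illustration; only 10.7.32.249 and the Web_Filter entry come from the thread. It also evaluates an HTTPS flow from the filter host, which the single port-80 entry does not match, so a reader can see which traffic would fall to the implicit deny and therefore not be NATted.

```python
"""Evaluate an AOS-style extended ACL (as used in a NAT source list) against sample flows.

Added example, not from the forum thread or from ADTRAN's software. It models only
the syntax that appears in the posted configuration: permit/deny, a protocol,
'host A.B.C.D' or 'any' for source and destination, an optional 'eq <port|www>'
on the destination, and the implicit deny at the end of every access list.
All addresses and flows below other than 10.7.32.249 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

NAMED_PORTS = {"www": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: Optional[str]    # None means 'any'
    dst: Optional[str]
    dport: Optional[int]  # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' or 'host A.B.C.D'; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return str(ip_address(tokens[i + 1])), i + 2
    raise ValueError(f"unsupported address form at: {' '.join(tokens[i:])}")


def parse_entry(line: str) -> Entry:
    """Parse one 'permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dport = NAMED_PORTS.get(p) or int(p)
    return Entry(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Entry]:
    """Parse the body of an 'ip access-list ext ...' block, skipping the header line."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list"):
            continue
        entries.append(parse_entry(line))
    return entries


def matches(e: Entry, f: Flow) -> bool:
    """True when every field the entry constrains agrees with the flow."""
    if e.proto != "ip" and e.proto != f.proto:
        return False
    if e.src is not None and e.src != f.src:
        return False
    if e.dst is not None and e.dst != f.dst:
        return False
    if e.dport is not None and e.dport != f.dport:
        return False
    return True


def evaluate(acl: List[Entry], f: Flow) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for e in acl:
        if matches(e, f):
            return e.action
    return "deny"


# The access list from the thread (header kept so parse_acl can skip it).
WEB_FILTER_ACL = """
ip access-list ext Web_Filter
  permit tcp host 10.7.32.249 any eq www
"""

# Constructed flows: the filter's own HTTP fetch, a LAN PC going direct,
# and the filter speaking HTTPS, which the posted entry does not cover.
SAMPLE_FLOWS = {
    "filter_http":  Flow("tcp", "10.7.32.249", "203.0.113.10", 80),
    "client_http":  Flow("tcp", "10.7.32.50",  "203.0.113.10", 80),
    "filter_https": Flow("tcp", "10.7.32.249", "203.0.113.10", 443),
}


def nat_decisions(acl_text: str = WEB_FILTER_ACL) -> Dict[str, str]:
    """Map each sample flow to 'permit' (NATted) or 'deny' (no internet path)."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in nat_decisions().items():
        state = "NATted" if verdict == "permit" else "not NATted (no internet path)"
        print(f"{name:13s} -> {state}")
```

Because the NAT source list only translates traffic that the ACL permits, a LAN client's direct port-80 connection has no translated path out, while the filter host's port-80 traffic does; anything not explicitly listed, such as the filter's own HTTPS in the sample, falls to the implicit deny and would need its own entry if it is required.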
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi