2 Replies Latest reply on Sep 6, 2013 9:37 AM by levi Branched from an earlier discussion.

    Permitting only web filter to get to internet

    jgard New Member

      Sorry for the late response, I've been on vacation. Unfortunately I never got this to work....somewhere along the network it was stripping the vlan tags off the packets (found that out via wireshark). Due to a time schedule, I ended up putting my web filter in proxy mode. All is working fine. I was hoping you can help me with blocking all internet traffic, with the exception of the web filter. I know it would be something along this line, but i'm not clear on where it belongs.


      permit tcp host eq www any ack

      deny tcp any any eq www


      Thanks again Noor!

        • Re: Permitting only web filter to get to internet

          jgard - I branched your question to a new topic.


          The rule would need to be applied to the access-policy/security zone that is assigned to your LAN interface. The ACL would look something like this:


          ip access-list ext Web_Filter

             permit tcp host any eq www


          ip policy-class Private

             nat source list Web_Filter interface ppp 1 overload


          Since internet traffic from your LAN must be NATted to get out to the internet, by restricting which traffic we NAT, we can restrict which hosts can get out to the internet. Let us know if you have any questions.




          • Re: Permitting only web filter to get to internet


            I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.