NBAR and HTTP accept only specified inbound http deny the rest

jadiego
Level 1

I'm trying to use NBAR in the way a reverse proxy server would: accept only specific documents or headers in packets destined to an HTTP server on the inside of my network.

For example: I have a router with two interfaces, outside and inside.

I have two class maps, one accepting approved documents (setting DSCP 2) and one rejecting the rest (setting DSCP 3). I would prefer to accept only a few and then deny the rest, similar to a firewall, although all the examples show just the opposite (deny a few and accept the rest). I tag these with a policy and apply the policy to the outside interface in the inbound direction. I then have an access list permitting and denying based on the DSCP bit on the inside interface in the out direction, although it denies my internal clients from surfing the net (I don't want this to affect my internal clients from surfing the net). I then tried to tie the class map to an access list with specific values (any to inside server eq 80), below, but that doesn't work either. The idea would be to tag the packets (DSCP 2) coming inbound from the internet that were approved docs (/, *.jpg, etc.), and then deny the rest of the HTTP inbound packets and tag them (DSCP 3). Is anybody doing this, and does it work? (I'm doing quite a bit of other things on this router as well: NAT, etc.)

class-map match-any http-permited
 match protocol http url "/"
 match protocol http url "*.jpg*"
 match protocol http url "*.htm*"
class-map match-all http-deny
 match access-group 122
!
!
policy-map mark-inbound-permitted
 class http-permited
  set ip dscp 2
 class http-deny
  set ip dscp 3
!
access-list 122 permit tcp any Global outside address eq 80
access-list 121 permit ip any any dscp 2
access-list 121 deny ip any any dscp 3
access-list 121 permit ip any any
!
inside interface
 ip access-group 121 out

1 Reply

m.singer
Level 4

Here's a link on setting up NBAR.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfclass.htm

If you need more help, you might need to contact Cisco directly so someone can look through the rest of your config.