topic NAT question one outside address permited to all inside addresses in Network Security

NAT question one outside address permited to all inside addresses

john.wright — Tue, 12 Mar 2019 02:58:44 GMT

What is the proper config to allow a single outside addr access to every device to multiple ports on an inside network?

We have a vendor that supports our access points and other wifi related devices at one of our remotes sites.

The only subnet in use at this site is the inside network with subnet 192.168.223.0/24

I am hopping I do not need to create a static entry for every device and every port because there are a lot!

This is what I have in the 5505 ios 8.2 to allow them to access.

interface Vlan1

nameif inside

security-level 100

ip address 192.168.223.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 100.100.100.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 100.100.100.1 1

route inside 192.168.223.0 255.255.255.0 192.168.223.254 1

name 99.99.99.99 vendor

access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended deny ip host vendor host 192.168.223.251

access-list outside_access_in_1 extended permit tcp host vendor any object-group xxx
access-list outside_access_in_1 extended permit udp host vendor any object-group xxx

global (outside) 1 100.100.100.3 netmask 255.255.255.0
nat (inside) 1 192.168.223.0 255.255.255.0

access-group outside_access_in_1 in interface outside

None of the inside devices need to initiate access to go outside. All of the traffic these inside devices generate goes to the 192.168.223.251 device which is a server with dual connected NICs.

NAT question one outside address permited to all inside addresse

Jouni Forss — Thu, 31 Oct 2013 15:42:22 GMT

Hi,

If the Vendor doesnt not have any existing connection to your network and wants to connect to your internal network devices through the Internet then every device would need a public IP address. But this isnt really an option with so many devices.

I would suggest that you either provide the Vendor access to your network through a VPN Client connection or better yet configure a L2L VPN connection between your site and the Vendor site.

This would enable the Vendor to connect to your devices with their actual IP addresses.

You could control the Vendor access either with VPN Filter ACL specific to their VPN connection or use an interface ACL to control this traffic provided that some other setting were also changed.

But as I said, if the Vendor is attempting to connect through the Internet without any VPN connection then every device would needs its own public IP address OR you would have to have a DMZ server to which the Vendor connects and the Vendor would have limited access through the DMZ Server to the devices required.

Hope this helps

- Jouni

NAT question one outside address permited to all inside addresse

john.wright — Thu, 31 Oct 2013 19:05:00 GMT

Jouni

Thanks for the response.

I think the VPN tunnel is the best idea.