topic Need help for access list problem in Network Security

Need help for access list problem

joel.palen — Tue, 12 Mar 2019 02:35:21 GMT

Cisco 2901 ISR

I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet

I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.

Anybody can help?

DENY 10.25.0.1 – 10.25.0.255

10.25.1.1 – 10.25.1.255

Permit only 1 host for Internet

10.25.7.136 255.255.255.192 ------ TMG Server

Using access-list.

( Current configuration )

object-group network IP

description Block_IP

range 10.25.0.2 10.25.0.255

range 10.25.1.2 10.25.1.255

interface GigabitEthernet0/0

ip address 192.168.2.3 255.255.255.0

ip nat inside

ip virtual-reassembly in max-fragments 64 max-reassemblies 256

duplex auto

speed auto

interface GigabitEthernet0/1

description ### ADSL WAN Interface ###

no ip address

pppoe enable group global

pppoe-client dial-pool-number 1

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

interface Dialer1

description ### ADSL WAN Dialer ###

ip address negotiated

ip mtu 1492

ip nat outside

no ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username xxxxxxx password 7 xxxxxxxxx

ip nat inside source list 101 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.25.0.0 255.255.0.0 192.168.2.1

access-list 101 permit ip 10.25.0.0 0.0.255.255 any

access-list 105 deny ip object-group IP any

From the 4500 Catalyst switch

( Current Configuration )

interface GigabitEthernet0/48

no switchport

ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42

ip route 0.0.0.0 0.0.0.0 192.168.2.3

Need help for access list problem

cadet alain — Sun, 08 Sep 2013 10:42:35 GMT

Hi,

ip access-list extended 101

5 permit ip host 10.25.7.136 any

no 10

This way you'll only NAT this host an not the others so they won't be able to get to the Internet.

Regards

Alain

Regards

Alain

Don't forget to rate helpful posts.

Re: Need help for access list problem

joel.palen — Sun, 08 Sep 2013 11:09:21 GMT

I already use this command before, but it didn't work. The internet is disconnected.

Need help for access list problem

cadet alain — Mon, 09 Sep 2013 08:26:13 GMT

Hi,

you mean other hosts can't get to Internet or this host can't ping 8.8.8.8 ?

Just make sure your clients are configured to use the proxy to get to internet and try to ping 8.8.8.8 from one of these clients and look at the NAT table with sh ip nat translation on the router.

Regards

Alain

Don't forget to rate helpful posts.

Need help for access list problem

joel.palen — Mon, 09 Sep 2013 10:39:12 GMT

Hello,

Host will can't get internet connection

I remove this configuration...... access-list 101 permit ip 10.25.0.0 0.0.255.255 any

and change the configuration .... ip access-list extended 101

5 permit ip host 10.25.7.136 any

In this case I will allow only host 10.25.7.136 but it isn't work.

No internet connection from the TMG Server.

Need help for access list problem

cadet alain — Mon, 09 Sep 2013 14:00:39 GMT

Hi,

Does the TMG server know how to get to the internet? Has it got a default route pointing towards the router ?

Regards

Alain

Don't forget to rate helpful posts.

Need help for access list problem

joel.palen — Mon, 09 Sep 2013 16:33:29 GMT

From the 4500 Catalyst switch

( Current Configuration )

interface GigabitEthernet0/48

no switchport

ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42

ip route 0.0.0.0 0.0.0.0 192.168.2.3

TMG server

external lan 10.25.7.136 255.255.255.192

internal lan 10.25.51.10 255.255.255.0