https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751914#M530611 <HTML><HEAD></HEAD><BODY><P>Hi Deepak,</P><P></P><P>After going through the configuration I see that your statement <STRONG>nat (inside) 1 access-list internet-inside</STRONG> should never really work, because the access-list internet-inside doesnt include your internal network at all, have a look:</P><P></P><P>access-list internet-inside extended permit tcp object-group inside-subnets any object-group allow </P><P>access-list internet-inside extended permit udp object-group inside-subnets any object-group allow-udp </P><P>access-list internet-inside extended permit tcp object-group allowed-ip-addresses any object-group allow </P><P>access-list internet-inside extended permit udp object-group allowed-ip-addresses any object-group allow-udp </P><P></P><P>object-group network allowed-ip-addresses</P><P>network-object 192.168.91.31 255.255.255.255</P><P></P><P>So all the users in the 192.168.88.0 subnet don't fall in it, you woudl definitely need the statement:</P><P></P><P><STRONG>nat (inside) 1 192.168.88.0 255.255.255.0</STRONG></P><P></P><P><STRONG>If you want restrict access to internet for a few machines, lets taske for example, you want to block 192.168.88.10 and 192.168.88.59 machines, then you would need this:</STRONG></P><P></P><P><STRONG>access-list in-out deny ip host 192.168.88.10 any</STRONG></P><P><STRONG>access-list in-out deny ip host 192.168.88.59 any</STRONG></P><P><STRONG>access-list in-out permit ip any any</STRONG></P><P></P><P><STRONG>access-group in-out in interface inside</STRONG></P><P>nat (inside) 1 192.168.88.0 255.255.255.0</P><P></P><P>This is how you should do it.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks,</P><P>Varun</P><P></P><P>Please do rate helpful posts.</P><P></P><P><STRONG><BR /></STRONG></P></BODY></HTML> Fri, 16 Sep 2011 15:32:39 GMT varrao 2011-09-16T15:32:39Z https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751913#M530609 <P>Hello experts,</P><P>I am not an expert in security and network so please help me with my below query.</P><P></P><P>I have a ASA 5520 V 7.0(4), the Inernet link is terminated on a router --&gt; switch---&gt; ASA G0/2. The ASA 5520 is connected to the L3 i.e. G0/1---&gt;L3.</P><P>Normally user access the internet using the Proxy server. However I have created natted an access-list for direct internet access for client who frequently visit in our office. Below is the config. </P><P></P><P>The <STRONG>nat (inside) 1 access-list internet-inside </STRONG>works perfectly fine if <STRONG>Nat (inside) 1 192.168.88.0 25.255.255.0</STRONG> is applied, but the problem is If i remove the nat entry <STRONG>Nat (inside) 1 192.168.88.0 25.255.255.0</STRONG> the users cannot access the internet through the access-list internet-inside.</P><P>Is the nat compulsary ? what can I do to make the <STRONG>nat (inside) 1 access-list internet-inside </STRONG>make work with out <STRONG>Nat (inside) 1 192.168.88.0 25.255.255.0</STRONG></P><P>I want to remove the nat so that I can restrict the users of 192.168.88.0 subnet from accessing direct internet and restrict them through the internet-inside accesslist.</P><P></P><P>interface GigabitEthernet0/2<BR />duplex full<BR />nameif internet<BR />security-level 0<BR />ip address X.X.X.242 255.255.255.240 <BR />!<BR />interface GigabitEthernet0/3<BR />nameif inside<BR />security-level 0<BR />ip address 192.168.88.2 255.255.255.0 <BR />! </P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; width: 1px; height: 1px; overflow: hidden; top: 0px; left: -10000px;"></DIV><P>dns domain-lookup internet<BR />dns name-server X.X.96.2<BR />dns name-server X.X.103.100<BR />same-security-traffic permit inter-interface<BR />object-group network inside-subnets<BR />network-object 192.168.94.0 255.255.255.0<BR />network-object 192.168.92.0 255.255.255.0<BR />network-object 192.168.93.0 255.255.255.0<BR />network-object 192.168.95.0 255.255.255.0<BR />network-object 192.168.90.0 255.255.255.0<BR />object-group service allow tcp-udp<BR />port-object eq www<BR />port-object eq 443<BR />port-object eq 21<BR />port-object eq 1352<BR />port-object eq 445<BR />port-object eq 1720<BR />port-object range 3230 3270<BR />port-object eq 444<BR />port-object eq 17515<BR />port-object eq 6057<BR />port-object eq 2598<BR />object-group service allow-udp udp<BR />port-object eq 10000<BR />port-object eq isakmp<BR />port-object eq 2598<BR />object-group network allowed-ip-addresses<BR />network-object 192.168.91.31 255.255.255.255<BR />access-list internet_cryptomap_40 extended permit ip host 192.168.88.253 host 10.64.4.94 <BR />access-list internet_cryptomap_dyn_20 extended permit ip 192.168.88.0 255.255.255.0 172.16.16.0 255.255.255.0 <BR />access-list internet-inside extended permit tcp object-group inside-subnets any object-group allow <BR />access-list internet-inside extended permit udp object-group inside-subnets any object-group allow-udp <BR />access-list internet-inside extended permit tcp object-group allowed-ip-addresses any object-group allow <BR />access-list internet-inside extended permit udp object-group allowed-ip-addresses any object-group allow-udp <BR />access-list Client5_nat0_outbound extended permit ip 192.168.94.0 255.255.255.0 host 10.64.4.94 <BR />access-list no-nat extended permit ip 192.168.89.0 255.255.255.0 172.16.16.0 255.255.255.0 <BR />access-list no-nat extended permit ip 192.168.88.0 255.255.255.0 172.16.16.0 255.255.255.0 <BR />access-list no-nat extended permit ip host 192.168.88.253 host 10.64.4.94 <BR />access-list no-nat extended permit ip 10.66.254.0 255.255.255.240 10.0.0.0 255.0.0.0 <BR />access-list no-nat extended permit ip 192.168.88.0 255.255.255.0 host 10.124.31.13 <BR />access-list internet-out extended permit tcp any host X.X.X.243 eq smtp <BR />access-list internet-out extended permit tcp any host X.X.X.244 eq ftp <BR />access-list internet-out extended permit ip any host X.X.X.245 <BR />access-list internet_cryptomap_60 extended permit ip 10.66.254.0 255.255.255.240 host 10.124.31.13 <BR />pager lines 24<BR />logging enable<BR />logging timestamp<BR />logging trap informational<BR />logging asdm informational<BR />logging device-id string asa5520<BR />logging host inside 192.168.88.3 17/1514<BR />mtu internet 1500<BR />mtu inside 1500<BR />mtu management 1500<BR />mtu IPS 1500<BR />ip local pool vpnpool 10.10.8.1-10.10.8.254<BR />ip local pool VPN_POOL 10.10.10.1-10.10.10.254<BR />ip local pool rsapool 172.16.16.1-172.16.16.254 mask 255.255.255.0<BR />no failover<BR />icmp permit any inside<BR />icmp permit any management<BR />asdm image disk0:/asdm504.bin<BR />asdm location X.X.X.X 255.255.255.255 internet<BR />asdm location X.X.X.X&nbsp; 255.255.255.255 internet<BR />asdm location X.X.X.X&nbsp; 255.255.255.255 internet<BR />asdm location X.X.X.X 255.255.255.0 inside<BR />asdm location X.X.X.X 255.255.255.255 internet<BR />asdm location X.X.X.X 255.255.255.255 inside<BR />asdm location X.X.X.X&nbsp; 255.255.255.0 internet<BR />asdm location X.X.X.X&nbsp; 255.255.255.255 internet<BR />asdm location X.X.X.X&nbsp; 255.255.255.255 internet<BR />asdm location 192.168.88.33 255.255.255.255 inside<BR />asdm location X.X.X.X&nbsp; 255.255.255.255 internet<BR />asdm location 192.168.88.12 255.255.255.255 inside<BR />asdm location X.X.X.X 255.255.255.240 inside<BR />asdm location 192.168.90.240 255.255.255.240 inside<BR />asdm group inside-subnets inside<BR />no asdm history enable<BR />arp timeout 14400<BR />nat-control<BR />global (internet) 1 interface<BR /><STRONG>nat (inside) 1 access-list internet-inside<BR />nat (inside) 1 192.168.88.0 255.255.255.0</STRONG><BR />static (inside,internet) X.X.X.243 192.168.89.5 netmask 255.255.255.255 <BR />static (inside,internet) X.X.X.244 192.168.88.6 netmask 255.255.255.255 <BR />static (inside,internet) 10.66.254.0 192.168.90.240 netmask 255.255.255.240 <BR />access-group internet-out in interface internet<BR />route internet 0.0.0.0 0.0.0.0 X.X.X.241 1<BR />route inside 192.168.91.0 255.255.255.0 192.168.88.1 1<BR />route inside 192.168.94.0 255.255.255.0 192.168.88.1 1<BR />route inside 192.168.90.0 255.255.255.0 192.168.88.1 1<BR />route inside 192.168.89.0 255.255.255.0 192.168.88.1 1<BR />route inside 192.168.87.0 255.255.255.0 192.168.88.1 1<BR />route inside 192.168.95.0 255.255.255.0 192.168.88.1 1<BR />route management 192.168.1.100 255.255.255.255 192.168.1.1 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00<BR />timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00<BR />timeout uauth 0:05:00 absolute<BR />aaa-server sdi protocol sdi<BR />aaa-server sdi host 192.168.88.12<BR />aaa-server radius protocol radius<BR />aaa-server radius host 192.168.88.7<BR />key cisco<BR />group-policy RSA_POLICY internal<BR />group-policy RSA_POLICY attributes<BR />banner value Welcome to **** RSA Networks! <BR />vpn-idle-timeout none<BR />vpn-session-timeout none<BR />vpn-tunnel-protocol IPSec <BR />webvpn<BR />group-policy DfltGrpPolicy attributes<BR />banner value Welcome to *** VPN.<BR />wins-server none<BR />dns-server none<BR />dhcp-network-scope none<BR />vpn-access-hours none<BR />vpn-simultaneous-logins 3<BR />vpn-idle-timeout 30<BR />vpn-session-timeout none<BR />vpn-filter none<BR />vpn-tunnel-protocol IPSec webvpn<BR />password-storage disable<BR />ip-comp disable<BR />re-xauth disable<BR />group-lock none<BR />pfs disable<BR />ipsec-udp disable<BR />ipsec-udp-port 10000<BR />split-tunnel-policy tunnelall<BR />split-tunnel-network-list none<BR />default-domain none<BR />split-dns none<BR />secure-unit-authentication disable<BR />user-authentication disable<BR />user-authentication-idle-timeout 30<BR />ip-phone-bypass disable<BR />leap-bypass disable<BR />nem disable<BR />backup-servers keep-client-config<BR />client-firewall none<BR />client-access-rule none<BR />webvpn<BR />&nbsp; functions url-entry<BR />&nbsp; port-forward-name value Application Access<BR />group-policy VPN_POLICY internal<BR />group-policy VPN_POLICY attributes<BR />&nbsp; vpn-idle-timeout none<BR />vpn-session-timeout none<BR />vpn-tunnel-protocol IPSec <BR />pfs disable<BR />ipsec-udp enable<BR />split-tunnel-policy tunnelall<BR />webvpn<BR />username ********password 2dYqgmUa9wXbpdNS encrypted privilege 15<BR />aaa authentication ssh console LOCAL <BR />http server enable<BR />http 192.168.88.0 255.255.255.0 inside<BR />http 192.168.1.0 255.255.255.0 management<BR />crypto ipsec transform-set ****_SET esp-3des esp-md5-hmac <BR />crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac <BR />crypto map VPN_CRY_MAP 40 match address internet_cryptomap_40<BR />crypto map VPN_CRY_MAP 40 set peer X.X.X.174 <BR />crypto map VPN_CRY_MAP 40 set transform-set ****_SET<BR />crypto map VPN_CRY_MAP 60 match address internet_cryptomap_60<BR />crypto map VPN_CRY_MAP 60 set peer X.X.X.234 <BR />crypto map VPN_CRY_MAP 60 set transform-set ****_SET<BR />crypto map VPN_CRY_MAP interface internet<BR />isakmp identity auto <BR />isakmp enable internet<BR />isakmp enable inside<BR />isakmp policy 2 authentication pre-share<BR />isakmp policy 2 encryption des<BR />isakmp policy 2 hash md5<BR />isakmp policy 2 group 2<BR />isakmp policy 2 lifetime 86400<BR />isakmp policy 10 authentication pre-share<BR />isakmp policy 10 encryption 3des<BR />isakmp policy 10 hash sha<BR />isakmp policy 10 group 2<BR />isakmp policy 10 lifetime 86400<BR />isakmp policy 30 authentication pre-share<BR />isakmp policy 30 encryption 3des<BR />isakmp policy 30 hash md5<BR />isakmp policy 30 group 2<BR />isakmp policy 30 lifetime 86400<BR />isakmp nat-traversal&nbsp; 20<BR />tunnel-group ipsec1 type ipsec-ra<BR />tunnel-group ipsec1 general-attributes<BR />address-pool rsapool<BR />tunnel-group ipsec1 ipsec-attributes<BR />pre-shared-key password<BR />tunnel-group X.X.X.6 type ipsec-l2l<BR />tunnel-group X.X.X.6 ipsec-attributes<BR />pre-shared-key passw0rd<BR />peer-id-validate nocheck<BR />tunnel-group X.X.X.174 type ipsec-l2l<BR />tunnel-group X.X.X.174 ipsec-attributes<BR />pre-shared-key Passw0rd<BR />tunnel-group X.X.X.234 type ipsec-l2l<BR />tunnel-group X.X.X.234 ipsec-attributes<BR />pre-shared-key <A href="mailto:123456789****@##*SOL" target="_blank">1XXXXX</A></P><P>telnet 192.168.88.0 255.255.255.0 inside<BR />telnet timeout 1440<BR />ssh 192.168.88.0 255.255.255.0 inside<BR />ssh timeout 60<BR />console timeout 10<BR />dhcpd lease 3600<BR />dhcpd ping_timeout 50<BR />dhcprelay server 192.168.88.7 inside<BR />dhcprelay timeout 60<BR />!<BR />class-map class_ftp<BR />match port tcp eq ftp-data<BR />class-map IPSclass<BR />match any<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />class-map class_smtp<BR />!<BR />!<BR />policy-map IPSpolicy<BR />class IPSclass<BR />&nbsp; ips promiscuous fail-open<BR />class inspection_default<BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />class class_smtp<BR />policy-map global_policy<BR />class class_ftp<BR />&nbsp; inspect ftp <BR />class inspection_default<BR />class class_smtp<BR />policy-map test<BR />!<BR />service-policy IPSpolicy global<BR />ntp server 192.168.88.7 source inside prefer<BR />Cryptochecksum:df2f0d0aa79aead88d0c5e275555c1dd<BR />: end</P> Mon, 11 Mar 2019 21:25:53 GMT https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751913#M530609 Deepak Suryavanshi 2019-03-11T21:25:53Z https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751914#M530611 <HTML><HEAD></HEAD><BODY><P>Hi Deepak,</P><P></P><P>After going through the configuration I see that your statement <STRONG>nat (inside) 1 access-list internet-inside</STRONG> should never really work, because the access-list internet-inside doesnt include your internal network at all, have a look:</P><P></P><P>access-list internet-inside extended permit tcp object-group inside-subnets any object-group allow </P><P>access-list internet-inside extended permit udp object-group inside-subnets any object-group allow-udp </P><P>access-list internet-inside extended permit tcp object-group allowed-ip-addresses any object-group allow </P><P>access-list internet-inside extended permit udp object-group allowed-ip-addresses any object-group allow-udp </P><P></P><P>object-group network allowed-ip-addresses</P><P>network-object 192.168.91.31 255.255.255.255</P><P></P><P>So all the users in the 192.168.88.0 subnet don't fall in it, you woudl definitely need the statement:</P><P></P><P><STRONG>nat (inside) 1 192.168.88.0 255.255.255.0</STRONG></P><P></P><P><STRONG>If you want restrict access to internet for a few machines, lets taske for example, you want to block 192.168.88.10 and 192.168.88.59 machines, then you would need this:</STRONG></P><P></P><P><STRONG>access-list in-out deny ip host 192.168.88.10 any</STRONG></P><P><STRONG>access-list in-out deny ip host 192.168.88.59 any</STRONG></P><P><STRONG>access-list in-out permit ip any any</STRONG></P><P></P><P><STRONG>access-group in-out in interface inside</STRONG></P><P>nat (inside) 1 192.168.88.0 255.255.255.0</P><P></P><P>This is how you should do it.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks,</P><P>Varun</P><P></P><P>Please do rate helpful posts.</P><P></P><P><STRONG><BR /></STRONG></P></BODY></HTML> Fri, 16 Sep 2011 15:32:39 GMT https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751914#M530611 varrao 2011-09-16T15:32:39Z https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751915#M530612 <HTML><HEAD></HEAD><BODY><P>Hi Varun,</P><P></P><P>Thanks for you quick reply.</P><P>Even if I add 192.168.88.0 in the below object group, the users in 192.168.88.0 cant access internet, I have already tried it.</P><P>object-group network inside-subnets</P><P>network-object 192.168.94.0 255.255.255.0</P><P>network-object 192.168.92.0 255.255.255.0</P><P>network-object 192.168.93.0 255.255.255.0</P><P>network-object 192.168.95.0 255.255.255.0</P><P>network-object 192.168.90.0 255.255.255.0</P><P></P><P>access-list internet-inside extended permit tcp object-group inside-subnets any object-group allow</P><P></P><P>access-list internet-inside extended permit udp object-group inside-subnets any object-group allow-udp</P><P>Access list internet-inside works fine for rest of the segments but only if nat (inside) 1 192.168.88.0 255.255.255.0 is applied.</P></BODY></HTML> Sat, 17 Sep 2011 04:40:45 GMT https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751915#M530612 Deepak Suryavanshi 2011-09-17T04:40:45Z https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751916#M530613 <HTML><HEAD></HEAD><BODY><P>Hi Deepak,</P><P></P><P>Just add this ACL and you would see it working:</P><P></P><P>access-list internet-inside permit ip 192.168.88.0 255.255.255.0 any</P><P></P><P>Let me know how it goes.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Sat, 17 Sep 2011 04:49:43 GMT https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751916#M530613 varrao 2011-09-17T04:49:43Z https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751917#M530615 <HTML><HEAD></HEAD><BODY><P>Varun,</P><P></P><P></P><P>If I apply access-list internet-inside permit ip 192.168.88.0 255.255.255.0 any All works fine</P><P>but if I remove the above access list the below stops working, why is it so ?</P><P>object-group network inside-subnets</P><P>network-object 192.168.94.0 255.255.255.0</P><P>network-object 192.168.92.0 255.255.255.0</P><P>network-object 192.168.93.0 255.255.255.0</P><P>network-object 192.168.95.0 255.255.255.0</P><P>network-object 192.168.90.0 255.255.255.0</P><P>network-object 192.168.88.0 255.255.255.0 <EVEN if="" i="" add="" this="" entry="" then="" too="" none="" can="" access="" the="" internet=""></EVEN></P><P></P><P>object-group service allow tcp-udp</P><P>port-object eq www</P><P>port-object eq 443</P><P>port-object eq 21</P><P>port-object eq 1352</P><P>port-object eq 445</P><P>port-object eq 1720</P><P>port-object range 3230 3270</P><P>port-object eq 444</P><P>port-object eq 17515</P><P>port-object eq 6057</P><P>port-object eq 2598</P><P>object-group service allow-udp udp</P><P>port-object eq 10000</P><P>port-object eq isakmp</P><P>port-object eq 2598</P><P>access-list internet-inside extended permit tcp object-group inside-subnets any object-group allow</P><P>access-list internet-inside extended permit udp object-group inside-subnets any object-group allow-udp</P><P>global (internet) 1 interface</P><P>nat (inside) 1 access-list internet-inside</P><P></P><P>Regards</P><P>Deepak</P></BODY></HTML> Sat, 17 Sep 2011 06:52:16 GMT https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751917#M530615 Deepak Suryavanshi 2011-09-17T06:52:16Z https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751918#M530617 <HTML><HEAD></HEAD><BODY><P>That because of the object-group ports below:</P><P></P><P>object-group service allow tcp-udp</P><P>port-object eq www</P><P>port-object eq 443</P><P>port-object eq 21</P><P>port-object eq 1352</P><P>port-object eq 445</P><P>port-object eq 1720</P><P>port-object range 3230 3270</P><P>port-object eq 444</P><P>port-object eq 17515</P><P>port-object eq 6057</P><P>port-object eq 2598</P><P>object-group service allow-udp udp</P><P>port-object eq 10000</P><P>port-object eq isakmp</P><P>port-object eq 2598</P><P></P><P></P><P>If you add:</P><P></P><P>access-list Internet-inside permit tcp 192.168.88.0 255.255.255.0 any object-group allow</P><P></P><P>it wont work, since it includes the source ports defined in the object group, but when a user initiates an internet connection, the request can go from any random source port could be 30000 or 40000 or anything, so those ports cannot be defined in the object -group.</P><P></P><P>You might need to put the correct access-list in it.</P><P></P><P>Hope this helps</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Sat, 17 Sep 2011 08:03:42 GMT https://community.cisco.com/t5/network-security/asa-5520-nat-access-list-query-for-internet-access/m-p/1751918#M530617 varrao 2011-09-17T08:03:42Z