05-03-2011 08:19 AM - edited 03-11-2019 01:28 PM
Dear All
I have a 5540, and I am trying to allow access to the internet for a specific network object group, which has inside it a bunch of users who need direct internet access without any restrictions.
I have tried with dynamic NAT, but that configuration asks for a specific IP or a network range, and it is not permitted to configure an object group as a source.
The group is located in the LAN zone, so a permission from one zone to another zone is needed I think, but I can allow the internet access to that group.
Is there another way to get that, different from NAT?
Thanks in advance for any help
05-03-2011 10:02 AM
Hi,
You can use that network object on an access list and then define the NAT, here is how:
! Define the network object first, then the group that references it
object network LAN
 subnet 10.10.10.0 255.255.255.0
object-group network Internet_LAN
 network-object object LAN
! Policy NAT ACL: match the group going anywhere
access-list Internet_Policy_NAT extended permit ip object-group Internet_LAN any
! The nat statement must reference the ACL name defined above
nat (inside) 10 access-list Internet_Policy_NAT
global (outside) 10 x.x.x.x
That would NAT when Internet_LAN tries to go anywhere on the outside; other networks won't hit this rule and won't be able to access the internet.
Hope this helps.
Mike
05-03-2011 11:08 AM
Thanks Maikol
but I have been doing that.
The problem using that kind of network object is that the whole range could be given access to the internet.
I would like to use a network object like this:
object-group network INTERNET_ACCESS
 network-object host X.X.X.X
 network-object host Y.Y.Y.Y
 network-object host Z.Z.Z.Z
In this way it will be easy to add or remove the access for a specific host,
but with NAT I can't use this kind of object unless, as you said, an IP or IP range is defined.
I know that host by host access could be allowed, but I would have to write at least more than 80 lines.
So, what could be an alternative way, in order to avoid host by host access configuration?
Best regards
Miguel
05-03-2011 11:25 AM
Miguel,
If you look at the ACL on the NAT, it contains the object group; you can use the object group you mention as well. Whatever is inside of that object is going to be NATted to the public IP in order to access the internet. In case you want to add more hosts, you will only need to add them to the object group.
If you have any doubts, let me know, I will be more than glad to clarify them.
Cheers
Mike
05-04-2011 11:51 AM
Mike
First, my ASA is a 5540, version 8.2.
I have tried your suggestion, but another problem happens. I am not an ASA expert, so I have to use ASDM software version 6.2 to do all the configs.
Let me explain:
First I created a network object group, and I put inside it the machines of my LAN that I want to allow to the internet.
Then I created an access rule allowing traffic: source "my network object group" from LAN interface to ANY.
On NAT rules I used the option dynamic policy NAT rule and created the following rule:
source interface LAN, source "my network object group", destination any, translated to my internet interface.
But the problem now is that I have lost communication from the LAN zone to the DMZ zone, and there's no problem from outside to DMZ.
I have returned to my old config because many LAN users need access to the DMZ.
I can't figure out what the problem was, because I have not made any change on DMZ rules, just the Access Rule and the NAT rule
from LAN to Outside.
Thanks in advance for any help or suggestion.
Miguel
05-05-2011 11:41 AM
Hi
To that, please add a static self translation from inside to DMZ. Use the same inside network as both the translated and the real addresses. That will take precedence over the Internet one. Then you should be able to access the internet with the policy NAT and the DMZ with the static self translation.
Cheers.
Mike
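Putting the thread's pieces together as an added example (not configuration posted by either participant): a host-based object group used as the policy NAT source, the static self (identity) translation inside-to-DMZ so LAN hosts keep reaching the DMZ, and an inside interface ACL that limits internet access to the group. It assumes ASA 8.2 syntax, nameifs `inside`, `dmz` and `outside`, inside network 10.10.10.0/24, DMZ 172.16.1.0/24 and a placeholder public address 203.0.113.10; all addresses are constructed.

```cisco
! Hosts allowed to the internet; add or remove a host here, nothing else changes
object-group network INTERNET_ACCESS
 network-object host 10.10.10.21
 network-object host 10.10.10.22
 network-object host 10.10.10.23
!
! Static self translation inside->dmz (real == mapped). In 8.2 static NAT is
! evaluated before policy dynamic NAT, so LAN->DMZ traffic is no longer caught
! by the internet rule below.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Policy NAT: only members of the group are translated toward the outside
access-list INTERNET_POLICY_NAT extended permit ip object-group INTERNET_ACCESS any
nat (inside) 10 access-list INTERNET_POLICY_NAT
global (outside) 10 203.0.113.10
!
! Inside interface ACL: keep LAN->DMZ open, allow only the group to the internet,
! and log anything else so unexpected sources are visible in syslog.
access-list INSIDE_IN extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip object-group INTERNET_ACCESS any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

After applying it, `show xlate` and `packet-tracer input inside tcp 10.10.10.21 1025 172.16.1.10 80` confirm the DMZ flow uses the identity translation rather than the outside global.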