Internet access through ASA 5540 for a specific network object group

Miguel Ortega
Level 1

Dear All

I have a 5540, and I am trying to allow internet access for a specific network object group, which contains a bunch of users who need direct internet access without any restrictions.

I have tried dynamic NAT, but that configuration asks for a specific IP or a network range, and it is not permitted to configure an object group as the source.

The group is located in the LAN zone, so a permission from one zone to another zone is needed, I think, but I can allow internet access to that group.

Is there another way to get that, other than NAT?

Thanks in advance for any help

5 Replies

Maykol Rojas
Cisco Employee

Hi,

You can use that network object in an access list and then define the NAT; here is how:


object network LAN
 subnet 10.10.10.0 255.255.255.0

object-group network Internet_LAN
 network-object object LAN

access-list Internet_Policy_NAT extended permit ip object-group Internet_LAN any

nat (inside) 10 access-list Internet_Policy_NAT
global (outside) 10 x.x.x.x

That would NAT when Internet_LAN tries to go anywhere on the outside; other networks won't hit this rule and won't be able to access the internet.

Hope this helps.

Mike

Thanks Maykol,

but I have been doing that.

The problem with using that kind of network object is that the whole range could get access to the internet.

I would like to use a network object like this:

object-group network INTERNET_ACCESS
 network-object host X.X.X.X
 network-object host Y.Y.Y.Y
 network-object host Z.Z.Z.Z

In this way it will be easy to add or remove access for a specific host,

but with NAT I can't use this kind of object unless, as you said, an IP or IP range is defined.

I know that access could be allowed host by host, but I would have to write at least more than 80 lines.

So, what could be an alternative way, in order to avoid host-by-host access configuration?

Best regards

Miguel

Miguel,

If you look at the ACL on the NAT, it contains the object group; you can use the object group you mention as well. Whatever is inside that object is going to be NATted to the public IP in order to access the internet. In case you want to add more hosts, you will only need to add them to the object group.

If you have any doubts, let me know, I will be more than glad to clarify them.

Cheers

Mike

Mike,

First, my ASA is a 5540, version 8.2.

I have tried your suggestion, but another problem happens. I am not an ASA expert, so I have to use ASDM software version 6.2 to do all the configs.

Let me explain.

First I created a network object group, and I put inside it the machines of my LAN that I want to allow to the internet.

After that I created an access rule allowing traffic: source "my network object group", from the LAN interface to ANY.

On NAT rules I used the option "dynamic policy NAT rule" and created the following rule:

source interface LAN, source "my network object group", destination any, translated to my internet interface.

But the problem now is that I have lost communication from the LAN zone to the DMZ zone, and there is no problem from outside to the DMZ.

I have returned to my old config because many LAN users need access to the DMZ.

I can't figure out what the problem was, because I have not made any change on the DMZ rules, just the access rule and the NAT rule

from LAN to outside.

Thanks in advance for any help or suggestion.

Miguel

Hi,

To that, please add a static self translation from inside to DMZ. Use the same inside network as both the translated and the real address. That will take precedence over the internet one. Then you should be able to access the internet with the policy NAT and the DMZ with the static self translation.

Cheers.

Mike

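As an added example (not from any poster in this thread), here is what the complete suggestion looks like in ASA 8.2 CLI syntax: a host-based object group driving dynamic policy NAT to the outside, plus the static identity (self) translation toward the DMZ. In 8.2 there is no `object network` (that arrived in 8.3), so group members are listed directly; the interface names, the 10.10.10.0/24 LAN, the 172.16.1.0/24 DMZ and the member host addresses are assumed placeholders.

```cisco
! Added example, not from the thread. ASA 8.2 syntax; addresses are placeholders.
! Hosts allowed direct internet access: add or remove members here only.
object-group network INTERNET_ACCESS
 network-object host 10.10.10.21
 network-object host 10.10.10.22
 network-object host 10.10.10.23
!
! Policy NAT ACL: only group members going anywhere match this rule.
access-list Internet_Policy_NAT extended permit ip object-group INTERNET_ACCESS any
!
! Dynamic policy NAT for the members; non-members never match NAT ID 10.
nat (inside) 10 access-list Internet_Policy_NAT
global (outside) 10 interface
!
! Static identity (self) translation inside -> dmz. In 8.2, static entries are
! evaluated before dynamic policy NAT, so LAN-to-DMZ traffic is not PATted to
! the outside address and DMZ reachability survives the internet policy NAT.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Interface ACL (assumed name): once an ACL is bound, everything not listed is
! denied, so LAN-to-DMZ must be permitted explicitly, then the members to any.
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit ip object-group INTERNET_ACCESS any
access-group inside_access_in in interface inside
!
! Verification: trace one DMZ flow and one internet flow from a member host.
packet-tracer input inside tcp 10.10.10.21 1025 172.16.1.10 80
packet-tracer input inside tcp 10.10.10.21 1025 203.0.113.10 80
```

The two `packet-tracer` runs show which NAT entry each flow hits: the DMZ-bound packet should report the `static` identity rule, the internet-bound one the `nat (inside) 10` policy rule, and a non-member source toward the internet should end in a NAT drop.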