07-12-2008 12:30 PM - edited 03-11-2019 06:13 AM
Which is the better way to deny certain IP addresses on the inside interface access to the internet:
1. Do not set up the specific IP addresses with NAT rules.
2. Create an ACL to deny access for the specific network addresses.
07-12-2008 04:35 PM
I would have a different approach.
You could create a network object group called internet access and add to that group the hosts that will be permitted internet; you would then just need to add a host to the object group, or remove the host, for no internet. I think it is much easier this way than having many access lists per host IP, or many NAT statements.
example
object-group network Subnet_20.20.20.0
 description Outbound_Internet
 network-object host 20.20.20.20
 network-object host 20.20.20.21
and so on ..
create a single access list allowing outbound internet access
access-list inside_access_in permit ip object-group Subnet_20.20.20.0 any
access-group inside_access_in in interface inside
or you could reverse the above to block internet access with a deny access-list, adding hosts to the group for no internet.
HTH
Jorge
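Both variants of the approach above written out in full, as an added example from the editor rather than configuration from the original post. It assumes ASA/PIX 7.x-8.2 syntax (pre-8.3 object model, as in the thread), and the addresses, group names and the 192.168.50.0/24 DMZ subnet are placeholders. Only one of the two access lists would be bound to the inside interface at a time.

```cisco
! Added example (editor's, not from the original post). Assumed: ASA/PIX 7.x-8.2
! syntax; 10.0.0.0/24 inside hosts and 192.168.50.0/24 DMZ are placeholders.

! --- Variant A: allow-list. Only group members get outbound internet. ---
object-group network Internet_Allowed
 description Hosts permitted outbound internet access
 network-object host 10.0.0.20
 network-object host 10.0.0.21

access-list inside_access_in extended permit ip object-group Internet_Allowed any
! Once an ACL is bound to the interface, the default "higher security to lower
! security" permit no longer applies: everything not matched above is dropped by
! the implicit deny at the end, including traffic to the DMZ. Make the final
! deny explicit and log it so blocked hosts that try to get out show up in
! syslog.
access-list inside_access_in extended deny ip any any log

access-group inside_access_in in interface inside

! --- Variant B: deny-list. Everyone gets out except group members. ---
object-group network Internet_Denied
 description Hosts blocked from outbound internet access
 network-object host 10.0.0.30

! Entries are evaluated top-down and the first match wins, so anything a denied
! host must still reach (here an assumed DMZ subnet) is permitted before the
! deny, and the deny sits above the general permit.
access-list inside_access_in_denylist extended permit ip object-group Internet_Denied 192.168.50.0 255.255.255.0
access-list inside_access_in_denylist extended deny ip object-group Internet_Denied any log
access-list inside_access_in_denylist extended permit ip any any

! Apply this instead of Variant A (an interface takes one inbound ACL):
! access-group inside_access_in_denylist in interface inside
```

Variant A is the safer default (fail closed: a host not added to the group cannot get out), while Variant B matches the "block a few hosts" wording of the question. In either case, adding or removing a `network-object host` line is the only change needed for day-to-day maintenance, and `show access-list inside_access_in` shows per-entry hit counts, which is a quick way to confirm that a denied host is in fact hitting the deny entry.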
07-12-2008 04:32 PM
Hi, here I would suggest you create an access-list, or you can go with an AAA server.
07-12-2008 04:42 PM
yeah you can...
07-12-2008 06:19 PM
Thanks Jorge - I had been using NAT statements to permit/deny IP access, but while at first these were quite simple, as requirements have changed over time the list has grown and looks messy. To keep the NAT statements simple I had even considered changing the IP addresses of devices, but unfortunately this isn't feasible.
I like your solution as it will provide a single location from which to maintain all internet access.
I guess it will also alert me to any denied devices that may be trying to access the internet.
While not a problem for me, is there any potential impact on performance from using ACLs over omitting addresses from NAT statements?