Internet access control for cloud app

jima
Level 1

I have an ASA 5505 and have a need to keep a range of IP addresses pointed to a cloud-based app. Is there a way to control where they can go on the net using ACLs or some other method?

Thanks.


15 Replies

Jennifer Halim
Cisco Employee

Yes, you can, using NAT with an access-list.

Can you share more information on the cloud app IP addresses, and also which internal subnet you would like to NAT to a specific IP address when traffic is destined to the cloud application, and what IP address would you like to NAT it to?

The IP is 207.x.x.x and I have 10 PCs that have DHCP-assigned addresses, but they can be excluded, reserved or static: 192.168.1.50-.100.

OK, so assuming that this is only for outbound connection towards the cloud, and you would like to PAT it to 207.x.x.x, here is the config:

access-list nat-to-cloud permit ip 192.168.1.0 255.255.255.0 host 207.x.x.x

nat (inside) 2 access-list nat-to-cloud

global (outside) 2 207.x.x.x

Then "clear xlate" after the changes.

Hope that helps.

Do I need an access-group command also?

Jim Avitable, MCSA, CCNA, Security +


The access-list that I advised earlier is to be applied to the NAT statement.

Do you have any existing access-list applied to your inside interface? If you do, and it hasn't allowed outbound access to the Internet, then you would need to add that; otherwise, if it is already allowing outbound access to the Internet, you don't have to add anything else.

I want to allow about 10 users to have full internet access but only allow another 10 users (static IPs) to only have access to the cloud app. Can I do that by using an IP range like 192.168.1.80-100?

config file is attached.

Thanks for your help.

Ahhh, ok, now I understand your requirement.

Let me just rephrase and see if that is the correct assumption:

- You would like a specific range of users (eg: 192.168.1.80-100) to only have access to this cloud-based application on the Internet, but nothing else.

- While the rest of the users, you would like to have full internet access.

If the above assumptions are correct, here is what you can configure:

1) Let's pick a contiguous subnet so it's easier to write the access-list: say 192.168.1.80 - 192.168.1.95 (that gives you 16 addresses, with subnet of 255.255.255.240), or if you would like more addresses, you can go for 32 addresses (192.168.1.80 - 192.168.1.111).

2) Your current "inside_access_in" access-list is permitting all outbound users to the Internet, so we need to configure access-list entries above the current "permit ip any any" for this cloud-based application (it would be best if you know the port that this cloud-based application uses, so we can be more specific when allowing access). Again, let me assume that it uses TCP/80. Here is an example of what we need to configure:

access-list inside_access_in line 1 extended deny ip 192.168.1.80  255.255.255.240 any

access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 80

After you configure the above access-list lines in that order, the bottom line will appear at the top, the top line will become the second line, and your last line will be your existing "permit ip any any", which is the correct order. If you check the output of "show access-list inside_access_in", it should be in the following order:

access-list inside_access_in extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 80

access-list inside_access_in extended deny ip 192.168.1.80 255.255.255.240 any

access-list inside_access_in extended permit ip any any

Hope that makes sense. Please confirm the cloud-based application IP address and port, and also the internal subnet that you only want to have access to this cloud-based app, and I can provide you with the exact commands.

BTW, if you want exactly 10 internal IP addresses to have the access, we can also do that by grouping them with an object-group. Let me know exactly which IPs, and I can help with the commands.

Yes you are correct in your understanding of what I need to do. We can use 192.168.1.80-192.168.1.95 as you suggested, with a subnet of 255.255.255.240.

The Application is using port 5432 for database activity and port 80 for updating.

access-list inside_access_in line 1 extended deny ip 192.168.1.80 255.255.255.240 any

access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 5432

It means that it will allow access to 207.x.x.x and deny all others from that subnet.

Am I correct? How does the use of port 80 for updating affect this?

Thanks.

Correct...

You can add the following for port 80 after adding the other 2 lines advised earlier:

access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 80

For confirmation, once you have configured all the access-list lines, please feel free to share the output of "show access-list inside_access_in" to double confirm.
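The ACL that results from the three "line 1" insertions above is evaluated top-down, first match wins, with an implicit deny at the end. The following is an added example, not code from this thread or from Cisco: a small Python model of that evaluation, built from the thread's final ACL (permit TCP/80 and TCP/5432 from 192.168.1.80/28 to the cloud host, deny everything else from that /28, permit any any for the rest). It also builds a misordered variant to show why the deny must sit below the permits. The name `inside_access_in`, the test addresses, and the stand-in value 207.0.0.1 for the thread's masked 207.x.x.x are assumptions.

```python
# Added example (not from the thread): models ASA interface ACL evaluation
# (top-down, first match wins, implicit deny) and "access-list NAME line 1 ..."
# insertion. CLOUD_HOST is a stand-in for the masked 207.x.x.x in the thread.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

CLOUD_HOST = "207.0.0.1"       # assumed stand-in for 207.x.x.x
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    # ASA ACLs take a real netmask (255.255.255.240), not a wildcard mask
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


class AccessList:
    def __init__(self) -> None:
        self.entries: List[Ace] = []

    def add(self, ace: Ace, line: Optional[int] = None) -> None:
        # "line N" inserts before the current Nth entry (existing ones shift down);
        # without a line number the entry is appended at the bottom.
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)

    def lookup(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        # First matching entry decides; an ACL with no match denies implicitly.
        for ace in self.entries:
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"


RESTRICTED = net("192.168.1.80", "255.255.255.240")   # .80 - .95


def build_inside_access_in() -> AccessList:
    # Same command sequence as the thread: start with the existing
    # "permit ip any any", then three "line 1" insertions.
    acl = AccessList()
    acl.add(Ace("permit", "ip", ANY, ANY))
    acl.add(Ace("deny", "ip", RESTRICTED, ANY), line=1)
    acl.add(Ace("permit", "tcp", RESTRICTED, net(CLOUD_HOST), 5432), line=1)
    acl.add(Ace("permit", "tcp", RESTRICTED, net(CLOUD_HOST), 80), line=1)
    return acl


def build_misordered() -> AccessList:
    # Same entries, but the deny ends up above the permits (e.g. the permits
    # were added without "line 1"), so the cloud traffic is blocked.
    acl = AccessList()
    acl.add(Ace("permit", "ip", ANY, ANY))
    acl.add(Ace("deny", "ip", RESTRICTED, ANY), line=1)
    acl.add(Ace("permit", "tcp", RESTRICTED, net(CLOUD_HOST), 5432), line=2)
    acl.add(Ace("permit", "tcp", RESTRICTED, net(CLOUD_HOST), 80), line=2)
    return acl


def render(acl: AccessList, name: str = "inside_access_in") -> List[str]:
    # Approximates the order shown by "show access-list inside_access_in".
    lines = []
    for a in acl.entries:
        dst = "any" if a.dst == ANY else f"host {a.dst.network_address}"
        src = "any" if a.src == ANY else f"{a.src.network_address} {a.src.netmask}"
        port = f" eq {a.dport}" if a.dport is not None else ""
        lines.append(f"access-list {name} extended {a.action} {a.proto} {src} {dst}{port}")
    return lines


if __name__ == "__main__":
    acl = build_inside_access_in()
    print("\n".join(render(acl)))
    print(acl.lookup("tcp", "192.168.1.85", CLOUD_HOST, 5432))   # permit
    print(acl.lookup("udp", "192.168.1.85", "8.8.8.8", 53))      # deny
```

Two things the model makes visible that the thread does not spell out: the restricted /28 covers only .80 through .95, so a host at 192.168.1.96 still gets full Internet access; and because the deny line is "deny ip ... any", the restricted hosts also lose DNS, NTP and similar traffic through the ASA, so if the application is reached by hostname those hosts need a local resolver or an additional permit for UDP/53 placed above the deny.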

Entered the commands and here is the result:

Thanks,

Excellent, looks perfect to me.

'Then "clear xlate" after the changes.'

This is not technically accurate; it depends on the version of code he is running on the ASA. There is a "bug" in some versions of the ASA code where "clear xlate" will do nothing. A better command would be "clear local-host".

Why exactly must I do the "clear xlate" or "clear local-host" command? It seems to be working fine.

Thanks.
