02-09-2011 07:55 PM - edited 03-11-2019 12:48 PM
I have an ASA 5505 and need to keep a range of IP addresses pointed to a cloud-based app. Is there a way to control where they can go on the net using ACLs or some other method?
Thanks.
02-09-2011 07:58 PM
Yes, you can, using the NAT with access-list.
Can you share more information on the cloud app IP addresses, and also which internal subnet you would like to NAT to a specific IP address when traffic is destined to the cloud application, and what IP address would you like to NAT it to?
02-10-2011 03:43 PM
The IP is 207.x.x.x and I have 10 PCs that have DHCP-assigned addresses, but they can be excluded, reserved or static: 192.168.1.50-.100.
02-10-2011 05:40 PM
OK, so assuming that this is only for outbound connections towards the cloud, and you would like to PAT it to 207.x.x.x, here is the config:
access-list nat-to-cloud permit ip 192.168.1.0 255.255.255.0 host
nat (inside) 2 access-list nat-to-cloud
global (outside) 2 207.x.x.x
Then "clear xlate" after the changes.
Hope that helps.
02-10-2011 07:10 PM
Do I need an access-group command also?
Jim Avitable, MCSA, CCNA, Security +
02-10-2011 07:14 PM
The access-list that I advised earlier is to be applied to the NAT statement.
Do you have any existing access-list applied to your inside interface? If you do, and it hasn't allowed outbound access to the Internet, then you would need to add that; otherwise, if it is already allowing outbound access to the Internet, you don't have to add anything else.
02-16-2011 08:26 AM
02-16-2011 03:18 PM
Ahhh, ok, now I understand your requirement.
Let me just rephrase and see if that is the correct assumption:
- You would like a specific range of users (e.g. 192.168.1.80-100) to only have access to this cloud-based application on the Internet, but nothing else.
- The rest of the users should have full Internet access.
If the above assumptions are correct, here is what you can configure:
1) Let's pick a contiguous subnet so it's easier to write the access-list: say 192.168.1.80 - 192.168.1.95 (that gives you 16 addresses, with subnet of 255.255.255.240), or if you would like more addresses, you can go for 32 addresses (192.168.1.80 - 192.168.1.111).
2) Your current "inside_access_in" access-list is permitting all outbound users to the Internet, so we need to configure access-list entries above the current "permit ip any any" for this cloud-based application (it would be best if you know the port that this cloud-based application uses so we can be more specific when allowing access). Again, let me assume that it uses TCP/80. Here is an example of what we need to configure:
access-list inside_access_in line 1 extended deny ip 192.168.1.80 255.255.255.240 any
access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host
After you configure the above access-list entries in that order, the bottom line will appear at the top, the top line will become the second line, and your last line will be your existing "permit ip any any", which is the correct order. If you check the output of "show access-list inside_access_in", it should be in the following order:
access-list inside_access_in extended permit tcp 192.168.1.80 255.255.255.240 host
access-list inside_access_in extended deny ip 192.168.1.80 255.255.255.240 any
access-list inside_access_in extended permit ip any any
Hope that makes sense. Please confirm the cloud-based application IP address and port, and also the internal subnet that you only want to have access to this cloud-based app, and I can provide you with the exact commands.
02-16-2011 03:20 PM
BTW, if you only want exactly 10 internal IP addresses to have the access, we can also do that by grouping them with an object-group. Let me know exactly which IPs, and I can help with the commands.
02-17-2011 09:58 AM
Yes you are correct in your understanding of what I need to do. We can use 192.168.1.80-192.168.1.95 as you suggested, with a subnet of 255.255.255.240.
The Application is using port 5432 for database activity and port 80 for updating.
access-list inside_access_in line 1 extended deny ip 192.168.1.80 255.255.255.240 any
access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 5432
It means that it will allow access to 207.x.x.x and deny all others from that subnet.
Am I correct? How does the use of port 80 for updating affect this?
Thanks.
02-17-2011 03:04 PM
Correct...
You can add the following for port 80 after adding the other 2 lines advised earlier:
access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 80
For confirmation, once you have configured all the access-list lines, please feel free to share the output of "show access-list inside_access_in" to double confirm.
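As an added example (not from this thread or from Cisco), here is a small Python simulation of how the ASA evaluates the finished inside_access_in list described above: each "line 1" command inserts its entry at 1-based position 1, so the three inserts typed in the order given end up reversed above the existing "permit ip any any", and the first matching entry wins. It assumes 203.0.113.10 as a stand-in for the redacted 207.x.x.x, and its parser is a hypothetical one that covers only the ACE syntax used in this thread. Besides confirming the intended permit/deny results, it checks two things worth verifying on the real box: typing the same lines without "line 1" appends them below "permit ip any any" so the restriction silently never applies, and hosts in 192.168.1.80/28 lose everything else including DNS, so if they resolve the application by name, a permit for the resolver has to sit above the deny line.

```python
"""ASA-style first-match ACL simulator (added example, not ASA code)."""
import ipaddress

# Stand-in for the thread's redacted 207.x.x.x (assumption; RFC 5737 documentation range).
CLOUD_APP = "203.0.113.10"
RESTRICTED = "192.168.1.80 255.255.255.240"  # 192.168.1.80-95, as agreed in the thread


def _parse_addr(tok, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (ASA uses real masks, not wildcards)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(cmd):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT]' (thread syntax only)."""
    tok = cmd.split()
    if tok[0] != "access-list" or "extended" not in tok:
        raise ValueError(f"unsupported ACE: {cmd}")
    name, i, line_no = tok[1], 2, None
    if tok[i] == "line":
        line_no, i = int(tok[i + 1]), i + 2
    i += 1  # skip 'extended'
    action, proto = tok[i], tok[i + 1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"missing action or protocol in: {cmd}")  # catches 'deny 192.168.1.80 ...'
    src, i = _parse_addr(tok, i + 2)
    dst, i = _parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"name": name, "line": line_no, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def apply(acl, cmd):
    """Mimic the ASA: 'line N' inserts at 1-based position N, otherwise the ACE is appended."""
    ace = parse_ace(cmd)
    if ace["line"] is None:
        acl.append(ace)
    else:
        acl.insert(ace["line"] - 1, ace)
    return acl


def evaluate(acl, src, dst, proto, dport=None):
    """First matching ACE wins; no match falls through to the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"


def _fmt(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def show_access_list(acl):
    """Render roughly what 'show access-list NAME' prints, in evaluation order."""
    out = []
    for a in acl:
        line = f"access-list {a['name']} extended {a['action']} {a['proto']} {_fmt(a['src'])} {_fmt(a['dst'])}"
        if a["port"] is not None:
            line += f" eq {a['port']}"
        out.append(line)
    return out


EXISTING = "access-list inside_access_in extended permit ip any any"
THREAD_COMMANDS = [  # the three 'line 1' inserts, typed in the order the thread gives them
    f"access-list inside_access_in line 1 extended deny ip {RESTRICTED} any",
    f"access-list inside_access_in line 1 extended permit tcp {RESTRICTED} host {CLOUD_APP} eq 5432",
    f"access-list inside_access_in line 1 extended permit tcp {RESTRICTED} host {CLOUD_APP} eq 80",
]


def build_inside_access_in():
    """Existing permit-any ACL plus the thread's three inserts at line 1."""
    acl = apply([], EXISTING)
    for cmd in THREAD_COMMANDS:
        apply(acl, cmd)
    return acl


def build_without_line_keyword():
    """Same ACEs typed without 'line 1': they land below 'permit ip any any' and never match."""
    acl = apply([], EXISTING)
    for cmd in THREAD_COMMANDS:
        apply(acl, cmd.replace(" line 1", ""))
    return acl


if __name__ == "__main__":
    acl = build_inside_access_in()
    print("\n".join(show_access_list(acl)))
    for flow in [("192.168.1.85", CLOUD_APP, "tcp", 5432),  # app database traffic
                 ("192.168.1.85", CLOUD_APP, "tcp", 80),    # app updates
                 ("192.168.1.85", CLOUD_APP, "tcp", 443),   # not listed, so it hits the deny
                 ("192.168.1.85", "8.8.8.8", "udp", 53),    # DNS from the restricted range is denied too
                 ("192.168.1.96", "8.8.8.8", "tcp", 443),   # first address outside the /28
                 ("192.168.1.50", "8.8.8.8", "tcp", 443)]:  # unrestricted user
        print(flow, "->", evaluate(acl, *flow))
```

Running it prints the four entries in the order the answer above predicts (permit eq 80, permit eq 5432, deny, permit any) and the verdict for each constructed flow; compare that rendering against the real "show access-list inside_access_in" output, and add a permit for the DNS resolver above the deny if the restricted hosts need name resolution.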
02-21-2011 08:55 AM
02-21-2011 02:23 PM
Excellent, looks perfect to me.
02-21-2011 04:40 PM
'Then "clear xlate" after the changes.'
This is not technically accurate. Depending on the version of the code he is running on the ASA, there is a "bug" in some versions of the ASA where "clear xlate" will do nothing. A better command would be "clear local-host".
02-22-2011 06:47 PM
Why exactly must I do the "clear xlate" or "clear local-host" command? It seems to be working fine.
Thanks.