IP which only allowed for PAT

Machi Ma (Level 1)

Hello,

I am looking for an example that allows only some of the IPs belonging to INSIDE to use the PAT method to access the Internet.

With reference to this URL:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#pgfId-1455942

It is talking about the whole 192.168.2.0/24 subnet.

-------

The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
-------

I would like to check how it should be configured if only part of the IPs belonging to 192.168.2.0/24 are allowed to be PATed to the Internet and the others are denied. Do I need to create an additional ACL?

Thanks!

Jouni Forss (VIP Alumni)

Hi,

You might be better off limiting the mentioned hosts from connecting to the Internet in the interface ACL rather than making a special NAT configuration that determines whether a host can connect to the Internet.

If you want to control which hosts get NATed, then you could use the Manual NAT / Twice NAT configuration instead of the above Auto NAT / Network Object NAT.

An example could look something like this:

object-group network PAT-SOURCE-HOSTS
 network-object host <host1 ip>
 network-object host <host2 ip>
 network-object host <host3 ip>

nat (inside,outside) after-auto source dynamic PAT-SOURCE-HOSTS interface

You can then add addresses directly under the "object-group" or remove them when needed.

You could naturally use small subnets instead of the host addresses in the above example if all the users are from a certain range of the subnet you mentioned. You will also have to make sure that there is no other NAT configuration on your ASA that would apply to the users.

The above Manual NAT / Twice NAT is in the lowest section, Section 3 (priority of NAT configuration), because it has "after-auto" as a part of the "nat" command.

Hope this helps :)

 

- Jouni
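As an added worked example (not part of the original post or of Cisco's documentation), the following ASA 9.x configuration puts the reply's two pieces of advice together: the host list, the Section 3 (after-auto) manual PAT rule, removal of the subnet-wide object NAT from the original example (which sits in Section 2 and would otherwise match first, so the after-auto rule would never be reached), and an inside interface ACL so that the hosts outside the list are actually dropped rather than just left untranslated. The host addresses, the ACL name INSIDE-IN and the destination used in packet-tracer are assumptions for illustration.

```text
! Hosts allowed to reach the Internet through PAT (addresses are assumed).
! Individual hosts and a small sub-range can be mixed in the same group.
object-group network PAT-SOURCE-HOSTS
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 network-object 192.168.2.32 255.255.255.240

! Remove the subnet-wide Auto NAT (Section 2) from the original example.
! If it stays, it matches all of 192.168.2.0/24 first and the after-auto
! rule below is never consulted for these hosts.
object network my-inside-net
 no nat (inside,outside) dynamic interface

! Section 3 (after-auto) Manual NAT / Twice NAT: only members of the group
! are PATed behind the outside interface address.
nat (inside,outside) after-auto source dynamic PAT-SOURCE-HOSTS interface

! Interface ACL on inside. ASA 8.3+ has no nat-control, so a host that
! matches no NAT rule is still forwarded with its private address; the
! deny below is what actually blocks the other hosts. Inside-to-DMZ or
! other internal traffic needs its own permit lines placed above the deny.
access-list INSIDE-IN extended permit ip object-group PAT-SOURCE-HOSTS any
access-list INSIDE-IN extended deny ip 192.168.2.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

! Verification (198.51.100.1 is a documentation address, assumed here):
! 192.168.2.10 should show the after-auto rule in the NAT phase,
! 192.168.2.200 should be dropped in the ACCESS-LIST phase.
show nat detail
packet-tracer input inside tcp 192.168.2.10 1025 198.51.100.1 80
packet-tracer input inside tcp 192.168.2.200 1025 198.51.100.1 80
```

The `show nat detail` output lists the rules by section with their hit counters; if the after-auto rule shows zero translate_hits while traffic from a listed host is flowing, another rule in Section 1 or 2 is still matching it, which is the "other NAT configuration" caveat in the reply.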
