10-31-2013 08:14 AM - edited 03-11-2019 07:58 PM
What is the proper config to allow a single outside addr access to every device to multiple ports on an inside network?
We have a vendor that supports our access points and other wifi related devices at one of our remote sites.
The only subnet in use at this site is the inside network with subnet 192.168.223.0/24
I am hoping I do not need to create a static entry for every device and every port because there are a lot!
This is what I have in the 5505 ios 8.2 to allow them to access.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.223.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
route inside 192.168.223.0 255.255.255.0 192.168.223.254 1
name 99.99.99.99 vendor
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended deny ip host vendor host 192.168.223.251
access-list outside_access_in_1 extended permit tcp host vendor any object-group xxx
access-list outside_access_in_1 extended permit udp host vendor any object-group xxx
global (outside) 1 100.100.100.3 netmask 255.255.255.0
nat (inside) 1 192.168.223.0 255.255.255.0
access-group outside_access_in_1 in interface outside
None of the inside devices need to initiate access to go outside. All of the traffic these inside devices generate goes to the 192.168.223.251 device which is a server with dual connected NICs.
10-31-2013 08:42 AM
Hi,
If the Vendor doesn't have any existing connection to your network and wants to connect to your internal network devices through the Internet then every device would need a public IP address. But this isn't really an option with so many devices.
I would suggest that you either provide the Vendor access to your network through a VPN Client connection or better yet configure a L2L VPN connection between your site and the Vendor site.
This would enable the Vendor to connect to your devices with their actual IP addresses.
You could control the Vendor access either with a VPN Filter ACL specific to their VPN connection or use an interface ACL to control this traffic provided that some other settings were also changed.
But as I said, if the Vendor is attempting to connect through the Internet without any VPN connection then every device would need its own public IP address OR you would have to have a DMZ server to which the Vendor connects and the Vendor would have limited access through the DMZ Server to the devices required.
Hope this helps
- Jouni
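As an added illustration of the L2L VPN plus VPN filter approach Jouni describes (example configuration, not the poster's or Jouni's own), here is what the relevant ASA 8.2 pieces could look like. It assumes the vendor terminates the tunnel on 99.99.99.99 (already named "vendor" in the posted config), that the vendor's management hosts sit in a hypothetical 10.99.0.0/24, and that object-group xxx already lists the allowed service ports.

```cisco
! Added example (not the poster's config): L2L IPsec tunnel to the vendor on
! ASA 8.2 with a vpn-filter that limits what the vendor can reach.
! Assumptions (hypothetical): vendor peer 99.99.99.99, vendor management hosts
! in 10.99.0.0/24, object-group xxx = allowed TCP/UDP service ports.
!
! vpn-filter ACLs are written with the remote (vendor) side as the source and
! the local network as the destination; the ASA applies them in both directions.
access-list VENDOR_VPN_FILTER extended deny ip 10.99.0.0 255.255.255.0 host 192.168.223.251
access-list VENDOR_VPN_FILTER extended permit tcp 10.99.0.0 255.255.255.0 192.168.223.0 255.255.255.0 object-group xxx
access-list VENDOR_VPN_FILTER extended permit udp 10.99.0.0 255.255.255.0 192.168.223.0 255.255.255.0 object-group xxx
!
! Interesting traffic for the tunnel (local -> remote perspective).
access-list VENDOR_L2L extended permit ip 192.168.223.0 255.255.255.0 10.99.0.0 255.255.255.0
!
! Exempt tunnel traffic from the existing dynamic NAT (8.2 syntax).
access-list NONAT extended permit ip 192.168.223.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Group policy carrying the filter, bound to the vendor's tunnel group.
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-filter value VENDOR_VPN_FILTER
 vpn-tunnel-protocol IPSec
!
tunnel-group 99.99.99.99 type ipsec-l2l
tunnel-group 99.99.99.99 general-attributes
 default-group-policy VENDOR_GP
tunnel-group 99.99.99.99 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! Phase 1 / Phase 2 and the crypto map on the outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set VENDOR_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VENDOR_L2L
crypto map OUTSIDE_MAP 10 set peer 99.99.99.99
crypto map OUTSIDE_MAP 10 set transform-set VENDOR_TS
crypto map OUTSIDE_MAP interface outside
!
! Decrypted VPN traffic bypasses the interface ACL; the vpn-filter still applies.
sysopt connection permit-vpn
```

With sysopt connection permit-vpn in place, the vpn-filter is the control that keeps the vendor to the listed ports and away from 192.168.223.251; "show vpn-sessiondb l2l" and "show access-list VENDOR_VPN_FILTER" can be used to confirm the tunnel is up and the filter is matching.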
10-31-2013 12:05 PM
Jouni
Thanks for the response.
I think the VPN tunnel is the best idea.