09-08-2013 03:16 AM - edited 03-11-2019 07:35 PM
Cisco 2901 ISR
I need help with my configuration. Although it is working fine, it is not secure because everybody can access the Internet.
I want to deny this IP range and permit only the TMG server to have an Internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
09-08-2013 03:42 AM
Hi,
ip access-list extended 101
5 permit ip host 10.25.7.136 any
no 10
This way you'll only NAT this host and not the others, so they won't be able to get to the Internet.
Regards
Alain
Don't forget to rate helpful posts.
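Alain's change can be checked offline, without a router. The Python script below is an added example, not code from this thread or from Cisco: it implements IOS wildcard-mask matching and first-match ACL evaluation with the implicit deny at the end, then runs the original access-list 101 and the fixed one against the TMG address from the thread plus a few constructed client addresses. It does not model access-list 105, because the configuration shown never applies that list to an interface or NAT statement.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def evaluate_acl(acl, src):
    """Return the action of the first entry (by sequence number) matching src.
    Every IOS ACL ends with an implicit 'deny any'."""
    for _seq, action, network, wildcard in sorted(acl):
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

# Original access-list 101 from the thread. IOS gives the first entry
# sequence number 10 by default, which is why 'no 10' removes it.
ORIGINAL_101 = [(10, "permit", "10.25.0.0", "0.0.255.255")]

def apply_fix(acl):
    """Alain's edit: '5 permit ip host 10.25.7.136 any' then 'no 10'.
    'host X' is shorthand for wildcard 0.0.0.0 (exact match)."""
    fixed = [entry for entry in acl if entry[0] != 10]            # no 10
    fixed.append((5, "permit", "10.25.7.136", "0.0.0.0"))         # 5 permit ip host ...
    return fixed

FIXED_101 = apply_fix(ORIGINAL_101)

# Constructed sample sources; only the first and last come from the thread.
SAMPLE_SOURCES = {
    "10.25.7.136": "TMG server external interface (from the thread)",
    "10.25.0.50": "client in the first range the poster wants blocked",
    "10.25.1.200": "client in the second range the poster wants blocked",
    "10.25.7.140": "another host in the TMG's /26",
    "10.25.51.10": "TMG internal LAN address (from the thread)",
}

def nat_decisions(acl):
    """Map each sample source to whether NAT list 101 would translate it."""
    return {src: evaluate_acl(acl, src) for src in SAMPLE_SOURCES}

if __name__ == "__main__":
    for name, acl in (("original 101", ORIGINAL_101), ("fixed 101", FIXED_101)):
        print(name)
        for src, verdict in nat_decisions(acl).items():
            print(f"  {src:<14} {verdict:<6} {SAMPLE_SOURCES[src]}")
```

With the original list every 10.25.x.x source is translated; with the fixed list only 10.25.7.136 is, which is the behaviour Alain describes.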
09-08-2013 04:09 AM
I already used this command before, but it didn't work. The Internet is disconnected.
09-09-2013 01:26 AM
Hi,
Do you mean other hosts can't get to the Internet, or that this host can't ping 8.8.8.8?
Just make sure your clients are configured to use the proxy to get to the Internet, then try to ping 8.8.8.8 from one of these clients and look at the NAT table with sh ip nat translation on the router.
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 03:39 AM
Hello,
The host can't get an Internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to:
ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG Server.
09-09-2013 07:00 AM
Hi,
Does the TMG server know how to get to the Internet? Has it got a default route pointing towards the router?
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 09:33 AM
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
TMG server
external lan 10.25.7.136 255.255.255.192
internal lan 10.25.51.10 255.255.255.0