cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
509
Views
0
Helpful
6
Replies

Need help for access list problem

joel.palen
Level 1
Level 1

Cisco 2901 ISR

I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet

I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.

Anybody can help?

         DENY       10.25.0.1 – 10.25.0.255

                          10.25.1.1 – 10.25.1.255

Permit only 1 host for Internet

                10.25.7.136  255.255.255.192 ------ TMG Server

Using access-list.

( Current configuration  )

object-group network IP

description Block_IP

range 10.25.0.2 10.25.0.255

range 10.25.1.2 10.25.1.255

interface GigabitEthernet0/0

ip address 192.168.2.3 255.255.255.0

ip nat inside

ip virtual-reassembly in max-fragments 64 max-reassemblies 256

duplex auto

speed auto

interface GigabitEthernet0/1

description ### ADSL WAN Interface ###

no ip address

pppoe enable group global

pppoe-client dial-pool-number 1

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

interface Dialer1

description ### ADSL WAN Dialer ###

ip address negotiated

ip mtu 1492

ip nat outside

no ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username xxxxxxx password 7 xxxxxxxxx

ip nat inside source list 101 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.25.0.0 255.255.0.0 192.168.2.1

access-list 101 permit ip 10.25.0.0 0.0.255.255 any

access-list 105 deny   ip object-group IP any

From the 4500 Catalyst switch

( Current Configuration )

interface GigabitEthernet0/48

no switchport

ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42

ip route 0.0.0.0 0.0.0.0 192.168.2.3

6 Replies 6

cadet alain
VIP Alumni
VIP Alumni

Hi,

ip access-list extended 101

5 permit ip host 10.25.7.136 any

no 10

This way you'll only NAT this host an not the others so they won't be able to get to the Internet.

Regards

Alain

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

I already use this command before, but it didn't work. The internet is disconnected.

Hi,

you mean other hosts can't get to Internet or this host can't ping 8.8.8.8 ?

Just make sure your clients are configured to use the proxy to get to internet and try to ping 8.8.8.8 from one of these clients and look  at the NAT table with sh ip nat translation on the router.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hello,

Host will can't get internet connection

I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any

and change the configuration ....      ip access-list extended 101

                                                            5 permit ip host 10.25.7.136 any

In this case I will allow only host 10.25.7.136 but it isn't work.

No internet connection from the TMG Server.

Hi,

Does the TMG server know how to get to the internet? Has it got a default route pointing towards the router ?

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

From the 4500 Catalyst switch

( Current Configuration )

interface GigabitEthernet0/48

no switchport

ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42

ip route 0.0.0.0 0.0.0.0 192.168.2.3

TMG server

external lan 10.25.7.136 255.255.255.192

internal lan 10.25.51.10 255.255.255.0

Review Cisco Networking for a $25 gift card