01-09-2008 12:50 AM - edited 03-11-2019 04:45 AM
I have two subnets. I want to allow a few users on these subnets to browse the internet, not all users. I have made an access-list:
access-list browsing extended permit ip host 172.28.33.30 any
access-list browsing extended permit ip host 172.28.86.0 any
nat (inside) 6 access-list browsing
global (outside) 6 interface
I am not able to see a hit count, and I don't see any entry in xlate or conn.
Please help me out. This is a simple configuration and I don't know where I am making a mistake.
01-09-2008 01:01 AM
Hi
Can you post the other NAT configurations?
Also, 172.28.86.0? Is that correct?
Jon
01-09-2008 01:16 AM
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 6 access-list browsing
nat (inside) 3 172.28.32.0 255.255.255.0
nat (inside) 4 172.28.33.0 255.255.255.0
nat (inside) 5 172.28.80.0 255.255.255.0
nat (inside) 6 172.28.86.0 255.255.255.0
nat (inside) 1 172.28.90.0 255.255.255.0
nat (inside) 2 172.28.92.0 255.255.255.0
nat (edn) 1 172.29.0.0 255.255.255.0
nat (edn) 2 172.29.2.0 255.255.255.0
nat (edn) 6 172.31.205.0 255.255.255.0
nat (edn) 5 10.0.0.0 255.255.224.0
Yes, 172.28.86.0 255.255.255.0 is a subnet. I want only 172.28.86.10 to be able to browse the internet.
Now the internet is working on 172.28.86.10, but by making the following NAT configuration:
nat (inside) 6 172.28.86.0 255.255.255.0
global (outside) 6 interface
But when I remove this NAT configuration and try to configure it with an access-list in NAT, it does not work.
01-09-2008 03:44 AM
Hi
This is because NAT exemption with an access-list takes precedence over NAT with an access-list, so you cannot do it this way.
You will have to do it with the second type of NAT statement you have used rather than an access-list.
Jon
01-09-2008 05:23 AM
The access list you have is for address translation. You have to create an access list and apply it to the inside interface inbound.
In the access list, first allow the host you want to give access to and then deny everything else. You could also restrict the users to certain ports if you want.
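An added example of the interface ACL approach from the last reply, built around the addresses in this thread (this is not configuration posted by anyone in the thread). It assumes the inside interface is named "inside", that the ACL name "inside_in" is free, and that the three "nonat" subnets still need to reach 172.28.37.0/24 through the firewall.

```cisco
! Added example, not from the thread. Assumptions: interface "inside",
! ACL name "inside_in", and that the nonat subnets still need 172.28.37.0/24.
!
! 1. Keep the existing internal traffic working. Without these lines the
!    final deny would also stop the hosts covered by the nonat access-list.
access-list inside_in extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list inside_in extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list inside_in extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
!
! 2. Only the chosen hosts may reach the internet, and only on web ports.
!    DNS (udp/53) is included on the assumption these hosts resolve names
!    through the firewall; drop those lines if an internal resolver is used.
access-list inside_in extended permit tcp host 172.28.33.30 any eq www
access-list inside_in extended permit tcp host 172.28.33.30 any eq https
access-list inside_in extended permit udp host 172.28.33.30 any eq domain
access-list inside_in extended permit tcp host 172.28.86.10 any eq www
access-list inside_in extended permit tcp host 172.28.86.10 any eq https
access-list inside_in extended permit udp host 172.28.86.10 any eq domain
!
! 3. Everything else arriving on the inside interface is dropped and logged,
!    so "show access-list inside_in" answers the hit-count question directly.
access-list inside_in extended deny ip any any log
!
! 4. Apply the ACL inbound on the inside interface.
access-group inside_in in interface inside
!
! NAT stays as the working version from the thread: translate the whole
! subnet and let the interface ACL, not the NAT rule, decide who gets out.
nat (inside) 6 172.28.86.0 255.255.255.0
global (outside) 6 interface
```

Hit counts on the permit and deny entries in "show access-list inside_in" then show which inside hosts are attempting to reach the internet and being stopped.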