07-25-2006 12:39 PM - edited 03-03-2019 04:13 AM
I have a situation where an external company wants to NAT 6 of our addresses on their network for access to a server.
We do not want them to have access to anything else.
Is it possible to do this with an access list?
For example, if they wanted the addresses:
10.10.57.120 - 125 on this subnet
and everyone else is on the same subnet.
This company will need access to a server on the same subnet and a printer.
We do not want them to get to anything else.
What would be the best way to do this?
07-25-2006 01:00 PM
How is this company connecting to your network? I think this would help in determining where you would have to place the access list. Could you provide a diagram or an explanation of the connectivity?
Could you connect them via a DMZ interface and limit access using a Firewall?
07-25-2006 01:11 PM
They are actually at a remote site (which is part of our company, the remote site also has our users) and have their own connection into the building (not sure how).
The remote site is connecting to the main site via MPLS.
They will also need to access a server at the main site (in addition to a server and printer at the remote site), so they will be just like normal users as far as routing goes.
They are going to do the NATing on their router.
What I have to do is just isolate those 6 addresses from everything other than what they need to get to.
I have extra ethernet ports if needed, but I'm not sure how I could use them if they are on the same subnet.
07-25-2006 01:50 PM
Write an ACL similar to the one noted below and apply it outbound on the interface connecting to the MPLS network at the remote site. Alternatively, you could apply the ACL in the inward direction on the router at the main site.
access-list 100 permit tcp 10.10.57.120 0.0.0.3 host (server_ip) eq (port_#)
access-list 100 permit tcp 10.10.57.124 0.0.0.1 host (server_ip) eq (port_#)
access-list 100 deny ip 10.10.57.120 0.0.0.3 any
access-list 100 deny ip 10.10.57.124 0.0.0.1 any
access-list 100 permit ip any any
HTH,
Sundar
07-25-2006 02:47 PM
Thanks,
Why didn't I think of that?
07-25-2006 04:54 PM
Will this access-list still allow everyone else in the same subnet access everything per normal?
07-26-2006 05:04 AM
If it's only six addresses, wouldn't it be easier just to use host-specific entries?
permit ip host 10.10.57.120 host (server_ip)
deny ip host 10.10.57.120 any
create these entries for each nat address then at the end
permit ip any any
This will restrict the natted addresses but will allow the rest of the subnet unrestricted access.
HTH
N
07-26-2006 05:14 AM
Yes, it will. What this ACL will do is allow the 6 hosts to access the server and deny these hosts access to everything else on your network + allow all other hosts access to everything on your network. Someone mentioned creating 6 host entries which isn't needed as this ACL achieves the task in fewer entries and is the optimal configuration.
Let us know if you have any other concerns.
-Sundar
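As an added illustration (not part of the thread, and not Cisco's code), here is a small Python model of first-match ACL evaluation with Cisco wildcard masks, loaded with the five-line ACL Sundar posted. The server address 10.10.57.10 and port 445 are placeholders I chose for the (server_ip) and (port_#) fields; the model shows that the six NATed hosts reach only that server/port while the rest of the subnet is unrestricted, and that the two wildcard entries cover exactly .120 through .125.

```python
import ipaddress

# Constructed copy of Sundar's ACL; 10.10.57.10 and 445 are placeholder values.
ACL = """
access-list 100 permit tcp 10.10.57.120 0.0.0.3 host 10.10.57.10 eq 445
access-list 100 permit tcp 10.10.57.124 0.0.0.1 host 10.10.57.10 eq 445
access-list 100 deny ip 10.10.57.120 0.0.0.3 any
access-list 100 deny ip 10.10.57.124 0.0.0.1 any
access-list 100 permit ip any any
""".strip().splitlines()

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(t, i):
    """Return (base, wildcard, next_index) for 'host X', 'any' or 'X WILDCARD'."""
    if t[i] == "host":
        return ip(t[i + 1]), 0, i + 2
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return ip(t[i]), ip(t[i + 1]), i + 2

def parse_acl(lines):
    """Each ACE becomes (action, proto, src, src_wild, dst, dst_wild, port or None)."""
    aces = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, sw, i = parse_addr(t, 4)
        dst, dw, i = parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append((action, proto, src, sw, dst, dw, port))
    return aces

def wild_match(addr, base, wild):
    # Cisco wildcard semantics: 0 bits must match, 1 bits are "don't care".
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(aces, src, dst, proto="tcp", port=None):
    """First matching ACE wins; no match means the implicit deny at the end."""
    s, d = ip(src), ip(dst)
    for action, p, bs, sw, bd, dw, ace_port in aces:
        if p != "ip" and p != proto:
            continue
        if ace_port is not None and ace_port != port:
            continue
        if wild_match(s, bs, sw) and wild_match(d, bd, dw):
            return action
    return "deny"

def covered_hosts(base, wild):
    """List the addresses a base/wildcard pair matches (use with small wildcards)."""
    lo, hi = base & ~wild & 0xFFFFFFFF, base | wild
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1) if wild_match(a, base, wild)]
```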
07-27-2006 07:46 AM
The other client wants to connect his router to either my router or switch.
Would it be best to create a 30 bit network and connect him that way?
Is there any way to configure a ethernet port on my router in the same subnet as one already configured on that router?
07-27-2006 10:18 AM
If there's one PC that wants to connect to your network then you can configure the interface with a 30-bit mask and enable network access. Make sure that subnet gets advertised to other routers in your domain either via a routing protocol or a static route. As far as your second question is concerned, you cannot assign an overlapping address to another interface on the same router.
HTH,
Sundar