In addition to the excellent point that Paul makes I am wondering about the part of the original post that shows a single DHCP pool of addresses. If the devices are receiving their addresses via DHCP then over time it is quite possible that the two machines who you want to treat differently could have different IP addresses. How are you going to manage this? It appears to me that the objective described in the original post can not be achieved without some change in the network design.

 

HTH

 

Rick

Regarding the DHCP nevermind it...I will exclude the address I want to user as STatic to the Computers...
What confuses me are the ACLs :)

Hello Paul,

 

Lets say  Department A Germany

Department B England

 

Both points are connected through VPN p2p

192.168.1.236 and 192.168.1.222  are in England

in Germany theres the below subnet as DHCP

10.0.4.0 /24

 

I am trying now to get 15 users from there, 10.0.4.2 - 10.0.4.16 to get to those 2 hosts, without Internet though, only pass traffic through VPN and two extra hosts, to get to those hosts with Internet Though.

 

With the below ACL I can get 15 hosts to get to those 2 hosts with internet, which I want to cut them off the internet.

And get 2 extra hosts to get to 192.168.1. with internet. I think its achievable with ACL no?

 

 

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to England
 set peer ***********
 set transform-set *************
 match address 100

 

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.4.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.4.0 0.0.0.15 host 192.168.1.236
access-list 100 permit ip host 10.0.4.20 host 192.168.1.222

access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.0.4.0 0.0.0.15 host 192.168.1.236
access-list 101 deny   ip host 10.0.4.15 host 192.168.1.222
access-list 101 permit ip 10.0.4.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server community mnemonic RW
snmp-server location Ydrogios Asfalistiki
snmp-server contact Mnemonic IT Services
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101

Maybe If I can only NAT specific hosts?

ip nat pool nat 10.0.4.17 10.0.4.20 netmask 255.255.255.0 and cut there rests so they only match the ACL 100?

It would be best to define your ACLs to specific hosts instead and while you're at it, CIDR smaller than /24. Look at the amount of hosts to determine but not any bigger, something like 0.0.0.31 for the 15 hosts and 0.0.0.3 for the 2 hosts. Remember ACLs are network security measures and if you don't subnet smaller you'll run in huge networking risks.

** Click (star) if you felt this was helpful.

thats true, but 15 hosts don't want to be Nated and have internet (only in VPN)...and 2 of them Need to have VPN site-to-site plus internet

So basically, I ll delete DHCP
I will create an Extended ACL to match it with the VPN hosts 10.0.4.0 0.0.0.31 towards the 192.168 network on the other side and then create an extended ACL to deny the VPN. Like the below?

ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended VPN-TRAFFIC
permit ip 10.0.4.0 0.0.0.15 192.168.1.0 0.0.0.255
permit ip 10.0.4.16 0.0.0.15 192.168.1.0 0.0.0.255
!
access-list 100 remark NAT
access-list 100 deny ip 10.0.4.16 0.0.0.15 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.0.4.16 0.0.0.15 any
access-list 100 remark
dialer-list 1 protocol ip permit

So in that Way the firsts 15 hosts only go through VPN, No internet...and the rest 15 hosts gets VPN and Internet. Correct?

I am excited that you diving into ACLs but make sure you understand the wildcard properly. It looks like your wildcards are only allocating the hosts and not the network and broadcast addresses, that's two extra on top of the 15 hosts, making 17 addresses.

Also, your NAT config needs adjusting; make sure all your permit statements are at the top and deny statements are at bottom. Since you have a deny at the beginning that is matched, the traffic is denied.

Take a look at URL: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html