01-16-2019 05:24 AM - edited 03-05-2019 11:11 AM
Hello,
I'm setting up a small office which has 5 small subnets and a Cisco router to the Internet, their ASA firewall has not arrived so I'm setting up the router with NAT overload. At the moment I have 1 access list which is an 'any any' type rule and allows all subnets internet access on all ports.
2.) How can I give the users subnets access to TCP/80 and 443 only (172.16.10.x/24 & 172.16.11.x/24) and the server subnet (172.16.1.x/24) full access?
1.) Once the firewall is in I will control it from there, but I'm not sure how I will need to set the router up as this will attach to the ASAs outside after. I will have a 0.0.0.0 0.0.0.0 (router IP) with an inside to outside NAT on the ASA as per normal, but what should I configure on the Cisco Router?
Thanks
01-16-2019 05:46 AM
Hi @Andrew White,
2.) How can I give the users subnets access to TCP/80 and 443 only (172.16.10.x/24 & 172.16.11.x/24) and the server subnet (172.16.1.x/24) full access?
I recommend you configure an extended ACL to filter the ports you mention.
This ACL can be applied to an interface or subinterface on the router.
Regards
01-16-2019 05:58 AM
Ah yes, I can use 1 extended ACL, put all of it in that, apply it to the NAT router and remove the standard ACL.
01-16-2019 05:54 AM
Why not apply an outbound ACL on the router's outside interface:
!
! IOS ACLs take wildcard masks (0.0.0.255), not subnet masks (255.255.255.0);
! with 255.255.255.0 only the last octet would have to match.
! Note: an outbound ACL on the outside interface is checked after NAT, so it
! only sees the translated outside address and these 172.16.x.x entries would
! never match. Apply the list inbound on the inside interface(s) instead, where
! the private source addresses are still visible.
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 443
access-list 101 deny ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip 172.16.11.0 0.0.0.255 any
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
!
int x/x
 desc INSIDE (repeat on each inside interface or subinterface)
 ip access-group 101 in
!
2) Once your ASA arrives and is connected, remove the NAT and the above ACL. The router will need a default route directed to the ISP next-hop IP, and a second route directed at the ASA outside interface for your private inside subnets. Ideally you would run a dynamic routing protocol between the two so that any new subnets added to the ASA will be known to the router.
cheers,
Seb.
01-16-2019 05:55 AM
Hello,
something like the below should work:
! Port matches need protocol tcp: IOS does not accept an "eq <port>"
! qualifier on a "permit ip" entry.
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 443
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
!
! Packets that do not match the NAT list are forwarded untranslated, not
! dropped: this list chooses what gets translated, it does not enforce the
! filter. An "ip access-group ... in" on the inside interfaces does the blocking.
ip nat inside source list 101 interface GigabitEthernet0/0 overload
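Putting the two suggestions above (the interface ACL in Seb's reply and the NAT statement in the reply just above) together into one interim router configuration. This is an added example written for this thread, not any reply's own config or the OP's running config. The interface names, VLAN IDs, the ISP uplink 203.0.113.0/30 and the next hop 203.0.113.1 are assumed placeholders; adjust them to the real topology. The filter is applied inbound on the user subinterfaces because IOS translates inside-to-outside traffic before it evaluates an outbound ACL on the outside interface, and the NAT selection list is kept separate from the filter because NAT lists do not drop anything.

```cisco
! Added example, not from any reply in this thread. Assumed topology:
! Gi0/0 faces the ISP (203.0.113.2/30, next hop 203.0.113.1), Gi0/1 is a
! dot1Q trunk carrying VLAN 10 and 11 (users) and VLAN 100 (servers).
!
! Filter for the user subnets, applied INBOUND on the user subinterfaces,
! i.e. before NAT. An outbound ACL on the outside interface is evaluated
! after translation and would only see the overloaded outside address.
ip access-list extended USERS-IN
 remark traffic between the office subnets stays unfiltered (assumed policy)
 permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.11.0 0.0.0.255 172.16.0.0 0.0.255.255
 remark web only towards the Internet
 permit tcp 172.16.10.0 0.0.0.255 any eq 80
 permit tcp 172.16.10.0 0.0.0.255 any eq 443
 permit tcp 172.16.11.0 0.0.0.255 any eq 80
 permit tcp 172.16.11.0 0.0.0.255 any eq 443
 remark explicit deny with logging so blocked flows show up in syslog
 deny ip any any log
!
! What gets translated. The NAT list only selects traffic for translation;
! anything it does not match is forwarded untranslated, not dropped.
ip access-list extended NAT-INSIDE
 permit ip 172.16.0.0 0.0.255.255 any
!
interface GigabitEthernet0/0
 description OUTSIDE to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1.10
 description USERS VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip access-group USERS-IN in
!
interface GigabitEthernet0/1.11
 description USERS VLAN 11
 encapsulation dot1Q 11
 ip address 172.16.11.1 255.255.255.0
 ip nat inside
 ip access-group USERS-IN in
!
interface GigabitEthernet0/1.100
 description SERVERS VLAN 100 (no filter: full access)
 encapsulation dot1Q 100
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two things to check before calling it done: if the users resolve names through an external DNS server rather than one on 172.16.1.x, add a permit for udp/tcp 53 to that server or nothing will get past name resolution; and confirm the filter is actually being hit with `show ip access-lists USERS-IN` (the per-entry counters should increase for web traffic and for the logged denies) and the translations with `show ip nat translations`.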
01-16-2019 05:59 AM
Hello,
on the router, basically all you would need is a static route pointing to the inside interface of the ASA. All NAT would be configured on the ASA...
01-16-2019 07:25 AM - edited 01-16-2019 07:28 AM
Thanks all - really appreciate it.
On the Router and ASA I will be running OSPF (area 0)
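For the second phase, once the ASA is the edge firewall and does the NAT, the router becomes a plain uplink router with an OSPF area 0 adjacency to the ASA, as Seb outlined and the OP confirms above. The following is an added example of that router configuration (not any reply's own config; the ASA side is not shown). It assumes the ISP uplink is 203.0.113.0/30 (next hop 203.0.113.1) and that the segment between router and ASA uses a publicly routable block, here 203.0.113.8/29 with the router on .9 and the ASA outside on .10; the block must be public because the router no longer translates, so the ASA's outside address is what the Internet sees. The OSPF key is a placeholder.

```cisco
! Added example, not from any reply in this thread. Placeholders: uplink
! 203.0.113.0/30 (ISP next hop .1), router-to-ASA transit 203.0.113.8/29
! (router .9, ASA outside .10), OSPF key CHANGE-ME.
!
! Remove the interim NAT and filter from the earlier reply.
no ip nat inside source list 101 interface GigabitEthernet0/0 overload
no access-list 101
!
interface GigabitEthernet0/0
 description OUTSIDE to ISP
 ip address 203.0.113.2 255.255.255.252
 no ip nat outside
!
interface GigabitEthernet0/1
 description TRANSIT to ASA outside
 ip address 203.0.113.9 255.255.255.248
 no ip nat inside
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME
!
router ospf 1
 router-id 203.0.113.9
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 203.0.113.8 0.0.0.7 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Design notes: `passive-interface default` keeps OSPF hellos off the ISP-facing link, so only the ASA can form an adjacency, and the MD5 key means a rogue device on the transit segment cannot inject routes. With NAT on the ASA the router only needs to reach the ASA's outside address, which is directly connected; the OSPF session is still worth having because `default-information originate` hands the ASA its default route (it is advertised only while the static default above is present) and the router learns any subnets the ASA leaves untranslated, for example future VPN ranges. Verify with `show ip ospf neighbor` (state FULL towards 203.0.113.10) and `show ip route ospf`.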