NAT Overload with ACL

Andrew White
Level 2

Hello,

I'm setting up a small office which has 5 small subnets and a Cisco router to the Internet; their ASA firewall has not arrived, so I'm setting up the router with NAT overload. At the moment I have 1 access list which is an 'any any' type rule and allows all subnets internet access on all ports.

2.) How can I give the users' subnets access to TCP/80 and 443 only (172.16.10.x/24 & 172.16.11.x/24) and the server subnet (172.16.1.x/24) full access?

1.) Once the firewall is in I will control it from there, but I'm not sure how I will need to set the router up, as this will attach to the ASA's outside after. I will have a 0.0.0.0 0.0.0.0 (router IP) with an inside to outside NAT on the ASA as per normal, but what should I configure on the Cisco Router?

Thanks

6 Replies

luis_cordova
VIP Alumni

Hi @Andrew White,

2.) How can I give the users' subnets access to TCP/80 and 443 only (172.16.10.x/24 & 172.16.11.x/24) and the server subnet (172.16.1.x/24) full access?

I recommend you configure an extended ACL to filter the ports you mention.

This ACL can be applied to an interface or subinterface on the router.

Regards

Ah yes, I can use 1 extended ACL, put everything in that, apply it to the NAT router and remove the standard ACL.

Seb Rupik
VIP Alumni

Why not apply an outbound ACL on the router's outside interface:

!
! IOS ACL entries take wildcard masks (0.0.0.255), not subnet masks
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 443
access-list 101 deny ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip 172.16.11.0 0.0.0.255 any
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
!
int x/x
  desc OUTSIDE
  ip access-group 101 out
!



2) Once your ASA arrives and is connected, remove the NAT and the above ACL. The router will need a default route directed to the ISP next-hop IP, and a second route directed at the ASA outside interface for your private inside subnets. Ideally you would run a dynamic routing protocol between the two so that any new subnets added to the ASA will be known to the router.

cheers,

Seb.

Hello,

something like the below should work:

!
! a port qualifier (eq 80) is only valid with tcp or udp, not ip
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.16.11.0 0.0.0.255 any eq 443
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload

Hello,

on the router, basically all you would need is a static route pointing to the inside interface of the ASA. All NAT would be configured on the ASA...

Thanks all - really appreciate it.

On the Router and ASA I will be running OSPF (area 0)
