05-23-2013 10:36 PM - edited 03-04-2019 07:59 PM
Hi,
I have a 2800 series router. Global NATing is configured on it.
ip nat inside source list 111 interface Dialer1 overload
!
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
My objective is that I want to give internet access only to a few users' IPs, e.g. IP addresses from the range
192.168.1.0-10 can have internet access; all others are denied. How do I do this with an ACL?
05-23-2013 11:06 PM
You shouldn't use NAT for that. NAT is an addressing-function and not a security-function.
Better place an ACL in the traffic-path to filter the traffic which can be sent towards the internet and leave your NAT-config untouched:
object-group network INTERNET-PCS
range 192.168.1.1 192.168.1.10
!
ip access-list extended INSIDE-IN
permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip object-group INTERNET-PCS any
deny ip any any
!
int fa 0/0
description inside interface
ip access-group INSIDE-IN in
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
05-23-2013 11:06 PM
Duplicate posts.
05-23-2013 11:13 PM
Hi,
Is the following one correct?
int fa 0/0
ip access-group internal_control in
access-list internet_control permit IP 192.168.0.-10 0.0.0.255
access-list internet_control deny IP any any.
05-23-2013 11:26 PM
Hi,
No, the syntax is incorrect. You'll have to use the object-group feature like Karsten showed you, or if it is not available on your IOS, you'll have to use multiple entries in your ACL to match the hosts .1-.10.
Regards
Alain
Don't forget to rate helpful posts.
05-23-2013 11:27 PM
No, that won't work as there is no possibility to configure an IP-range in an access-list-entry. That can only be achieved through an object-group.
Another way is to align the range of permitted PCs on a subnet-border (192.168.1.1-192.168.1.15). Then you can specify that with one line in the ACL:
ip access-list extended internet_control
permit ip 192.168.1.0 0.0.0.15 any
deny ip any any
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
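The two alternatives discussed above (multiple ACL entries for hosts .1-.10, or one entry aligned on a subnet border) can be compared with a short script. This is an added example, not code from any poster in the thread; the function names are hypothetical, and it assumes contiguous wildcard masks. It prints the exact address/wildcard entries for a range and lists which extra hosts the single 0.0.0.15 entry would also permit.

```python
import ipaddress


def range_to_acl_entries(first, last):
    """Split first..last into (address, wildcard) pairs that match it exactly."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


def acl_lines(first, last):
    """Render the pairs as permit entries, followed by the explicit deny."""
    lines = []
    for addr, wc in range_to_acl_entries(first, last):
        # A 0.0.0.0 wildcard matches one address; IOS writes that as "host".
        src = f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"
        lines.append(f" permit ip {src} any")
    return lines + [" deny ip any any"]


def over_permitted(address, wildcard, first, last):
    """Addresses matched by one contiguous wildcard entry but outside first..last."""
    wc = int(ipaddress.IPv4Address(wildcard))
    low = int(ipaddress.IPv4Address(address)) & ~wc & 0xFFFFFFFF
    high = low | wc
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(low, high + 1)
            if not lo <= a <= hi]


if __name__ == "__main__":
    # ACL name reused from the thread; the range is the one the question asks for.
    print("ip access-list extended internet_control")
    print("\n".join(acl_lines("192.168.1.1", "192.168.1.10")))
    print("extra hosts matched by 192.168.1.0 0.0.0.15:",
          over_permitted("192.168.1.0", "0.0.0.15", "192.168.1.1", "192.168.1.10"))
```

The exact range needs five permit entries, while the single aligned entry also permits 192.168.1.0 and .11 through .15, so those addresses should stay unassigned or be acceptable as internet users.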
05-23-2013 11:30 PM
Hi,
Thanks
I want to study object-group ACLs in detail. Can you please refer me to any video tutorial or any detailed guide?
05-23-2013 11:33 PM
Hi,
Regards
Alain
Don't forget to rate helpful posts.