cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
277
Views
0
Helpful
7
Replies

NATing on router 2800 series

junaid haroon
Beginner
Beginner

Hi,

I have Router 2800 series Global nating is configured on it.

ip nat inside source list 111 interface Dialer1 overload

!

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

My object is that i want give internet access only for few users ip E.g  IPs addresses from range

192.168.1.0-10 can acess intenet access other all are deny.How i do this with ACL .

1 Accepted Solution

Accepted Solutions

no, that won't work as there is no possibility to configure an IP-range in an access-list-entry. That can only be achieved through an object-group.

Another way is to allign the range of permitted PCs on a subnet-border (192.168.1.1-192.168.1.15). Then you can specify that with one line in the ACL:

access-list ext internet_control

  permit ip 192.168.1.0 0.0.0.15 any

  deny ip any any

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

7 Replies 7

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

You shouldn't use NAT for that. NAT is an addressing-function and not a security-function.

Better place an ACL in the traffic-path to filter the traffic which can be sent towards the internet and let your NAT-config untouched:

object-group network INTERNET-PCS

  range 192.168.1.1 192.168.1.10

!

ip access-list extended INSIDE-IN

  permit ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.0.255

  permit ip object-group INTERNET-PCS any

  deny ip any any

!

int fa 0/0

  description inside interface

  ip access-group INSIDE-IN in

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend

Duplicate posts. 

Hi,

Is following one is correct.

int fa 0/0

ip access-group internal_control in

access-list internet_control permit IP 192.168.0.-10 0.0.0.255

access-list internet_control deny IP any any.

Hi,

No the syntax is incorrect, you'll have to use the object group feature like Karsten showed you or if it is not available on your IOS you'll have to use multiple entries in your ACL to match the hosts .1-.10

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

no, that won't work as there is no possibility to configure an IP-range in an access-list-entry. That can only be achieved through an object-group.

Another way is to allign the range of permitted PCs on a subnet-border (192.168.1.1-192.168.1.15). Then you can specify that with one line in the ACL:

access-list ext internet_control

  permit ip 192.168.1.0 0.0.0.15 any

  deny ip any any

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi,

Thanks

I want to study object-group ACLs in detail can you please refer a any video tutorial or any detailed guide.

Hi,

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-object-group-acl.html

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers