
5510 allow internet access to certain IPs only


kevmullet

Technical User
Feb 12, 2002
Hi, I have a Cisco 5510 allowing access out to all IP addresses on the internal interface.

I would like to only allow outside access to IP addresses above 192.186.1.192. I'm sure it will have something to do with an access-list, but I can't find the specific command.

Thanks for any help
 
Here is an ACL that will allow your .192 host to talk to any other host, then blocks all other hosts. This will be applied to inbound traffic on the inside interface. You can see ACL hits by typing 'show access-list'. Hope that helps.

cheers


access-list inside-in extended permit ip host 192.186.1.192 any
access-list inside-in extended deny ip any any

access-group inside-in in interface inside
 
I would use policy NAT myself.

global (outside) 5 interface
nat (inside) 5 access-list Internet

access-list Internet permit ip 192.168.1.192 255.255.255.192 any
 
I would side with the ACL on the inside interface. Uses less processing power, blocks the packets closest to the source (always good practice) and unless you've added the nat-control statement you will have un-natted packets exiting the outside interface. Granted they are unroutable from the internet's POV, it just isn't tidy.

In short there are choices. Use the one that makes the most sense to you.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I have made the ACL work for this.

I have done it on the inside interface; however, it only allows access for the one host 192.168.1.192.

What I need is for every IP above it, or more specifically in the subnet 192.168.1.192 255.255.255.192, to have access out. I don't want to have to create a massive access-list with every specific IP I want to allow out.

Is this possible, or am I going to have to create a 62-line access list?

Thanks
 
Post a scrubbed config. Also turn logging on if it isn't.

logging buffered 6
logging on

If it happens during the day try to get a "sh log" when the problem occurs. Since this is happening at night you may want to enable a syslog server and see if you can get something in the logs. You should see some connection limit entries logged.

 
Apply this access-list to the inside interface:


access-list outside_access permit ip 192.168.1.192 255.255.255.192 any


Just make sure you also enable NAT translations for the network, unless you're doing the NATting on the edge router.
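To check what the two access lists in this thread actually match before applying them, here is an added Python example (not from any post in the thread) that evaluates ASA-style source ACEs, with first-match and the implicit trailing deny, against every address in 192.168.1.0/24. The access lists and the candidate addresses are constructed here to mirror the thread; "any" is modelled as 0.0.0.0 0.0.0.0.

```python
import ipaddress

# Constructed access lists mirroring the ones posted in the thread (ASA syntax:
# "permit ip <addr> <mask> any", real subnet masks rather than wildcard masks).
HOST_ONLY_ACL = [
    ("permit", "192.168.1.192", "255.255.255.255"),  # "host 192.168.1.192"
    ("deny", "0.0.0.0", "0.0.0.0"),                  # "deny ip any any"
]
SUBNET_ACL = [
    ("permit", "192.168.1.192", "255.255.255.192"),  # the /26 from the last reply
    # No explicit deny: the ASA's implicit deny at the end of the list still applies.
]

def to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network object from an ASA-style address/mask pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def evaluate(acl, src_ip: str) -> str:
    """Return the action of the first ACE whose source matches, else the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, addr, mask in acl:
        if ip in to_network(addr, mask):
            return action
    return "deny"

def permitted_sources(acl, candidates) -> list:
    """Filter a list of inside source addresses down to those the ACL would let out."""
    return [ip for ip in candidates if evaluate(acl, ip) == "permit"]

# Every address in 192.168.1.0/24, constructed as the candidate inside hosts.
INSIDE_CANDIDATES = [str(ip) for ip in ipaddress.ip_network("192.168.1.0/24")]

if __name__ == "__main__":
    # The host-only list lets exactly one source out; the /26 covers .192 through .255
    # (64 addresses, 62 of them usable hosts), so no 62-line access list is needed.
    print(len(permitted_sources(HOST_ONLY_ACL, INSIDE_CANDIDATES)))  # 1
    print(len(permitted_sources(SUBNET_ACL, INSIDE_CANDIDATES)))     # 64
    # The "192.186.1.192" in the first post is outside 192.168.1.192/26 entirely.
    print(evaluate(SUBNET_ACL, "192.186.1.192"))                     # deny
```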
 