ASA 5505 internet access on 1 pc only

Unanswered Question
Mar 29th, 2007

Hi,

Can someone give me the command so that only 1 PC has internet access? My PC is on the a.a.a.a network, say a.a.a.5.

ASA 5505, firmware = asa722-14-k8.bin

Here's my setup:

ip phones & 1 pc for internet-->ASA5505-->internet

access-list 101 extended permit ip a.a.a.a 255.255.255.0 any

access-list 102 extended permit ip a.a.a.a 255.255.255.0 any

nat (inside) 0 access-list 101

access-group 111 in interface outside

route outside 0.0.0.0 0.0.0.0 y.y.y.y 1

thanks

robert

Jon Marshall Thu, 03/29/2007 - 01:21

Hi Robert

Depends on what your PC ip address is. If it is a private address you will need to nat it. If it is a public IP address you won't.

Assuming it is a private address, what you can do is:

nat (inside) 1 access-list 101

global (outside) 1 interface

access-list 101 permit ip host a.a.a.a any

access-list 102 permit ip host a.a.a.a any

access-group 102 in interface inside

The above config will allow just your one PC a.a.a.a to have access to the internet.

HTH

Jon

redrobish Thu, 03/29/2007 - 01:35

Yeah, it's a private IP.

Sample:

pc = 192.168.1.10

nat (inside) 1 access-list 101

nat (inside) 0 access-list 101 --for my existing vpn link

global (outside) 1 interface

access-list 101 permit ip host 192.168.1.0 any

access-list 102 permit ip host 192.168.1.0 any

access-group 102 in interface inside

Right?

thanks

robert

Jon Marshall Thu, 03/29/2007 - 01:45

Robert

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Your access-list stuff is fine.

HTH

Jon

redrobish Thu, 03/29/2007 - 16:24

Hi Jon, I'm very thankful for your help, but it doesn't work.

Maybe it's connected to the firmware? Because when I upgraded it to asa722-14-k8.bin from asa722-10-k8.bin, that's when the internet was gone. The one that you suggest was really my config on the asa722-10-k8 firmware and it was working fine, but things changed when I upgraded to 722-14... any more ideas?

thanks

robert

Jon Marshall Fri, 03/30/2007 - 00:29

Hi Robert

Could you send me a copy of the config you are working with, minus any sensitive information?

Jon

Jon Marshall Fri, 03/30/2007 - 01:17

Robert

There are a few questions from your config.

1) access-list 111 permit ip host x.x.x.x host 172.1.1.2

This is the outside interface of your pix. What is the reason for this access-list? What are you trying to achieve with it?

2) nat (inside) 0 access-list 101

This is saying anything from 192.168.10.0/24 should not be natted. These addresses are not routable, so if they do go out onto the Internet they won't route back.

Could you tell me:

3) Is the outside interface of the pix your connection to the internet?

4) Do you want to stop all of the 192.168.10.0/24 network from accessing the internet except one particular host?

Jon

redrobish Sun, 04/01/2007 - 15:19

1) access-list 111 permit ip host x.x.x.x host 172.1.1.2

- There is an existing VPN connection to this, so I allow only the other side's IP... this should not be affected...

2) nat (inside) 0 access-list 101

- Yup, I want the whole 192.168.10.0 network to be like this because of the existing... for security...

3) Is the outside interface of the pix your connection to the internet?

- Yup, e0/0 is directly connected to the ISP, outside to the internet...

4) Do you want to stop all of the 192.168.10.0/24 network from accessing the internet except one particular host?

- That is exactly what I want to do... allow only one PC to the internet...

thanks

robert

Jon Marshall Sun, 04/01/2007 - 22:59

Robert

Assuming the host is 192.168.10.25:

access-list hostonly permit ip host 192.168.10.25 any

nat (inside) 1 access-list hostonly

global (outside) 1 interface

This will NAT only the 192.168.10.25 host to the public IP address on the outside interface of your pix.

HTH

Jon
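An added example (not Jon's or Robert's configuration) showing how the nat 0 exemption for the VPN and the nat 1 rule for the single host can coexist. On ASA 7.2 NAT exemption (nat 0 access-list) is matched before policy NAT, so an exemption ACL that covers the whole 192.168.10.0/24 to any destination also catches 192.168.10.25 and it never reaches the PAT rule; scoping the exemption to the VPN peer's LAN avoids that. The remote LAN 172.16.50.0/24, the ACL names and the test address 198.51.100.10 are constructed for this example.

```cisco
! Added example, not the thread's config. 192.168.10.25 is the one PC
! allowed out; 172.16.50.0/24 is a constructed remote VPN LAN.

! NAT exemption for VPN traffic only: source = whole LAN, destination =
! the remote LAN. Because the destination is not "any", internet-bound
! packets from .25 fall through to the policy NAT rule below.
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! Policy NAT: PAT only the single host to the outside interface address.
access-list hostonly extended permit ip host 192.168.10.25 any
nat (inside) 1 access-list hostonly
global (outside) 1 interface

! Inbound ACL on the inside interface: VPN traffic from everyone,
! internet traffic only from the host, everything else denied and logged.
! This is what actually stops the other hosts: without nat-control the
! ASA forwards untranslated packets, which then simply have no return path.
access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside_in extended permit ip host 192.168.10.25 any
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

! Checks after applying:
!   show running-config nat   - nat 0 and nat 1 both present
!   show xlate                - a PAT entry appears for .25 once it sends traffic
!   packet-tracer input inside tcp 192.168.10.25 1025 198.51.100.10 80
!       -> NAT phase shows the policy PAT and the result is ALLOW; the same
!          trace from 192.168.10.30 is dropped by the inside_in ACL
```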

redrobish Mon, 04/02/2007 - 00:18

Hi Jon,

Sorry to tell you, but it's still not working.

Maybe it's the firmware? Because it happens when I upgrade the firmware to asa722-14-k8 from asa722-10-k8.

thanks,

robert
