ASA 5505 internet access on 1 pc only

Unanswered Question
Mar 29th, 2007

Hi,


Can someone give me the command so that only 1 PC has internet access? My PC is on the a.a.a.a network, say a.a.a.5.


ASA 5505, firmware = asa722-14-k8.bin


Here's my setup:


ip phones & 1 pc for internet-->ASA5505-->internet


access-list 101 extended permit ip a.a.a.a 255.255.255.0 any

access-list 102 extended permit ip a.a.a.a 255.255.255.0 any


nat (inside) 0 access-list 101

access-group 111 in interface outside

route outside 0.0.0.0 0.0.0.0 y.y.y.y 1


thanks

robert




Jon Marshall Thu, 03/29/2007 - 01:21
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Robert


Depends on what your PC ip address is. If it is a private address you will need to nat it. If it is a public IP address you won't.


Assuming it is a private address what you can do is


nat (inside) 1 access-list 101

global (outside) 1 interface


access-list 101 permit ip host a.a.a.a any

access-list 102 permit ip host a.a.a.a any


access-group 102 in interface inside


The above config will allow just your one PC a.a.a.a to have access to the internet.


HTH


Jon

redrobish Thu, 03/29/2007 - 01:35

Yeah, it's a private IP.


sample:

pc = 192.168.1.10


nat (inside) 1 access-list 101

nat (inside) 0 access-list 101 --for my existing vpn link

global (outside) 1 interface


access-list 101 permit ip host 192.168.1.0 any

access-list 102 permit ip host 192.168.1.0 any

access-group 102 in interface inside


right?


thanks

robert





Jon Marshall Thu, 03/29/2007 - 01:45

Robert


nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


Your access-list stuff is fine.


HTH


Jon

redrobish Thu, 03/29/2007 - 16:24

Hi Jon, I'm very thankful for your help, but it doesn't work.


Maybe it's connected to the firmware? Because when I upgraded it to asa722-14-k8.bin from asa722-10-k8.bin, that's when the internet was gone. The one that you suggest was really my config on the asa722-10-k8 firmware and it was working fine, but things changed when I upgraded to 722-14... any more ideas?


thanks

robert

Jon Marshall Fri, 03/30/2007 - 00:29

Hi Robert


Could you send me a copy of the config you are working with minus any sensitive information.


Jon

Jon Marshall Fri, 03/30/2007 - 01:17

Robert


There are a few questions from your config.


1) access-list 111 permit ip host x.x.x.x host 172.1.1.2


This is the outside interface of your pix. What is the reason for this access-list? What are you trying to achieve with it?


2) nat (inside) 0 access-list 101


This is saying anything from 192.168.10.0/24 should not be natted. These addresses are not routable, so if they do go out onto the Internet they won't route back.


Could you tell me


3) Is the outside interface of the pix your connection to the internet?

4) Do you want to stop all of the 192.168.10.0/24 network from accessing the internet except one particular host?


Jon



redrobish Sun, 04/01/2007 - 15:19

1) access-list 111 permit ip host x.x.x.x host 172.1.1.2

- There is an existing VPN connection to this, so I allow only the other side's IP... this should not be affected...


2) nat (inside) 0 access-list 101


- Yup, I want the whole 192.168.10.0 network to be like this because of the existing... for security...


3) Is the outside interface of the pix your connection to the internet.

- Yup, e0/0 is directly connected to the ISP, outside to the internet...

4) Do you want to stop all the 192.168.10.0/24 network from accessing the internet except one particular host

- That is exactly what I want to do... allow only one PC to the internet...


thanks

robert

Jon Marshall Sun, 04/01/2007 - 22:59

Robert


Assuming the host is 192.168.10.25


access-list hostonly permit ip host 192.168.10.25 any


nat (inside) 1 access-list hostonly

global (outside) 1 interface


This will NAT only the 192.168.10.25 host to the public IP address on the outside interface of your pix.


HTH


Jon
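As an added illustration (not Jon's, Robert's or Cisco's code), the following Python model replays the two mechanisms this thread turns on: the inside interface ACL with its implicit deny, and the ASA 7.x NAT lookup order, in which a NAT-exemption rule (nat (inside) 0 access-list ...) is matched before policy dynamic NAT (nat (inside) 1 access-list hostonly together with global (outside) 1 interface). It makes Jon's question 2 concrete: as long as access-list 101 exempts the whole 192.168.10.0/24 toward any destination, host 192.168.10.25 hits the exemption first, leaves the box untranslated and never gets Internet replies, even with the hostonly rule configured. Narrowing the exemption to the network behind the VPN peer lets the host be PATed while every other host stays blocked by the inside ACL. The public address 203.0.113.1, the VPN remote network 10.20.0.0/16 and the Internet host 198.51.100.10 are constructed values, not from the thread.

```python
import ipaddress

# Constructed addresses for this example (the thread uses x.x.x.x placeholders).
ANY = "0.0.0.0/0"
INSIDE_NET = "192.168.10.0/24"       # Robert's inside network
HOST = "192.168.10.25"               # the one PC that should reach the Internet
OUTSIDE_IP = "203.0.113.1"           # hypothetical public address on e0/0
VPN_REMOTE = "10.20.0.0/16"          # hypothetical network behind the VPN peer 172.1.1.2
INTERNET_HOST = "198.51.100.10"      # hypothetical host on the Internet

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ace(action, src, dst):
    """One access-list entry; a bare address becomes a /32, ANY is 0.0.0.0/0."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_permits(acl, src, dst):
    """First matching entry wins; no match is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def nat_decision(exempt_acl, policy_acl, outside_ip, src, dst):
    """ASA 7.x lookup order: NAT exemption (nat 0 access-list) is checked before
    policy dynamic NAT (nat 1 access-list + global 1 interface).
    Returns (rule that matched, source address the packet leaves with)."""
    if acl_permits(exempt_acl, src, dst):
        return ("exempt", src)            # identity: leaves untranslated
    if acl_permits(policy_acl, src, dst):
        return ("pat", outside_ip)        # translated to the outside interface address
    return ("no-rule", src)


def evaluate(inside_acl, exempt_acl, policy_acl, outside_ip, src, dst):
    """Inbound-on-inside path: interface ACL first, then the NAT lookup.
    Returns (passed_acl, nat_rule, egress_source, internet_reachable)."""
    if not acl_permits(inside_acl, src, dst):
        return (False, None, None, False)
    rule, egress = nat_decision(exempt_acl, policy_acl, outside_ip, src, dst)
    # An RFC1918 source that goes out untranslated gets no replies from the Internet.
    routable = not any(ipaddress.ip_address(egress) in n for n in RFC1918)
    return (True, rule, egress, routable)


# nat (inside) 0 access-list 101, with 101 permitting the whole /24 to any (as posted)
ACL_101_AS_POSTED = [ace("permit", INSIDE_NET, ANY)]
# Narrowed exemption: only traffic toward the VPN remote network stays untranslated
ACL_101_VPN_ONLY = [ace("permit", INSIDE_NET, VPN_REMOTE)]
# access-list hostonly permit ip host 192.168.10.25 any  (used by nat (inside) 1)
ACL_HOSTONLY = [ace("permit", HOST, ANY)]
# Inside interface ACL: VPN traffic for everyone, Internet for the one host only
ACL_INSIDE = [ace("permit", INSIDE_NET, VPN_REMOTE), ace("permit", HOST, ANY)]


def as_posted(src, dst):
    return evaluate(ACL_INSIDE, ACL_101_AS_POSTED, ACL_HOSTONLY, OUTSIDE_IP, src, dst)


def with_narrowed_exemption(src, dst):
    return evaluate(ACL_INSIDE, ACL_101_VPN_ONLY, ACL_HOSTONLY, OUTSIDE_IP, src, dst)


if __name__ == "__main__":
    print("as posted, host -> Internet:      ", as_posted(HOST, INTERNET_HOST))
    print("narrowed, host -> Internet:       ", with_narrowed_exemption(HOST, INTERNET_HOST))
    print("narrowed, other host -> Internet: ", with_narrowed_exemption("192.168.10.30", INTERNET_HOST))
    print("narrowed, other host -> VPN:      ", with_narrowed_exemption("192.168.10.30", "10.20.1.5"))
```

Two things worth checking on a real box before blaming the firmware: show xlate after the host browses (no entry for 192.168.10.25 means the exemption, not the PAT rule, is winning), and whether an inside ACL that only permits the one host also silently cuts the VPN traffic of the other hosts, which is why the model's inside ACL carries a separate entry for the VPN network.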

redrobish Mon, 04/02/2007 - 00:18

Hi Jon,


Sorry to tell you, but it's still not working.


Maybe it's the firmware? Because it happens when I upgrade the firmware to asa722-14-k8 from asa722-10-k8.


thanks,

robert
