03-29-2007 01:06 AM - edited 03-05-2019 03:10 PM
Hi,
Can someone give me the command so that only 1 PC has internet access? My PC is on the a.a.a.a network, say a.a.a.5.
ASA 5505, firmware = asa722-14-k8.bin
here's my setup..
ip phones & 1 pc for internet-->ASA5505-->internet
access-list 101 extended permit ip a.a.a.a 255.255.255.0 any
access-list 102 extended permit ip a.a.a.a 255.255.255.0 any
nat (inside) 0 access-list 101
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
thanks
robert
03-29-2007 01:21 AM
Hi Robert
Depends on what your PC ip address is. If it is a private address you will need to nat it. If it is a public IP address you won't.
Assuming it is a private address what you can do is
nat (inside) 1 access-list 101
global (outside) 1 interface
access-list 101 permit ip host a.a.a.a any
access-list 102 permit ip host a.a.a.a any
access-group 102 in interface inside
The above config will allow just your one PC a.a.a.a to have access to the internet.
HTH
Jon
03-29-2007 01:35 AM
Yeah, it's a private IP.
sample:
pc = 192.168.1.10
nat (inside) 1 access-list 101
nat (inside) 0 access-list 101 --for my existing vpn link
global (outside) 1 interface
access-list 101 permit ip host 192.168.1.0 any
access-list 102 permit ip host 192.168.1.0 any
access-group 102 in interface inside
right?
thanks
robert
03-29-2007 01:45 AM
Robert
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Your access-list stuff is fine.
HTH
Jon
03-29-2007 04:24 PM
Hi Jon, I'm very thankful for your help but it doesn't work.
Maybe it's connected to the firmware? Because when I upgraded it to asa722-14-k8.bin from asa722-10-k8.bin, that's when the internet was gone. The one that you suggested was really my config on the asa722-10k8 firmware and it was working fine, but things changed when I upgraded to 722-14... Any more ideas?
thanks
robert
03-30-2007 12:29 AM
Hi Robert
Could you send me a copy of the config you are working with minus any sensitive information.
Jon
03-30-2007 12:43 AM
03-30-2007 01:17 AM
Robert
There are a few questions from your config.
1) access-list 111 permit ip host x.x.x.x host 172.1.1.2
This is the outside interface of your pix. What is the reason for this
access-list, what are you trying to achieve with it.
2) nat (inside) 0 access-list 101
This is saying anything from 192.168.10.0/24 should not be natted. These addresses
are not routable so if they do go out onto the Internet they won't route back.
Could you tell me
3) Is the outside interface of the pix your connection to the internet.
4) Do you want to stop all the 192.168.10.0/24 network from accessing the internet except one particular host.
Jon
04-01-2007 03:19 PM
1) access-list 111 permit ip host x.x.x.x host 172.1.1.2
-there is an existing vpn connection to this so I allow only the other's side ip...this should not be affected...
2) nat (inside) 0 access-list 101
-yup, i want the whole 192.168.10.0 network to be like this cause of the existing...for security...
3) Is the outside interface of the pix your connection to the internet.
-yup, e0/0 is directly connected to the isp, outside to internet...
4) Do you want to stop all the 192.168.10.0/24 network from accessing the internet except one particular host
-that is exactly what I want to do..allow only one pc to the internet...
thanks
robert
04-01-2007 10:59 PM
Robert
Assuming the host is 192.168.10.25
access-list hostonly permit ip host 192.168.10.25 any
nat (inside) 1 access-list hostonly
global (outside) 1 interface
This will NAT only the 192.168.10.25 host to the public IP address on the outside interface of your pix.
HTH
Jon
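Added example (not from any poster in this thread and not Cisco code): a small Python model of how pre-8.3 ASA software orders NAT matching, where NAT exemption (nat 0 access-list) is checked before policy dynamic NAT (nat N access-list). It shows how an exemption ACL covering 192.168.10.0/24 to any interacts with the hostonly rule above. Assumptions: ACL 101 has the form given in the first post with the 192.168.10.0 network, 10.99.0.0/24 is a constructed stand-in for the remote VPN network, 198.51.100.7 is a documentation address, and the function names are hypothetical.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into {name: [(src, dst)]}."""
    acls = {}
    for line in lines:
        tok = [t for t in line.split() if t != "extended"]
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            continue
        nets, rest = [], tok[4:]
        while rest:
            if rest[0] == "any":
                net, used = "0.0.0.0/0", 1
            elif rest[0] == "host":
                net, used = rest[1] + "/32", 2
            else:  # address followed by netmask
                net, used = rest[0] + "/" + rest[1], 2
            nets.append(ipaddress.ip_network(net))
            rest = rest[used:]
        acls.setdefault(tok[1], []).append((nets[0], nets[1]))
    return acls

def nat_decision(config, src, dst):
    """Return the NAT action for a flow entering the inside interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = parse_acl(lines)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat = [l.split() for l in lines if l.startswith("nat (inside)")]
    # Pass 1: NAT exemption (id 0 with an ACL). Pass 2: policy dynamic NAT (id > 0).
    for want_exempt in (True, False):
        for t in nat:
            if len(t) == 5 and t[3] == "access-list" and (t[2] == "0") == want_exempt:
                if any(s in a and d in b for a, b in acls.get(t[4], [])):
                    return "exempt (no translation)" if want_exempt else "PAT via nat id " + t[2]
    return "no NAT rule matched"

# Constructed sample configs, not the poster's actual configuration.
BROAD = """
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 any
access-list hostonly permit ip host 192.168.10.25 any
nat (inside) 0 access-list 101
nat (inside) 1 access-list hostonly
global (outside) 1 interface
"""
# Same config with the exemption ACL limited to the (constructed) VPN peer network.
NARROW = BROAD.replace("255.255.255.0 any", "255.255.255.0 10.99.0.0 255.255.255.0")

if __name__ == "__main__":
    for name, cfg in (("broad", BROAD), ("narrow", NARROW)):
        print(name, "->", nat_decision(cfg, "192.168.10.25", "198.51.100.7"))
```

On a real device, packet-tracer and show xlate report which rule a flow actually hit.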
04-02-2007 12:18 AM
Hi Jon,
sorry to tell but still not working.
Maybe it's the firmware? Because it happened when I upgraded the firmware to asa722-14-k8 from asa722-10-k8.
thanks,
robert