How to set up NAT with ACLs/restricted access.

Aug 14th, 2007

Old setup: our existing setup is a 5510 with remote access VPN through a DSL link. This was done because we did not have the facility hooked into our LAN campus. Now we have the fiber in and the facility is set up on the local LAN. We want to decommission the VPN setup.

Well and good.

New setup: there will be about 10 internal devices (172.x.x.x) with 10 individual static NAT addresses configured on the 5510.

This way, all users on our local LAN can get to the 10 devices.

BUT, we only want certain LAN users to get to those devices. Those users will have various IP addresses because their desktops are set for DHCP. So how do I control access through the 5510?

The users would not mind if an extra username/password box popped up whenever they tried to access the internal 10. Is there a way to do this?

Any help would be greatly appreciated.

We're running 7.2/5.2 as our software.

vgoradia Tue, 08/21/2007 - 07:45

Thanks Jon,

No, we do not have a RADIUS/TACACS server on our network.

Is there another way to do this?

Also, what would be easier to set up, RADIUS or TACACS?

We do have some spare desktops with XP. Would it be possible to set up RADIUS/TACACS fairly easily, or do I need to buy licenses?

srue Tue, 08/21/2007 - 09:56

If you have a Win2k or 2k3 server you can install Internet Authentication Server (IAS); it's MS's free RADIUS implementation. I've set it up for both administrative access and remote VPN access. And this way, you can use Active Directory accounts with it as well.

vgoradia Tue, 08/21/2007 - 10:53

Thanks srue.

One question: if I were to use a Win2k server, does it have to be on the same subnet as the Cisco 5510?

Or can they be on different subnets?

For example, the Win2k server would be in my office while the 5510 is in a different building on the campus (of course, there is a logical network path between my building and the other building).

Jon Marshall Tue, 08/21/2007 - 11:57

No, it doesn't have to be on the same subnet. As long as the ASA can route to the W2K server you should be fine.

vgoradia Thu, 08/23/2007 - 12:04

Can someone who has set up static NATs through a 5500 series ASA with a Windows 2k server based RADIUS server please post the key commands?

This would tremendously help us in our configuration!
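The following is an added example configuration, not posted by anyone in this thread, showing the pieces the question asks for on an ASA 5510 running 7.2: static NAT for the facility devices, an interface ACL that limits what the campus side can reach, a RADIUS server group pointing at a Windows IAS box, and cut-through proxy authentication so that a username/password prompt appears before a connection is passed through. Interface names ("inside" for the new facility, "campus" for the rest of the LAN), all IP addresses and the shared secret are constructed placeholders; substitute your own.

```cisco
! Added example, not from any poster. Addresses, interface names and the
! RADIUS key are constructed placeholders. Assumes ASA software 7.2.
! "inside"  = new facility, 172.16.10.0/24
! "campus"  = rest of the LAN, 10.0.0.0/8
! IAS RADIUS server at 10.20.30.40, reachable through "campus"

hostname asa5510
interface Ethernet0/0
 nameif campus
 security-level 50
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0

! 1. One-to-one static NAT: each facility device gets a fixed campus-side
!    address. Repeat one line per device (ten in the question).
static (inside,campus) 10.1.1.101 172.16.10.11 netmask 255.255.255.255
static (inside,campus) 10.1.1.102 172.16.10.12 netmask 255.255.255.255

! 2. Interface ACL on the campus side. Traffic arriving on the lower-security
!    interface is denied unless listed here. Destinations are the translated
!    (campus-side) addresses, and only the needed service is opened.
!    The final deny is logged so blocked attempts show up in syslog.
access-list CAMPUS_IN extended permit tcp any host 10.1.1.101 eq https
access-list CAMPUS_IN extended permit tcp any host 10.1.1.102 eq https
access-list CAMPUS_IN extended deny ip any any log
access-group CAMPUS_IN in interface campus

! 3. RADIUS server group for the Windows IAS server.
aaa-server IAS protocol radius
aaa-server IAS (campus) host 10.20.30.40
 key <shared-secret-placeholder>
 timeout 5

! 4. Cut-through proxy: connections matching this ACL are held until the
!    user authenticates against IAS. The ASA can prompt natively only for
!    HTTP, HTTPS, Telnet and FTP sessions.
access-list AUTH_TO_FACILITY extended permit tcp any host 10.1.1.101 eq https
access-list AUTH_TO_FACILITY extended permit tcp any host 10.1.1.102 eq https
aaa authentication match AUTH_TO_FACILITY campus IAS

! 5. An authenticated source address stays authorised until idle for
!    10 minutes, after which the user is prompted again.
timeout uauth 0:10:00 inactivity
```

Because the desktops are on DHCP, the source addresses in CAMPUS_IN cannot identify individual people; that is what step 4 adds. Which accounts are allowed is then decided on the IAS side (for example by Active Directory group membership in the remote access policy). If the devices are reached over a protocol the ASA cannot prompt on (anything other than HTTP, HTTPS, Telnet or FTP), users can first authenticate to a `virtual telnet` address configured on the ASA, after which their source address is authorised for the uauth timeout.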
