How to set up NAT with ACLs/restricted access

vgoradia
Level 1

Old setup: our existing setup is a 5510 with remote access VPN through a DSL link. This was done because we did not have the facility hooked into our LAN campus. Now we have the fiber in and the facility is set up on the local LAN. We want to decommission the VPN setup.

Well and good.

New setup: will be about 10 internal devices (172.x.x.x) with 10 individual static NAT addresses configured on the 5510.

This way, all users on our local LAN can get to the 10 devices.

BUT, we only want certain LAN users to get to those devices. Those users will have various IP addresses because their desktops are set for DHCP. So how do I control access through the 5510?

The users would not mind if an extra username/password box popped up whenever they tried to access the internal 10 devices. Is there a way to do this?

Any help would be greatly appreciated.

We're running 7.2/5.2 as our software.

6 Replies

Jon Marshall
Hall of Fame

Hi

Do you have a RADIUS/TACACS server in your infrastructure? What you want is to authenticate the user on the ASA before they get access to the devices.

Attached is a link to authenticating network access with the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043431

HTH

Jon

Thanks Jon,

No, we do not have a RADIUS/TACACS server on our network.

Is there another way to do this?

Also, what would be easier to set up, RADIUS or TACACS?

We do have some spare desktops with XP or Ubuntu, so would it be possible to set up RADIUS/TACACS fairly easily? Or do I need to buy licenses?

If you have a Win2k or 2k3 server you can install Internet Authentication Server (IAS), it's MS's free RADIUS implementation. I've set it up for both administrative access and remote VPN access. And this way, you can use Active Directory accounts with it as well.

Thanks srue.

One question: if I were to use a Win2k server, does it have to be on the same subnet as the Cisco 5510?

Or can they be on different subnets?

For example, the Win2k server would be in my office while the 5510 is in a different bldg on the campus (of course, there is a logical network path between my bldg and the other bldg).

Hi

No, it doesn't have to be on the same subnet. As long as the ASA can route to the W2K server you should be fine.

Jon

Can someone who has set up static NATs through a 5500 series ASA with a Windows 2k server based RADIUS server please post the key commands?

This would tremendously help us in our configuration!
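The pieces Jon's first reply points at (authenticating network access on the ASA against a RADIUS server) and the key commands asked for in the last post fit together in one configuration. The following is an added example written for this thread, not a configuration posted by any participant or taken from Cisco's guide. It uses pre-8.3 (7.2-era) syntax and assumes: the 10 devices sit on the interface named `inside`, the campus LAN users arrive on the interface named `outside`, the IAS server is at 10.0.0.5 (reachable by routing, as Jon notes), the devices' real addresses are in 172.16.1.0/24, their mapped campus addresses are in 10.1.50.0/24, and only two of the ten statics are shown. All of those names and addresses are placeholders.

```cisco
! Added example for this thread; interface names, addresses and the
! shared secret are assumptions, not values from the original post.
!
! 1. RADIUS server group pointing at the Windows IAS box. On the IAS side the
!    ASA must be added as a RADIUS client with the same shared secret.
aaa-server CAMPUS-RADIUS protocol radius
aaa-server CAMPUS-RADIUS (outside) host 10.0.0.5
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
!
! 2. One static NAT per internal device (mapped campus address <-> real 172.x).
static (inside,outside) 10.1.50.11 172.16.1.11 netmask 255.255.255.255
static (inside,outside) 10.1.50.12 172.16.1.12 netmask 255.255.255.255
!
! 3. Interface ACL on the campus-facing side: permit only the services the
!    devices should receive. Pre-8.3 interface ACLs reference the mapped address.
!    The final deny is logged so rejected attempts show up in syslog.
access-list CAMPUS-IN extended permit tcp any 10.1.50.0 255.255.255.0 eq www
access-list CAMPUS-IN extended permit tcp any 10.1.50.0 255.255.255.0 eq https
access-list CAMPUS-IN extended deny ip any any log
access-group CAMPUS-IN in interface outside
!
! 4. Require RADIUS authentication (cut-through proxy) before that traffic
!    is allowed through, which produces the username/password prompt the
!    original post asks about.
access-list DEVICE-AUTH extended permit tcp any 10.1.50.0 255.255.255.0 eq www
access-list DEVICE-AUTH extended permit tcp any 10.1.50.0 255.255.255.0 eq https
aaa authentication match DEVICE-AUTH outside CAMPUS-RADIUS
!
! 5. Cache the authenticated user so each new connection is not re-prompted.
timeout uauth 0:30:00 absolute
```

Two caveats worth knowing before relying on this. First, the ASA can only pop up a login prompt for HTTP, HTTPS, Telnet and FTP; if the devices are reached over any other protocol, users must authenticate first through one of those (or through the `virtual telnet`/`virtual http` features described in the linked guide) before the other traffic is permitted. Second, verify the RADIUS path before cutting users over: `test aaa-server authentication CAMPUS-RADIUS host 10.0.0.5 username <user> password <pass>` checks the ASA-to-IAS exchange, and `show uauth` lists who is currently authenticated and from which address.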
