ASA NAT or ACL

Answered Question
Jul 12th, 2008

Which is better to deny certain IP addresses on the inside interface access to the internet:

1. Do not set up the specific IP addresses with NAT rules.

2. Create an ACL to deny access for the specific network addresses.

ray_stone Sat, 07/12/2008 - 16:32

Hi, here I would suggest you create an access-list, or you can go by making an AAA server.

Correct Answer
JORGE RODRIGUEZ Sat, 07/12/2008 - 16:35

I would have a different approach.

You could create a network object group called internet access, and add hosts to that group that will be permitted internet; you would just need to add a host to the object group, or remove the host, for no internet. I think it is much easier this way than having many access lists per host IP, or many NAT statements.

Example:

object-group network Subnet_20.20.20.0
 description Outbound_Internet
 network-object 20.20.20.20 255.255.255.255
 network-object 20.20.20.21 255.255.255.255
 ... and so on

Create a single access list allowing outbound internet access:

access-list inside_access_in permit ip object-group Subnet_20.20.20.0 any
access-group inside_access_in in interface inside

Or you could reverse the above to block internet access with a deny access-list, adding hosts to the group for no internet.

HTH

Jorge
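
To see how the two object-group variants Jorge describes behave, here is an added example (not from the thread or from Cisco) that parses the ASA object-group and access-list lines into a first-match evaluator with the ASA's implicit deny, and runs source addresses through both the allow-list form above and the inverted deny-group form. The sample configs, the No_Internet group name and the destination address are constructed for the example; only ip-level entries are modelled, not ports or protocols.

```python
import ipaddress

def parse_addr(tok):
    """Consume one ASA address spec: any | object-group NAME | host A | A MASK."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "object-group":
        return tok[1], tok[2:]  # group name, resolved when matching
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_asa(config):
    """Collect object-group network members and access-list entries (ip-level only)."""
    groups, acls, members = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "description":
            continue
        if tok[:2] == ["object-group", "network"]:
            members = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            members.append(parse_addr(tok[1:])[0])
        elif tok[0] == "access-list":  # access-list NAME action proto SRC DST
            src, rest = parse_addr(tok[4:])
            acls.setdefault(tok[1], []).append((tok[2], src, parse_addr(rest)[0]))
    return groups, acls

def matches(spec, groups, ip):
    nets = groups[spec] if isinstance(spec, str) else [spec]
    return any(ip in n for n in nets)

def outbound_decision(config, acl_name, src_ip, dst_ip="198.51.100.10"):
    """First-match evaluation as the ASA applies the ACL inbound on 'inside'."""
    groups, acls = parse_asa(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_spec, dst_spec in acls.get(acl_name, []):
        if matches(src_spec, groups, src) and matches(dst_spec, groups, dst):
            return action
    return "deny"  # implicit deny at the end of every ASA access list

# Constructed configs: Jorge's allow-list form (group + implicit deny) and its inversion
# (deny-group, then permit everyone else); host addresses are the ones from the thread.
ALLOW_LIST = """object-group network Subnet_20.20.20.0
 description Outbound_Internet
 network-object host 20.20.20.20
 network-object 20.20.20.21 255.255.255.255
access-list inside_access_in permit ip object-group Subnet_20.20.20.0 any"""
BLOCK_LIST = """object-group network No_Internet
 network-object host 20.20.20.20
access-list inside_access_in deny ip object-group No_Internet any
access-list inside_access_in permit ip any any"""
```

Membership in the group alone flips the outcome in each form, which is the single point of maintenance Jorge is after; a host missing from the allow-list group falls to the implicit deny rather than to a NAT omission.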

sjones1966 Sat, 07/12/2008 - 18:19

Thanks Jorge - I had been using NAT statements to permit/deny IP access, but while at first these were quite simple, as requirements have changed over time the list has grown and looks messy. To keep the NAT statement simple I had even considered changing the IP addresses of devices, but unfortunately this isn't feasible.

I like your solution as it will provide a single location to maintain all internet access from.

I guess it will also alert me to any denied devices that may be trying to access the internet.

While not a problem for me, is there any potential impact on performance using ACLs over omitting addresses from NAT statements?
