ASA Nat or ACL

Answered Question
Jul 12th, 2008
Which is the better way to deny certain IP addresses on the inside interface access to the Internet:

1. Do not set up the specific IP addresses with NAT rules.

2. Create an ACL to deny access for the specific network addresses.




ray_stone Sat, 07/12/2008 - 16:32

Hi, here I would suggest you create an access-list, or you can go by setting up an AAA server.

Correct Answer
JORGE RODRIGUEZ Sat, 07/12/2008 - 16:35

I would have a different approach.

You could create a network object group called internet access and add the hosts to that group that will be permitted Internet; you would just need to add a host to the object group, or remove the host for no Internet. I think it is much easier this way than having many access lists per host IP, or many NAT statements.

example

object-group network Subnet_20.20.20.0
 description Outbound_Internet
 network-object host 20.20.20.20
 network-object host 20.20.20.21
 and so on ..

create a single access list allowing outbound Internet access

access-list inside_access_in permit ip object-group Subnet_20.20.20.0 any
access-group inside_access_in in interface inside

or you could reverse the above to block Internet access with a deny access-list, and add hosts to the group for no Internet.



HTH

Jorge
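The two forms Jorge describes (an allow-list group with a single permit, and the inverted deny-list group) differ in one way that bites in practice: the ASA ends every ACL with an implicit deny, so an inside host that is not in the allow-list group loses not just the Internet but every other interface too (DMZ, site-to-site peers), unless earlier lines permit that. The model below is an added example written for this thread, not the post's own configuration and not Cisco code; it parses only the small subset of ASA syntax used here (network object-groups, `ip` ACEs with any/host/subnet/object-group fields), evaluates first-match with the implicit deny, and runs both policies over a few constructed flows. The group name `No_Internet`, the host 20.20.20.30, the internal range 10.0.0.0/8 and the sample flows are assumptions for the example.

```python
"""First-match evaluation of an ASA-style ACL that references object-groups.

Constructed model for this thread, not an ASA emulator: it handles only the
syntax subset used here (network object-groups with host/subnet members, and
'ip' ACEs whose source/destination are any, host, subnet+mask or object-group).
Like the ASA, an ACL ends with an implicit deny.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Allow-list form from the thread (hosts are the post's example values).
ALLOW_LIST = """\
object-group network Outbound_Internet
 description Outbound_Internet
 network-object host 20.20.20.20
 network-object host 20.20.20.21
access-list inside_access_in permit ip object-group Outbound_Internet any
"""

# Inverted (deny-list) form: hosts in the group lose the Internet, everyone
# else keeps it.  The first ACE is an assumption for this example: it keeps
# internal 10/8 reachable for blocked hosts; 'deny ... any' alone would cut that.
DENY_LIST = """\
object-group network No_Internet
 network-object host 20.20.20.30
access-list inside_access_in permit ip any 10.0.0.0 255.0.0.0
access-list inside_access_in deny ip object-group No_Internet any
access-list inside_access_in permit ip any any
"""


@dataclass
class Ace:
    action: str   # 'permit' or 'deny'
    src: list     # IPv4Networks; an object-group field shares the group's list
    dst: list


def _addr(tok, i, groups):
    """Parse one address field starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [Net("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [Net(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2                      # shared reference
    return [Net(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2  # ip + subnet mask


def parse_policy(text):
    """Return (groups, acls): group name -> member list, ACL name -> list of Ace."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", "description"):
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            if current is None:
                raise ValueError("network-object outside an object-group")
            member = Net(tok[2]) if tok[1] == "host" else Net(f"{tok[1]}/{tok[2]}", strict=False)
            current.append(member)
        elif tok[0] == "access-list":
            if tok[3] != "ip":
                raise ValueError(f"only 'ip' ACEs are modelled: {raw}")
            src, i = _addr(tok, 4, groups)
            dst, _ = _addr(tok, i, groups)
            acls.setdefault(tok[1], []).append(Ace(tok[2], src, dst))
        else:
            raise ValueError(f"unsupported line: {raw}")
    return groups, acls


def evaluate(acl, src_ip, dst_ip):
    """First matching ACE wins; no match is the implicit deny (line None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line_no, ace in enumerate(acl, 1):
        if any(s in n for n in ace.src) and any(d in n for n in ace.dst):
            return ace.action, line_no
    return "deny", None


def add_host(groups, group_name, ip):
    """Grant or revoke by editing the group, as the answer suggests; ACEs see it at once."""
    groups[group_name].append(Net(ip))


def verdicts(policy_text, flows, acl_name="inside_access_in"):
    """Map each (src, dst) flow to permit/deny under the given policy text."""
    _, acls = parse_policy(policy_text)
    return {f: evaluate(acls[acl_name], *f)[0] for f in flows}


# Constructed sample flows: a listed host, an unlisted host, and the unlisted
# host talking to an internal (assumed 10/8) server rather than the Internet.
FLOWS = [("20.20.20.20", "8.8.8.8"), ("20.20.20.30", "8.8.8.8"), ("20.20.20.30", "10.1.1.5")]

if __name__ == "__main__":
    for name, policy in (("allow-list", ALLOW_LIST), ("deny-list", DENY_LIST)):
        print(name, verdicts(policy, FLOWS))
```

Running it shows the allow-list policy denying 20.20.20.30 to the internal 10.1.1.5 as well as to the Internet, which is the implicit deny at work; the allow-list form needs its own `permit ip any 10.0.0.0 255.0.0.0` (or equivalent) above the group permit if internal traffic must keep flowing. On the NAT side of the original question, whether an inside host left out of NAT is dropped on an ASA of that era depends on `nat-control`, which is off by default, so the packet may simply leave untranslated with its private source address; an ACL deny is explicit regardless, is visible in `show access-list` hit counts, and can be logged.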

sjones1966 Sat, 07/12/2008 - 18:19

Thanks Jorge - I had been using NAT statements to permit/deny IP access, but while at first these were quite simple, as requirements have changed over time the list has grown and looks messy. To keep the NAT statements simple I had even considered changing the IP addresses of devices, but unfortunately this isn't feasible.

I like your solution as it will provide a single location from which to maintain all Internet access.

I guess it will also alert me to any denied devices that may be trying to access the Internet.

While not a problem for me, is there any potential impact on performance from using ACLs over omitting addresses from NAT statements?
