Help on access-list command to give internet access to 2 hosts

Unanswered Question
Sep 9th, 2010

Hello

I have one headquarters and 2 remote sites.

The headquarters is connected to each remote site with a VPN connection.

The users on the remote sites have access to all resources on the central site (headquarters), but they don't have access to the internet.

Now it works.

I want to give internet access to 2 users (172.25.2.10 and 172.25.2.11) at the remote site.

See below the commands that I am planning to add on the 2801 router at the remote 1 site:

ip access-list extended remote1internet
 permit ip host 172.25.2.10 host 172.25.0.100
 permit ip host 172.25.2.11 host 172.25.0.100

Do I need to add any other commands on the same router, or on the 2821 router at the headquarters?

Please help

Giuseppe Larosa Thu, 09/09/2010 - 11:21

Hello Nicanor00,

Access to the public internet means:

the remote site hosts' IP addresses need to be translated to public IP addresses at the central site.

No changes are needed at the remote site router, and by the way you need to permit access to any IP address, not only to the router at the central site.

You would need:

ip access-list extended remote1internet
 permit ip host 172.25.2.10 any
 permit ip host 172.25.2.11 any

On the central site router or firewall that performs NAT for the IP addresses of the central site, you need to modify the ACL that decides what has to be translated, to allow translation of the specified remote site hosts.

Example for an IOS router (to be done at the central site):

ip nat inside source list 111 interface overload
! is just a placeholder for the interface to the internet

In ACL 111 you need to add these lines:

! I suppose 172.25.0.0/16 is your central site / intranet; you don't need to translate when going to another internal network
access-list 111 deny ip 172.25.2.10 0.0.0.1 172.25.0.0 0.0.255.255
access-list 111 permit ip host 172.25.2.10 any
access-list 111 permit ip host 172.25.2.11 any

Check the configuration of the internet-facing router to understand how to change it to provide internet access to those two hosts.

Hope this helps

Giuseppe

nicanor00 Sat, 09/11/2010 - 03:07


Thanks for your answer.

The gateway router to the internet (172.25.0.4) is a small router with NAT configured.

I cannot configure access-lists on that router.

I can configure access-lists only on the remote1 router (2801) and the central VPN router (2821).

Now all users can access the internet.

All users on remote1 should have full access to the resources at the central site.

But I want to give internet access on remote1 only to users 172.25.2.10, 172.25.2.11, 172.25.2.12 and 172.25.2.13.

Please help
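To see how the entries in this thread actually evaluate, here is an added example in Python; it is not code from the thread, from Cisco, or from either poster. It is a small evaluator for IOS extended `ip` entries (wildcard masks, first match wins, implicit `deny ip any any`) and runs three ACLs against constructed flows: the ACL from the original post with its syntax corrected, the NAT ACL 111 lines from Giuseppe's reply, and a candidate ACL for the follow-up requirement above (only four remote1 hosts allowed to the internet, everyone allowed to the central site), which is my suggestion, not something the thread settled on. The public address 198.51.100.7, the remote1 LAN being 172.25.2.0/24 and the intranet being 172.25.0.0/16 are assumptions.

```python
import ipaddress
from collections import namedtuple

# One access-control entry. src/dst are "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
# (address followed by a Cisco wildcard mask).
Ace = namedtuple("Ace", "action src dst")


def _take_spec(toks):
    """Consume one address spec from the token list; return (spec, remaining tokens)."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]  # address + wildcard mask


def parse_ace(line):
    """Parse 'permit ip <src> <dst>' or 'access-list N permit ip <src> <dst>' (ip only)."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]  # drop 'access-list <number>'
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _take_spec(rest)
    dst, rest = _take_spec(rest)
    if rest:
        raise ValueError(f"trailing tokens in: {line}")
    return Ace(action, src, dst)


def parse_acl(text):
    """Parse one entry per line; blank lines and '!' comment lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_ace(ln) for ln in lines if ln and not ln.startswith("!")]


def matches(spec, addr):
    """Cisco wildcard match: a 1 bit in the wildcard mask means 'don't care' for that bit."""
    if spec == "any":
        return True
    parts = spec.split()
    net, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    return (n ^ a) & ~w & 0xFFFFFFFF == 0


def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace.src, src) and matches(ace.dst, dst):
            return ace.action
    return "deny"


# ACL from the original post (syntax corrected): it names a single destination only.
ORIGINAL_PLAN = parse_acl("""
permit ip host 172.25.2.10 host 172.25.0.100
permit ip host 172.25.2.11 host 172.25.0.100
""")

# Lines Giuseppe adds to the central-site NAT ACL 111. Here 'permit' means "translate";
# the leading deny keeps traffic to the intranet (172.25.0.0/16, his assumption) untranslated.
NAT_ACL_111 = parse_acl("""
access-list 111 deny ip 172.25.2.10 0.0.0.1 172.25.0.0 0.0.255.255
access-list 111 permit ip host 172.25.2.10 any
access-list 111 permit ip host 172.25.2.11 any
""")

# Candidate for the follow-up question (my assumption, not from the thread): applied inbound
# on the 2801's LAN interface; assumes remote1 LAN is 172.25.2.0/24 and HQ is 172.25.0.0/16.
REMOTE1_LAN_IN = parse_acl("""
permit ip 172.25.2.0 0.0.0.255 172.25.0.0 0.0.255.255
permit ip host 172.25.2.10 any
permit ip host 172.25.2.11 any
permit ip host 172.25.2.12 any
permit ip host 172.25.2.13 any
deny ip any any
""")

INTERNET_HOST = "198.51.100.7"  # constructed public address (TEST-NET-2), not from the thread


def check_flows():
    """Return {(acl name, src, dst): decision} for a set of constructed flows."""
    flows = [
        ("original", ORIGINAL_PLAN, "172.25.2.10", INTERNET_HOST),   # never matches: deny
        ("nat111", NAT_ACL_111, "172.25.2.10", "172.25.0.100"),       # intranet: not translated
        ("nat111", NAT_ACL_111, "172.25.2.11", INTERNET_HOST),        # .11 via wildcard then host
        ("nat111", NAT_ACL_111, "172.25.2.12", INTERNET_HOST),        # not listed: implicit deny
        ("remote1", REMOTE1_LAN_IN, "172.25.2.12", INTERNET_HOST),    # one of the four hosts
        ("remote1", REMOTE1_LAN_IN, "172.25.2.20", INTERNET_HOST),    # other host: blocked
        ("remote1", REMOTE1_LAN_IN, "172.25.2.20", "172.25.0.100"),   # central site still open
    ]
    return {(name, s, d): evaluate(acl, s, d) for name, acl, s, d in flows}


if __name__ == "__main__":
    for (name, s, d), verdict in check_flows().items():
        print(f"{name:9} {s:>12} -> {d:<14} {verdict}")
```

Two things the run makes visible: the original post's list never matches internet destinations, which is the point of Giuseppe's "permit ... any", and `172.25.2.10 0.0.0.1` covers both .10 and .11 because the last bit is a don't-care, so the deny line must sit before the permits or the NAT ACL would translate intranet traffic too. The candidate list for the follow-up relies on the same ordering (central-site permit first, explicit deny last); on IOS it would be attached to the LAN-facing interface with `ip access-group <name> in`.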
