Help on access-list command to give 2 hosts access to the internet

Sep 9th, 2010

I have one headquarters and 2 remote sites.

The headquarters is connected to each remote site with a VPN connection.

The users at the remote sites have access to all resources at the central site (headquarters), but they don't have access to the internet.

Right now this works.

I want to give internet access to 2 users ( and at the remote site.

See below the commands that I am planning to add on the 2801 router at the remote 1 site:

ip access-list extended remote1internet

permit ip host

permit ip host

Do I need to add any other command on the same router or on the 2821 router at the headquarters?

Please help.

Giuseppe Larosa Thu, 09/09/2010 - 11:21

Hello Nicanor00,

Access to the public internet means:

remote site hosts' IP addresses need to be translated to public IP addresses at the central site.

No changes are needed at the remote site router, and by the way you need to permit access to any IP address, not only to the router at the central site.

You would need

ip access-list extended remote1internet

permit ip host any

permit ip host any

On the central site router or FW that performs NAT for the IP addresses of the central site, you need to modify the ACL that decides what has to be translated, to allow translation of the specified remote site hosts.

Example for an IOS router (to be done at the central site):

ip nat inside source list 111 interface overload

! is just a placeholder for the interface to the internet

In ACL 111 you need to add these lines:

! I suppose is your central site / intranet; you don't need to translate when going to another internal network

access-list 111 deny ip

access-list 111 permit ip host any

access-list 111 permit ip host any

Check the configuration of the internet-facing router to understand how to change it to provide internet access to those two hosts.

Hope to help


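To make both halves of Giuseppe's reply concrete, here is an added worked configuration; it is not from the original thread and not taken from either router in it. It assumes a central LAN of 10.1.0.0/16 behind the 2821, a remote1 LAN of 10.2.0.0/24 with 10.2.0.10 and 10.2.0.11 as the two permitted hosts, that the 2821 itself performs the NAT on GigabitEthernet0/0, and that the site-to-site VPN terminates on a tunnel interface (Tunnel0) of the 2821. Every address and interface name is a placeholder chosen for the example.

```ios
! Added example, not from the thread. All addresses and interface
! names below are assumptions:
!   central LAN               10.1.0.0/16  (behind the 2821)
!   remote1 LAN               10.2.0.0/24  (reached over the VPN)
!   remote1 hosts allowed out 10.2.0.10 and 10.2.0.11
!   2821 internet Gi0/0, central LAN Gi0/1, VPN Tunnel0
!   2801 LAN                  FastEthernet0/0
!
! ===== central 2821: the NAT ACL decides WHO gets a public address =====
! Site-to-site traffic stays private, so it is never translated.
! A "deny" here means "do not NAT", not "drop": the packet is still routed.
access-list 111 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255
access-list 111 deny   ip 10.2.0.0 0.0.0.255   10.1.0.0 0.0.255.255
! Central-site hosts keep the internet access they already have.
access-list 111 permit ip 10.1.0.0 0.0.255.255 any
! Exactly two remote1 hosts are translated. Any other 10.2.0.x source
! falls through to the implicit deny, is not translated, and therefore
! never leaves with a routable source address.
access-list 111 permit ip host 10.2.0.10 any
access-list 111 permit ip host 10.2.0.11 any
!
ip nat inside source list 111 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description Internet
 ip nat outside
!
interface GigabitEthernet0/1
 description central LAN
 ip nat inside
!
interface Tunnel0
 description VPN to remote1 (assumed VTI, so NAT treats it as inside)
 ip nat inside
!
! ===== remote1 2801: enforce the same policy at the edge =====
! The two "permit ip host ... any" lines alone would, once applied to an
! interface, cut every other user off from the central site, so the
! site-to-site traffic is permitted explicitly before the final deny.
ip access-list extended remote1internet
 permit ip host 10.2.0.10 any
 permit ip host 10.2.0.11 any
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip any any log
!
interface FastEthernet0/0
 description remote1 LAN
 ip access-group remote1internet in
```

Two checks before trusting this: the VPN's interesting-traffic selection on both ends (crypto ACL, or routing into the tunnel for a VTI) must carry 10.2.0.10 and 10.2.0.11 to any into the tunnel, not only 10.2.0.0/24 to 10.1.0.0/16, otherwise their internet-bound packets never reach the NAT router; and `show ip nat translations` on the 2821 should list entries for those two hosts only. If the 2801 serves DHCP or DNS to its LAN, add permits for those to the router's own address before the final deny. The `deny ip any any log` makes attempts by other remote users visible in the 2801's log. Note that the follow-up in this thread says the NAT is actually done by a separate small router that cannot be edited; in that case only the 2801 half of this example can be applied, and it becomes the sole enforcement point.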
nicanor00 Sat, 09/11/2010 - 03:07

Thanks for your answer.

The router gateway to the internet ( is a small router with NAT configured.

I cannot configure access-lists on that router.

I can configure access-lists only on the remote1 router (2801) and the central VPN router (2821).

Now all users can access the internet.

All users on remote1 should have full access to the resources at the central site.

But I want to give internet access on remote1 only to users,, and

Please help.

nicanor00 Mon, 09/13/2010 - 02:51


Can somebody please help?

Thanks in advance.

