Cisco Support Community
ASA Nat or ACL

Which is the better way to deny certain IP addresses on the inside interface access to the internet:

1. Do not set up the specific IP addresses with NAT rules.

2. Create an ACL to deny access for the specific network addresses.

Accepted Solution

Re: ASA Nat or ACL

I would have a different approach.

You could create a network object group called internet access, add hosts to that group that will be permitted internet; you would just need to add a host to the object group, or remove the host for no internet. I think it is much easier this way than having many access lists per host IP, or many NAT statements.

example

object-group network Subnet_20.20.20.0
 description Outbound_Internet
 network-object 20.20.20.20 255.255.255.255
 network-object 20.20.20.21 255.255.255.255

and so on ..

create a single access list allowing outbound internet access

access-list inside_access_in extended permit ip object-group Subnet_20.20.20.0 any
access-group inside_access_in in interface inside

Or you could revert the above to block internet access with a negate access-list, and add hosts to the group for no internet.

HTH

Jorge
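
As an added example, not Jorge's config or anything from the original post, here is the allow-list approach written out in full ASA 8.3+ syntax, together with the deny-list inversion he mentions and a single subnet-wide NAT rule, so NAT stays simple and the ACL carries the policy. The object and interface names (inside/outside), the 20.20.20.x hosts and the subnet mask are assumptions for illustration.

```cisco
! Added example, not from the original post. Object names, interface
! names and the 20.20.20.x addresses are assumptions for illustration.
! Syntax is ASA 8.3+ (object NAT, real addresses in interface ACLs).

! One NAT rule for the whole inside subnet. Who gets out is decided
! by the interface ACL below, not by which hosts appear in NAT.
object network INSIDE_NET
 subnet 20.20.20.0 255.255.255.0
 nat (inside,outside) dynamic interface

! ---- Variant A: allow-list -------------------------------------------
! Hosts in this group may reach the Internet; every other inside host is
! dropped by the implicit deny at the end of the ACL.
object-group network INTERNET_ALLOWED
 description Inside hosts permitted outbound Internet access
 network-object host 20.20.20.20
 network-object host 20.20.20.21

access-list inside_access_in extended permit ip object-group INTERNET_ALLOWED any
! Explicit, logged deny so blocked hosts show up in syslog (%ASA-4-106023)
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside

! ---- Variant B: deny-list (the inversion Jorge describes) -------------
! Hosts in this group are blocked and logged; everyone else is permitted.
! Apply only one variant per interface/direction; binding this ACL with
! access-group replaces the one above.
object-group network INTERNET_DENIED
 description Inside hosts blocked from outbound Internet access
 network-object host 20.20.20.30

access-list inside_access_in_denylist extended deny ip object-group INTERNET_DENIED any log
access-list inside_access_in_denylist extended permit ip any any
access-group inside_access_in_denylist in interface inside
```

To move a host between "allowed" and "blocked", edit the object group only; the ACL and NAT lines never change. Per-entry hit counts are visible with `show access-list inside_access_in`, and each logged deny appears as a %ASA-4-106023 message naming the source host and the access-group, which is what makes denied devices visible. One caveat on the NAT-omission approach from the question: from ASA 8.3 onward `nat-control` no longer exists, so an inside host with no matching NAT rule is not dropped; its packets are forwarded untranslated if a route exists. The interface ACL is the control that actually enforces the deny.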

4 Replies

Re: ASA Nat or ACL

Hi, here I would suggest you create an access-list, or you can go by making an AAA server.


Re: ASA Nat or ACL

Yeah, you can...

Re: ASA Nat or ACL

Thanks Jorge - I had been using NAT statements to permit/deny IP access, but while at first these were quite simple, as requirements have changed over time the list has grown and looks messy. To keep the NAT statements simple I had even considered changing the IP addresses of devices, but unfortunately this isn't feasible.

I like your solution as it will provide a single location to maintain all internet access from.

I guess it will also alert me to any denied devices that may be trying to access the internet.

While not a problem for me, is there any potential impact on performance from using ACLs rather than omitting addresses from NAT statements?
