Cisco Support Community
New Member

NAT question: one outside address permitted to all inside addresses

What is the proper config to allow a single outside address access to every device, on multiple ports, on an inside network?

We have a vendor that supports our access points and other wifi related devices at one of our remotes sites.

The only subnet in use at this site is the inside network with subnet 192.168.223.0/24

I am hoping I do not need to create a static entry for every device and every port, because there are a lot!

This is what I have in the 5505 (ios 8.2) to allow them access:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.223.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
route inside 192.168.223.0 255.255.255.0 192.168.223.254 1
!
name 99.99.99.99 vendor
!
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended deny ip host vendor host 192.168.223.251
access-list outside_access_in_1 extended permit tcp host vendor any object-group xxx
access-list outside_access_in_1 extended permit udp host vendor any object-group xxx
!
global (outside) 1 100.100.100.3 netmask 255.255.255.0
nat (inside) 1 192.168.223.0 255.255.255.0
!
access-group outside_access_in_1 in interface outside

None of the inside devices need to initiate access to the outside. All of the traffic these inside devices generate goes to the 192.168.223.251 device, which is a server with dual-connected NICs.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

NAT question: one outside address permitted to all inside addresses

Hi,

If the Vendor does not have any existing connection to your network and wants to connect to your internal network devices through the Internet, then every device would need a public IP address. But this isn't really an option with so many devices.

I would suggest that you either provide the Vendor access to your network through a VPN Client connection or, better yet, configure an L2L VPN connection between your site and the Vendor site.

This would enable the Vendor to connect to your devices with their actual IP addresses.

You could control the Vendor access either with a VPN Filter ACL specific to their VPN connection, or use an interface ACL to control this traffic, provided that some other settings were also changed.

But as I said, if the Vendor is attempting to connect through the Internet without any VPN connection, then every device would need its own public IP address, OR you would have to have a DMZ server to which the Vendor connects, and the Vendor would have limited access through the DMZ server to the devices required.

Hope this helps

- Jouni

2 REPLIES
New Member

NAT question: one outside address permitted to all inside addresses

Jouni

Thanks for the response.

I think the VPN tunnel is the best idea.
