New Member

Need help for access list problem

Cisco 2901 ISR

I need help with my configuration. Although it is working fine, it is not secure, because everybody can access the internet.

I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.

Anybody can help?

DENY    10.25.0.1 – 10.25.0.255
        10.25.1.1 – 10.25.1.255

Permit only 1 host for Internet:

        10.25.7.136  255.255.255.192 ------ TMG Server

Using access-list.

( Current configuration )

object-group network IP
 description Block_IP
 range 10.25.0.2 10.25.0.255
 range 10.25.1.2 10.25.1.255

interface GigabitEthernet0/0
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in max-fragments 64 max-reassemblies 256
 duplex auto
 speed auto

interface GigabitEthernet0/1
 description ### ADSL WAN Interface ###
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1

interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive

interface Dialer1
 description ### ADSL WAN Dialer ###
 ip address negotiated
 ip mtu 1492
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxxx password 7 xxxxxxxxx

ip nat inside source list 101 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1

access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny   ip object-group IP any

From the 4500 Catalyst switch

( Current Configuration )

interface GigabitEthernet0/48
 no switchport
 ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42

ip route 0.0.0.0 0.0.0.0 192.168.2.3

6 REPLIES
Purple

Need help for access list problem

Hi,

ip access-list extended 101
 5 permit ip host 10.25.7.136 any
 no 10

This way you'll only NAT this host and not the others, so they won't be able to get to the Internet.

Regards

Alain

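To see why the original NAT source list leaks and why the one-line fix above closes the hole, here is an added example (not from the thread, not Cisco code) that models IOS extended-ACL evaluation in Python: ordered first-match, implicit deny at the end, wildcard masks, `host`, and the `object-group` form. It only handles the source-based `... any` ACEs that appear in this thread; the sample hosts are constructed.

```python
import ipaddress

# Object group copied from the thread: name -> list of (first, last) ranges.
OBJECT_GROUPS = {"IP": [("10.25.0.2", "10.25.0.255"), ("10.25.1.2", "10.25.1.255")]}


def parse_ace(line):
    """Parse '[seq] permit|deny ip <host A | A WILDCARD | object-group NAME | any> any'
    and return (action, matcher) where matcher(IPv4Address) -> bool."""
    tok = line.split()
    if tok[0].isdigit():          # optional sequence number (e.g. '5 permit ...')
        tok = tok[1:]
    action, proto, src = tok[0], tok[1], tok[2:]
    if proto != "ip" or src[-1] != "any":
        raise ValueError("only 'ip <source> any' ACEs are modelled: " + line)
    if src[0] == "host":
        h = ipaddress.ip_address(src[1])
        return action, lambda ip: ip == h
    if src[0] == "object-group":
        rng = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in OBJECT_GROUPS[src[1]]]
        return action, lambda ip: any(a <= ip <= b for a, b in rng)
    if src[0] == "any":
        return action, lambda ip: True
    # IOS wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    net, wild = int(ipaddress.ip_address(src[0])), int(ipaddress.ip_address(src[1]))
    keep = ~wild & 0xFFFFFFFF
    return action, lambda ip: (int(ip) & keep) == (net & keep)


def acl_permits(acl_lines, src_ip):
    """First matching ACE decides; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, match in map(parse_ace, acl_lines):
        if match(ip):
            return action == "permit"
    return False


def nat_candidates(acl_lines, hosts):
    """Hosts whose traffic the 'ip nat inside source list' statement would translate."""
    return [h for h in hosts if acl_permits(acl_lines, h)]


# Original list 101 from the post: every 10.25.x.x source is translated.
ORIGINAL_ACL_101 = ["permit ip 10.25.0.0 0.0.255.255 any"]
# Alain's fix: seq 5 permits only the TMG host; the old seq 10 is removed.
FIXED_ACL_101 = ["5 permit ip host 10.25.7.136 any"]
# List 105 is defined but never applied; on its own it would also deny the TMG host
# (no permit entry, so every source hits the implicit deny).
UNUSED_ACL_105 = ["deny ip object-group IP any"]
SAMPLE_HOSTS = ["10.25.0.50", "10.25.1.20", "10.25.7.136", "10.25.51.10"]  # constructed
```

Running `nat_candidates(FIXED_ACL_101, SAMPLE_HOSTS)` returns only the TMG host, which is exactly the set of inside addresses the overload NAT will translate; the other clients must then reach the Internet through the TMG proxy.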
New Member

Re: Need help for access list problem

I already use this command before, but it didn't work. The internet is disconnected.

Purple

Need help for access list problem

Hi,

you mean other hosts can't get to Internet or this host can't ping 8.8.8.8 ?

Just make sure your clients are configured to use the proxy to get to the internet, then try to ping 8.8.8.8 from one of these clients and look at the NAT table with sh ip nat translation on the router.

Regards

Alain

Don't forget to rate helpful posts.
New Member

Need help for access list problem

Hello,

The host can't get an internet connection.

I removed this configuration:

access-list 101 permit ip 10.25.0.0 0.0.255.255 any

and changed the configuration to:

ip access-list extended 101
 5 permit ip host 10.25.7.136 any

In this case I allow only host 10.25.7.136, but it isn't working.

No internet connection from the TMG Server.

Purple

Need help for access list problem

Hi,

Does the TMG server know how to get to the internet? Has it got a default route pointing towards the router ?

Regards

Alain

Don't forget to rate helpful posts.
New Member

Need help for access list problem

From the 4500 Catalyst switch

( Current Configuration )

interface GigabitEthernet0/48
 no switchport
 ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42

ip route 0.0.0.0 0.0.0.0 192.168.2.3

TMG server

external lan 10.25.7.136 255.255.255.192
internal lan 10.25.51.10 255.255.255.0
