ACL issue - NAT?

kbullard00
Level 1

Hello

I am trying to set up an access list that blocks Sales from accessing the Accounting server but still allows Accounting to access it.

I have NAT overload running to spice things up a bit.

First I set up the ACL and applied it to the outgoing interface to Accounting server but that blocked both Sales and Accounting. I suspect it's a NAT issue.

So then I applied the ACL to the inbound interface on the Sales subnet.

Accounting can access the Accounting server now but Sales can't access anything and nothing can access Sales.

Any help would be appreciated.


5 Replies

Jon Marshall
Hall of Fame

kbullard00 wrote:

Hello

I am trying to set up an access list that blocks Sales from accessing the Accounting server but still allows Accounting to access it.

I have NAT overload running to spice things up a bit.

First I set up the ACL and applied it to the outgoing interface to Accounting server but that blocked both Sales and Accounting. I suspect it's a NAT issue.

So then I applied the ACL to the inbound interface on the Sales subnet.

Accounting can access the Accounting server now but Sales can't access anything and nothing can access Sales.

Any help would be appreciated.

Your diagram is not showing fully and it's not clear from your config which is accounting, which is sales etc., so it's a bit hard to help.

Which subnet is sales?

Which subnet is the accounting server in?

Which subnet are the accounting users in?

Are all these subnets connected to the same router?

Jon

Oops, sorry about that. I added interface IDs.

For efficiency you want to block access/traffic closest to the source.

Jon Marshall
Hall of Fame

Okay, still not 100% clear but it looks like -

Sales is on the fa0/1 interface

Accounting server is on the fa0/0 interface

so let's say Sales subnet = 192.168.5.0/24

Accounting server = 192.168.10.2

access-list 101 deny ip 192.168.5.0 0.0.0.255 host 192.168.10.2
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
!
int fa0/1
 ip access-group 101 in

Jon
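To see why the two-line ACL above works, and why an ACL that only contains the deny entry would cut Sales off from everything, here is a small evaluator for IOS-style standard/extended `ip` access-list entries. This is an added illustration, not code from the thread or from Cisco: it implements wildcard-mask matching (a set bit in the mask means "ignore this bit"), first-match semantics, and the implicit deny at the end of every IOS ACL. The ACL lines are Jon's; the source and destination addresses fed to it (192.168.5.10, 192.168.10.50, 203.0.113.7) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access control entry: action plus source/destination address and wildcard."""
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse an address spec at tokens[i]; return (address, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":                         # any -> match every address
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":                        # host A.B.C.D -> exact match
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))    # A.B.C.D W.X.Y.Z -> wildcard match
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' (protocol 'ip' only)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    src, src_w, i = _parse_addr(tokens, 4)
    dst, dst_w, _ = _parse_addr(tokens, i)
    return Ace(action, src, src_w, dst, dst_w)


def matches(ace, src_ip, dst_ip):
    """True if the packet's addresses match the entry under IOS wildcard semantics."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    src_ok = (s | ace.src_wild) == (ace.src_net | ace.src_wild)
    dst_ok = (d | ace.dst_wild) == (ace.dst_net | ace.dst_wild)
    return src_ok and dst_ok


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if matches(ace, src_ip, dst_ip):
            return ace.action
    return "deny"


# Jon's ACL from the accepted answer.
ACL_LINES = [
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 host 192.168.10.2",
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 any",
]
ACL = [parse_ace(line) for line in ACL_LINES]

# Same ACL without the trailing permit: only the deny entry plus the implicit deny.
ACL_WITHOUT_PERMIT = ACL[:1]

if __name__ == "__main__":
    # Constructed sample flows, as seen inbound on the Sales interface fa0/1.
    flows = [
        ("192.168.5.10", "192.168.10.2"),   # Sales host -> Accounting server
        ("192.168.5.10", "203.0.113.7"),    # Sales host -> Internet (pre-NAT address)
        ("192.168.10.50", "192.168.10.2"),  # non-Sales source, would not arrive on fa0/1
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: with permit any = {evaluate(ACL, src, dst)}, "
              f"deny only = {evaluate(ACL_WITHOUT_PERMIT, src, dst)}")
```

Applying the ACL inbound on fa0/1 means only packets sourced from the Sales subnet are ever evaluated against it, which is why a `permit ... any` for that subnet is enough to keep the rest of Sales' traffic flowing; the inbound ACL is also checked before NAT translates the source address, so the inside 192.168.5.x addresses are the ones to match on.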

That works thanks a bunch
