New Member

ACL issue - NAT?

Hello

I am trying to set up an access list that blocks Sales from accessing the Accounting server but still allows Accounting to access it.

I have NAT overload running to spice things up a bit.

First I set up the ACL and applied it to the outgoing interface to Accounting server but that blocked both Sales and Accounting. I suspect it's a NAT issue.

So then I applied the ACL to the inbound interface on the Sales subnet.

Accounting can access the Accounting server now but Sales can't access anything and nothing can access Sales.

Any help would be appreciated.

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: ACL issue - NAT?

Okay, still not 100% clear but it looks like -

sales is on the fa0/1 interface
accounting server is on the fa0/0 interface

so let's say sales subnet = 192.168.5.0/24
accounting server - 192.168.10.2

access-list 101 deny ip 192.168.5.0 0.0.0.255 host 192.168.10.2
access-list 101 permit ip 192.168.5.0 0.0.0.255 any

int fa0/1
 ip access-group 101 in

Jon
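To see why the accepted answer places the ACL inbound on the Sales interface rather than outbound toward the server, here is a small evaluator for Cisco-style numbered extended ACLs (wildcard masks, "host", "any", first match wins, implicit deny at the end). This is an added example, not code from the thread or from Cisco; the two access-list lines are the ones Jon posted, and the packet addresses (a Sales host 192.168.5.10, an Accounting user 192.168.10.50, an outside host 203.0.113.7) are constructed for the demonstration.

```python
"""Evaluate a Cisco-style extended ACL against sample packets.

Added example (not from the thread). Handles only 'ip' entries with
'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' address forms, which is all
the accepted answer uses.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    src_net: int    # source network as a 32-bit int
    src_wild: int   # wildcard mask: bits set to 1 are "don't care"
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse an address spec starting at tokens[i].

    Returns (network_int, wildcard_int, index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(lines):
    """Parse 'access-list <num> <permit|deny> ip <src> <dst>' lines in order."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError("this example only handles 'ip' entries")
        src_net, src_wild, i = _parse_addr(t, 4)
        dst_net, dst_wild, _ = _parse_addr(t, i)
        entries.append(Entry(action, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    # Wildcard semantics: compare only the bits the mask leaves as 0.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries, src, dst):
    """Return (action, entry_index) of the first matching entry.

    entry_index is None when nothing matched: the implicit deny that
    terminates every Cisco ACL.
    """
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for n, e in enumerate(entries):
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action, n
    return "deny", None


# The two lines from the accepted answer, applied 'in' on fa0/1 (Sales).
ACL_101 = [
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 host 192.168.10.2",
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 any",
]

# Constructed sample flows (src, dst, description).
SAMPLE_FLOWS = [
    ("192.168.5.10", "192.168.10.2", "Sales host -> Accounting server"),
    ("192.168.5.10", "203.0.113.7", "Sales host -> outside (via NAT)"),
    ("192.168.10.50", "192.168.10.2", "Accounting user -> Accounting server"),
]


def summarize(acl_lines=ACL_101, flows=SAMPLE_FLOWS):
    """Map each flow description to the ACL verdict for that flow."""
    acl = parse_acl(acl_lines)
    return {desc: evaluate(acl, s, d) for s, d, desc in flows}


if __name__ == "__main__":
    for desc, (action, idx) in summarize().items():
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{desc:40s} {action:6s} ({where})")
```

The third flow is the point: Accounting traffic never matches either line, so it falls through to the implicit deny. That is harmless when the ACL is applied inbound on fa0/1, because Accounting traffic never enters through that interface, but it is exactly what would block Accounting as well if the same two lines were applied on the interface facing the server, where both subnets' traffic passes. Applying the list inbound on the inside interface also means it is checked before inside-to-outside NAT translation, so the private 192.168.5.0/24 source addresses are still what the ACL sees.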

5 REPLIES
Hall of Fame Super Blue

Re: ACL issue - NAT?

Your diagram is not showing fully and it's not clear from your config which is accounting, which is sales etc., so it's a bit hard to help.

Which subnet is sales?

Which subnet is the accounting server in?

Which subnet are the accounting users in?

Are all these subnets connected to the same router?

Jon

New Member

Re: ACL issue - NAT?

Oops, sorry about that. I added interface IDs.

New Member

Re: ACL issue - NAT?

For efficiency you want to block access/traffic closest to the source.

New Member

Re: ACL issue - NAT?

That works, thanks a bunch.
