Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Access-list

I have a situation where an external company wants to NAT 6 of our addresses on their network for access to a server.

We do not want them to have access to anything else.

Is it possible to do this with an access list?

Fo example, if they wanted the addresses:

10.10.57.120 - 125 on this subnet

and everyone else is on the same subnet.

This company will need access to a server on the same subnet and a printer.

We do not want them to get to anything else.

What would be the best way to do this?

9 REPLIES
New Member

Re: Access-list

How is this company connecting to your network? I think this would help in determining where you would have to place the access list. Could you provide a diagram or an explanation of the connectivity?

Could you connect them via a DMZ interface and limit access using a Firewall?

New Member

Re: Access-list

They are actually at a remote site (which is part of our company, the remote site also has our users) and have their own connection into the building (not sure how).

The remote site is connecting to the main site via MPLS.

They will also need to access a server at the main site, (in addition to a server and printer at remote site)so they will be just like normal users as far as routing goes.

They are going to do the NATing on their router.

As far as what I have to do is just isolate those 6 addresses from everything other than what they need to get to.

I have extra ethernet ports if needed, but not sure how I could use if on the same subnet.

Re: Access-list

Write an ACL similar to the one noted below and apply it outbound on the interface connecting to the MPLS network at the remote site. Alternatively, you could apply the ACL in the inward direction on the router at the main site.

access-list 100 permit tcp 10.10.57.120 0.0.0.3 host (server_ip) eq (port_#)

access-list 100 permit tcp 10.10.57.124 0.0.0.1 host (server_ip) eq (port_#)

access-list 100 deny ip 10.10.57.120 0.0.0.3 any

access-list 100 deny ip 10.10.57.124 0.0.0.1 any

access-list 100 permit ip any any

HTH,

Sundar

New Member

Re: Access-list

Thanks,

Why didn't I think of that?

New Member

Re: Access-list

Will this access-list still allow everyone else in the same subnet access everything per normal?

New Member

Re: Access-list

If it's only six addresses wouldn't it be easier just to use host specific entries

permit ip host 10.10.57.20 eq

deny ip host 10.10.57.20 any

create these entries for each nat address then at the end

permit ip any any

This will restrict the natted addresses but will allow th rest of the subnet unrestricted access.

HTH

N

Re: Access-list

Yes, it will. What this ACL will do is allow the 6 hosts to access the server and deny these hosts access to everything else on your network + allow all other hosts access to everything on your network. Someone mentioned creating 6 host entries which isn't needed as this ACL achieves the task in fewer entries and is the optimal configuration.

Let us know if you have any other concerns.

-Sundar

New Member

Re: Access-list

The other client wants to connect his router to either my router or switch.

Would it be best to create a 30 bit network and connect him that way?

Is there any way to configure a ethernet port on my router in the same subnet as one already configured on that router?

Re: Access-list

If there's one PC that wants to connect to your network then you can configure the interface with a 30-bit mask and enable network access. Make sure that subnet gets advertised to other routers in your domain either via a routing protocol or static route. As far as your second question is concerned, you cannot assign a overlapping address to another interface on the same router.

HTH,

Sundar

107
Views
15
Helpful
9
Replies
CreatePlease to create content