Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL to permit dynamic range of source addresses

I have a DMZ that has DHCP configured with a range of 25 addresses. There are laptops that connect to wireless in the DMZ which have Integrity Agent installed on them, and are trying to contact an Integrity server located on the inside using port 5054. My problem is how do I account for these laptop users NAT translation so they can access the inside Integrity server without keying in 25 separate static (inside,DMZ) statements? Does some alternative solution exist?

Thank you,

Bill

11 REPLIES
New Member

Re: ACL to permit dynamic range of source addresses

I would try using policy PAT. Specify the 25 addresses in the policy access-list and translate them to a single address or interface address.

New Member

Re: ACL to permit dynamic range of source addresses

here is an example that might help:

access-list nat_DMZ_pool1_in_0 permit tcp 192.168.10.96 255.255.255.224 host 10.1.1.3 eq 5054

nat (DMZ) 1 access-list nat_DMZ_pool1_in_0 DMZ

The PAT pool (1) I used was 10.1.1.2

I used 192.168.10.1 as the DMZ address and 10.1.1.1 as the inside address for interfaces.

10.1.1.3 is the address of the inside server

New Member

Re: ACL to permit dynamic range of source addresses

I think I understand the concept, use and access list to select traffic to apply a nat pool to, but am having difficulty with the config.

i've created the access list to capture the hosts in the DHCP pool

access-list nat_DMZ_pool2_in permit tcp 192.168.32.96 255.255.255.224 host 10.6.6.15 eq 5054

then i configured nat

nat (DMZ) 2 access-list nat_DMZ_pool2_in 0 0

and the pool 2

global (DMZ) 2 192.168.32.5

my DMZ int add is 192.168.32.1

my inside host is 10.6.6.15 port 5054

Finally, I added a line to the access-list currently applied to my DMZ interface

access-list dmz_access_in permit tcp host 192.168.32.5 host 10.6.6.15 eq 5054

But I'm missing something cause it's not working yet.

New Member

Re: ACL to permit dynamic range of source addresses

change your access list applied to the DMZ interface to allow any source to the destination and see what happens. I am currently testing this on a PIX in my lab. I may have the policy PAT a bit off. When I am finished, I will post any changes I see that may be needed.

New Member

Re: ACL to permit dynamic range of source addresses

Changed the access-list, but still having trouble. I've attached an error the PDM produces about not supporting the policy nat commands in my config. Also, here is part of my config.

access-list dmz_access_in remark Access to Integrity

access-list dmz_access_in permit tcp any host 10.6.6.15 eq 5054

access-list nat_DMZ_pool2_in permit tcp 192.168.10.96 255.255.255.224 host 192.168.32.99 eq 5054 (also trid using access-list nat_DMZ_pool2_in permit tcp any host 192.168.32.99 eq 5054)

global (outside) 1 interface

global (DMZ) 1 interface

global (DMZ) 2 192.168.32.5

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 2 access-list nat_DMZ_pool2_in 0 0

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

access-group dmz_access_in in interface DMZ

thank you

New Member

Re: ACL to permit dynamic range of source addresses

I've found part of it. Found a sample config in my CCSP book.

nat (DMZ) 1 192.168.32.96 255.255.255.224 outside

global (inside) 1 10.4.0.50

The outside keyword in the nat statement is what did the trick. This statement allows my Integrity clients access to the integrity server, along with the access list. However, as soon as I apply that statement, my ability to reach the DMZ from the inside is lost.

New Member

Re: ACL to permit dynamic range of source addresses

How is your NAT to the DMZ handled? if it is a pool, then this is understandable. If it is, try changing your access from inside to DMZ to an Interface PAT.

New Member

Re: ACL to permit dynamic range of source addresses

No, I was using interface PAT. It's strange, I haven't been able to figure it out yet, but now it is working without translation...I setup the ACL on the DMZ to allow traffic from that subset of hosts, 192.168.32.96/28, and communication now occurs between dmz hosts and the integrity server.

access-list dmz_access_in remark Access to Integrity

access-list dmz_access_in permit tcp 192.168.32.96 255.255.255.224 host 10.6.6.15 eq 5054

HummPIX-515# sh global

global (outside) 1 interface

global (inside) 1 interface

global (DMZ) 1 interface

HummPIX-515# sh run | include nat

access-list inside_outbound_nat0_acl permit ip any 10.1.100.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

New Member

Re: ACL to permit dynamic range of source addresses

Does the Server do a push to the clients, or do the clients contact the server for updates?

Do you have "nat control" turned off?

New Member

Re: ACL to permit dynamic range of source addresses

The clients check in with the server, initially when they connect to the network, and then periodically while connected. I'm not sure what "nat control" is?

New Member

Re: ACL to permit dynamic range of source addresses

Nat control allows or denies traffic through your firewall with or without natting.

264
Views
2
Helpful
11
Replies
CreatePlease to create content