Cisco Support Community

New Member

How to set up NAT with ACLs/restricted access.

Old setup: our existing setup is a 5510 with remote-access VPN through a DSL link. This was done because we did not have the facility hooked into our LAN campus. Now we have the fiber in and the facility is set up on the local LAN. We want to decommission the VPN setup.

Well and good.

New setup: there will be about 10 internal devices (172.x.x.x) with 10 individual static NAT addresses configured on the 5510.

This way, all users on our local LAN can get to the 10 devices.

BUT, we only want certain LAN users to get to those devices. Those users will have various IP addresses because their desktops are set for DHCP. So how do I control access through the 5510?

The users would not mind if an extra username/password box popped up whenever they tried to access the 10 internal devices. Is there a way to do this?

Any help would be greatly appreciated.

We're running 7.2/5.2 as our software.

6 REPLIES
Hall of Fame Super Blue

Re: How to set up NAT with ACLs/restricted access.

Hi

Do you have a RADIUS/TACACS server in your infrastructure? What you want is to authenticate the user on the ASA before they get access to the devices.

Attached is a link to authenticating network access with the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043431

HTH

Jon

New Member

Re: How to set up NAT with ACLs/restricted access.

Thanks Jon,

No, we do not have a RADIUS/TACACS server on our network.

Is there another way to do this?

Also, what would be easier to set up: RADIUS or TACACS?

We do have some spare desktops with XP or Ubuntu, so would it be possible to set up RADIUS/TACACS fairly easily? Or do I need to buy licenses?

Gold

Re: How to set up NAT with ACLs/restricted access.

If you have a Win2K or 2K3 server you can install Internet Authentication Server (IAS); it's MS's free RADIUS implementation. I've set it up for both administrative access and remote VPN access. And this way, you can use Active Directory accounts with it as well.

New Member

Re: How to set up NAT with ACLs/restricted access.

Thanks srue.

One question: if I were to use a Win2K server, does it have to be on the same subnet as the Cisco 5510?

Or can they be on different subnets?

For example, the Win2K server would be in my office while the 5510 is in a different building on the campus (of course, there is a logical network path between my building and the other building).

Hall of Fame Super Blue

Re: How to set up NAT with ACLs/restricted access.

Hi

No it doesn't have to be on the same subnet. As long as the ASA can route to the W2K server you should be fine.

Jon

New Member

Re: How to set up NAT with ACLs/restricted access.

Can someone who has set up static NATs through a 5500 series ASA with a Windows 2K server-based RADIUS server please post the key commands?

This would tremendously help us in our configuration!
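The following is an added example, not a reply from anyone in this thread, showing the shape of an ASA 7.2 (pre-8.3) configuration that combines the static NATs from the original question with the RADIUS-backed authentication Jon describes (the ASA's cut-through proxy). It assumes the 10 devices sit on the ASA's inside interface in 172.16.1.0/24, the campus LAN is on the outside interface, and IAS runs at 10.10.10.5; every address, name and the shared secret are placeholders.

```cisco
! Added example (not from this thread): ASA 7.2 static NAT plus RADIUS
! cut-through proxy. All addresses, names and the secret are placeholders.
! Assumed layout: the 10 devices are on "inside" (172.16.1.0/24), the campus
! LAN is on "outside", and the Windows IAS box is at 10.10.10.5 on the campus.

! 1. RADIUS server group pointing at IAS (reachable through the outside interface)
aaa-server CAMPUS-RADIUS protocol radius
aaa-server CAMPUS-RADIUS (outside) host 10.10.10.5
 key PLACEHOLDER-SHARED-SECRET

! 2. One static NAT per device: campus-visible (mapped) address -> real inside
!    address. Repeat for each of the 10 devices.
static (inside,outside) 10.20.1.11 172.16.1.11 netmask 255.255.255.255
static (inside,outside) 10.20.1.12 172.16.1.12 netmask 255.255.255.255

! 3. Inbound ACL on outside. On pre-8.3 code (7.2 included) the ACL matches
!    the mapped 10.20.1.x address, not the real 172.16.1.x address.
access-list OUTSIDE-IN extended permit tcp any host 10.20.1.11 eq www
access-list OUTSIDE-IN extended permit tcp any host 10.20.1.12 eq www
access-group OUTSIDE-IN in interface outside

! 4. Traffic that must be authenticated against RADIUS before it is allowed.
!    Source is "any" because the users' desktops get DHCP addresses; which
!    users are allowed is decided by the accounts/policy on the IAS side.
access-list AUTH-TO-DEVICES extended permit tcp any host 10.20.1.11
access-list AUTH-TO-DEVICES extended permit tcp any host 10.20.1.12
aaa authentication match AUTH-TO-DEVICES outside CAMPUS-RADIUS

! 5. Lifetime of an authenticated user entry before the ASA prompts again
timeout uauth 0:30:00 absolute

! 6. The ASA can only prompt interactively for HTTP, HTTPS, Telnet and FTP.
!    For other protocols, users first log in to an unused address the ASA
!    answers on (virtual telnet), then the real connection is permitted.
virtual telnet 10.20.1.100
```

The username/password prompt the original poster mentions is exactly what step 4 produces for HTTP/HTTPS/Telnet/FTP sessions; the IAS remote access policy (for example, membership in a specific Active Directory group) is where "only certain LAN users" is enforced.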
