might that second line more properly be:

 access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log  ????

from the context, it would appear you want to deny inbound from the private
IP space 172.16.0.0 through 172.31.255.255

0001 0000 thru
0001 1111

the match is 0000 1111 ?

otherwise I read it as denying anything from 172.0.0.0 through
172.127.255.255, which includes a lot of public space ( although my q&d
searches of ARIN, RIPE, and APNIC do not find any registrations in the
entire 172 range )

Chuck


"Marc Russell" wrote in message news:[EMAIL PROTECTED]...
> I would use something like the access-list below and apply it inbound to
> your serial interface. Replace the 210.145.3.128 0.0.0.63 with your
> subnet. It might be a good idea to log the deny packets to a syslog server.
>
> access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
> access-list 101 deny   ip 172.0.0.0 0.127.255.255 any log
> access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
> access-list 101 permit tcp any 210.145.3.128 0.0.0.63 established
> access-list 101 permit udp any 210.145.3.128 0.0.0.63 gt 1023
> access-list 101 permit icmp any 210.145.3.128 0.0.0.63 host-unreachable
> access-list 101 permit icmp any 210.145.3.128 0.0.0.63 port-unreachable
> access-list 101 permit icmp any 210.145.3.128 0.0.0.63 packet-too-big
> access-list 101 permit icmp any 210.145.3.128 0.0.0.63 administratively-prohibited
> access-list 101 permit icmp any 210.145.3.128 0.0.0.63 source-quench
> access-list 101 permit icmp any 210.145.3.128 0.0.0.63 ttl-exceeded
> access-list 101 deny ip any any log
>
>
> Marc Russell
> Network Learning, Inc.
> 1677 W. Hamlin
> Rochester Hills, MI 48309
> Work PH# 248-299-8114
> Fax# 248-299-7975
> Pager# 810-681-0382
> Alpha Page (don't put text in the subject area)
> [EMAIL PROTECTED]
> E-Mail CCIE Boot Camp [EMAIL PROTECTED]
> WEB CCIE Boot  Camp www.ccbootcamp.com  (Check us out for CCIE lab exam
> preparation)
>
> "Joe Morabito" wrote in message news:[EMAIL PROTECTED]...
> > How can you apply an access list to a serial interface to block all
> > internet traffic without disabling the inside people from getting out?
> >
> > I have a 1720 with the serial deny ip any any  and the ethernet uses an
> > inside
> > addressing scheme with nat to get to the outside.
> >
> > But when I apply the deny ip any any and access-group xxx in to the
> > serial interface, people can no longer get outside.  Any ideas?
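The wildcard arithmetic Chuck raises above, as an added Python example that is not from any poster in this thread: it computes the address range an ACL address/wildcard pair covers and runs a source-address-only, first-match evaluation of the three private-range deny lines, once as posted and once with the second line corrected to 172.16.0.0 0.15.255.255. The trailing permit-any entry stands in for the later permit lines, 172.50.1.1 is a constructed sample source, and protocol and destination matching are ignored.

```python
import ipaddress

def _ints(address, wildcard):
    """Dotted-quad address and Cisco wildcard mask as 32-bit ints."""
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))

def wildcard_range(address, wildcard):
    """(first, last) addresses an ACL address/wildcard pair covers.
    A wildcard 1 bit means "don't care", a 0 bit "must match" (the inverse
    of a subnet mask): 0.15.255.255 is /12, 0.127.255.255 is /9."""
    addr, wc = _ints(address, wildcard)
    first, last = addr & ~wc, addr | wc       # don't-care bits all 0 / all 1
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def wildcard_matches(ip, address, wildcard):
    """Bitwise ACL test: every 'must match' bit of ip equals the entry's."""
    addr, wc = _ints(address, wildcard)
    return (int(ipaddress.IPv4Address(ip)) & ~wc) == (addr & ~wc)

def acl_source_action(ip, entries):
    """First-match evaluation of (action, address, wildcard) source entries.
    Protocol and destination are ignored; only the source test is modelled."""
    for action, address, wildcard in entries:
        if wildcard_matches(ip, address, wildcard):
            return action
    return "deny"                             # implicit deny ending every ACL

# The three private-range deny lines as posted, followed by a permit-any that
# stands in for the later permit lines (simplification: source address only).
AS_POSTED = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.0.0.0", "0.127.255.255"),   # 172.0.0.0 - 172.127.255.255
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
# The same list with the second line narrowed to RFC 1918's 172.16.0.0/12.
CORRECTED = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),   # 172.16.0.0 - 172.31.255.255
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
if __name__ == "__main__":
    for _, address, wildcard in (AS_POSTED[1], CORRECTED[1]):
        print(address, wildcard, "covers", wildcard_range(address, wildcard))
    # 172.50.1.1 is a constructed sample source outside 172.16.0.0/12.
    for ip in ("172.50.1.1", "172.20.5.5"):
        print(ip, "as posted:", acl_source_action(ip, AS_POSTED),
              "corrected:", acl_source_action(ip, CORRECTED))
```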

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=14041&t=13928
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]