Paul,

You need to understand the wildcard format for access-lists. The best way to do this is to convert your ip addresses to binary.

The beginning range address is 192.168.1.10 and the ending range address is 192.168.1.15. We can quickly see that the first three octets are the same, so let's concentrate on the fourth. The range is:

  10 : 0000 1010
  11 : 0000 1011
  12 : 0000 1100
  13 : 0000 1101
  14 : 0000 1110
  15 : 0000 1111

As you can see, the left five bits stay the same, so you have to tell the access-list not to care about the right three bits. In a wildcard mask, the 0's represent that the bit value MUST be as specified, and the 1's represent that it doesn't care about the bit value. So we must create a wildcard for the fourth octet that looks like this:

  0000 0111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0. Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for the range 10-15, let's take those five bits (00001) and fill zeros to the right (000) = 0000 1000, or 8. That's the value we want to use for the fourth octet in the ip address. And the access-list would look like this:

  access-list 110 permit tcp 192.168.1.8 0.0.0.7 ....

The only problem with this is that it will also allow .8 and .9, so if you wish to deny those two addresses, you must do some more matching:

  .8 = 0000 1000
  .9 = 0000 1001

As you can see, the only bit that changes is the right one, so if you do a wildcard octet of 0000 0001 you can test for that. Let's correct our access-list statements:

  access-list 110 deny   tcp 192.168.1.8 0.0.0.1 ......
  access-list 110 permit tcp 192.168.1.8 0.0.0.7 ......

As you can see, it's a little tricky to calculate, but once you have it down, it can be almost a fun little task to do. The best thing to do in the beginning is to write the whole address range down in binary and look at the bits. That way you can see which ones change and which ones stay the same. Sometimes you can cut a lot of statements down by looking at the pattern and creating some good wildcard masks, but that is both good and bad.
It is good because it makes the access-list filter faster, but it's bad because it can be hard to read the next time you need to reconfigure something.

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Need a Job?
http://www.OleDrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: r Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 3:12 AM
To: [EMAIL PROTECTED]
Subject: Help with extended access lists [7:40904]

Hello, I wondered if anyone can explain. I have extended access lists working fine. I have a few blocks of ip addresses I want to add to the list, and they are not all consecutive. What I want to do is use the minimum number of entries to cover each block, i.e. say I had several like this: 192.168.1.10 to 15, etc. etc. I want to make a single entry for every consecutive block. I do not own the whole range or subnet. Can I do something like this?

  access-list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In the above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to 15)... have I understood this right? I do not want to match the whole subnet with 0.0.0.255, but that is the only other example I have seen.

Many thanks
Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40913&t=40904
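As an added example (not part of either message in this thread), here is a short Python script that works through the binary reasoning above: it expands a Cisco-style address/wildcard pair into the addresses it really matches (for Paul's 192.168.1.10 0.0.0.6 that is .8, .10, .12 and .14, not .10 to .15), splits a range into the fewest exact address/wildcard entries, and evaluates Ole's deny/permit pair first-match with the implicit deny at the end. The function names are my own; only the addresses and masks come from the two mails.

```python
import ipaddress
def to_int(a): return int(ipaddress.IPv4Address(a))
def to_str(n): return str(ipaddress.IPv4Address(n))

def matches(addr, base, wildcard):
    # Cisco wildcard test: 0 bits in the mask must match the base, 1 bits are ignored.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0

def expand(base, wildcard):
    # Every address the pair matches: keep the 'care' bits, walk all sub-masks of the wildcard.
    b, w = to_int(base), to_int(wildcard)
    fixed, out, s = b & ~w, [], w
    while True:
        out.append(fixed | s)
        if s == 0:
            break
        s = (s - 1) & w                      # next sub-mask of w
    return [to_str(n) for n in sorted(out)]

def range_to_entries(start, end):
    # Cover start..end exactly with the fewest address/wildcard pairs: aligned power-of-two
    # blocks, the only shape a contiguous wildcard (all 1s on the right) can express.
    lo, hi, entries = to_int(start), to_int(end), []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((to_str(lo), to_str(size - 1)))
        lo += size
    return entries

def acl_permitted(aces, start, end):
    # First-match evaluation as IOS does it, implicit deny at the end; returns permitted addresses.
    allowed = []
    for n in range(to_int(start), to_int(end) + 1):
        a = to_str(n)
        for action, base, wildcard in aces:
            if matches(a, base, wildcard):
                if action == "permit":
                    allowed.append(a)
                break
    return allowed

# Ole's corrected pair of statements (destination and port parts omitted, as in the mail).
OLE_ACL = [("deny", "192.168.1.8", "0.0.0.1"), ("permit", "192.168.1.8", "0.0.0.7")]
if __name__ == "__main__":
    print(expand("192.168.1.10", "0.0.0.6"))                  # what Paul's 0.0.0.6 really matches
    print(range_to_entries("192.168.1.10", "192.168.1.15"))   # an exact cover needs two entries
```

Run it and compare the first line with the second: a non-contiguous wildcard like 6 (0000 0110) picks addresses that differ in bits 1 and 2, which is why the range has to be written as .10 0.0.0.1 plus .12 0.0.0.3, or as Ole's deny/permit pair.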