Re: Access List problem. [7:12525]
Line 6 should be there. Line 5 defines a subset of line 6 with type deny and is the widest range among the prior lines, so it should stay. Line 4's source address is in the range of line 5, with type permit; its destination address is out of the range of line 5, so it is equivalent to:

permit x.x.x.x 0.0.31.255 y.y.y.y 0.0.0.63

This line should stay. Line 3's destination address is out of the range of lines 4 and 5 and falls into line 6, with deny, so it should stay. Lines 1 and 2 are both in the range of line 6, with permit, so they are overlapped. Then the access-list becomes:

1. access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
2. access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.64 0.0.0.63
3. access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
4. access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

If my derivation above is not wrong and the original access list is equivalent to the access list above, it is easy to prove that none of those lines can be removed any more. So I think a 4-line access list is required.

Robert Fowler wrote:

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

[GroupStudy.com removed an attachment of type text/x-vcard which had a name of jeffrey.wang.vcf]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12635t=12525
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Access List problem. [7:12525]
Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12525t=12525
RE: Access List problem. [7:12525]
Is it working or not? What do you want to allow or disallow? Forget this one.

-Original Message-
From: Robert Fowler [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 11:05 PM
To: [EMAIL PROTECTED]
Subject: Access List problem. [7:12525]

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12530t=12525
Re: Access List problem. [7:12525]
I'll try ;) Let's see:

172.anything from 10.anything
172.22.30.95 from 10.11.12.anything (redundant from above line)
172.22.30.anything denied from 192.168.18.27
172.22.0.0 0.0.31.255 from 192.168.18.anything (denied 1 line above)
172.22.anything deny 192.168.18.64 0.0.0.63 (taken care of 2 lines above)
permit all

So yeah...line 1, 3, and final permit all looks like it to me...

Allen

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12532t=12525
Re: Access List problem. [7:12525]
I have a familiar feeling that I'm going to be completely off on this one, but hopefully the correct answer will be posted so I can figure out why. As long as the correct deny statements are there, it seems to me that the other permit statements would be redundant when used with the permit all statement at the end.

access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Looking forward to the answer,

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12535t=12525
Re: Access List problem. [7:12525]
I like Jeremy's answer. It seems like the permit all at the end makes everything else except the denies redundant.

Jeremy Felt wrote in message news:[EMAIL PROTECTED]...

I have a familiar feeling that I'm going to be completely off on this one, but hopefully the correct answer will be posted so I can figure out why. As long as the correct deny statements are there, it seems to me that the other permit statements would be redundant when used with the permit all statement at the end.

access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Looking forward to the answer,

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12544t=12525
Re: Access List problem. [7:12525]
Oh wait...4th line down is a permit so line 3 stays. I see it in 4 lines. Anybody else see it differently?

- Original Message -
From: Allen May
To:
Sent: Monday, July 16, 2001 2:44 PM
Subject: Re: Access List problem. [7:12525]

I'll try ;) Let's see:

172.anything from 10.anything
172.22.30.95 from 10.11.12.anything (redundant from above line)
172.22.30.anything denied from 192.168.18.27
172.22.0.0 0.0.31.255 from 192.168.18.anything (denied 1 line above)
172.22.anything deny 192.168.18.64 0.0.0.63 (taken care of 2 lines above)
permit all

So yeah...line 1, 3, and final permit all looks like it to me...

Allen

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12545t=12525
Re: Access List problem. [7:12525]
True, but it won't block the specific addresses inside the subnets he allowed all from above the deny all.

- Original Message -
From: no mail
To:
Sent: Monday, July 16, 2001 3:41 PM
Subject: Re: Access List problem. [7:12525]

I like Jeremy's answer. It seems like the permit all at the end makes everything else except the denies redundant.

Jeremy Felt wrote in message news:[EMAIL PROTECTED]...

I have a familiar feeling that I'm going to be completely off on this one, but hopefully the correct answer will be posted so I can figure out why. As long as the correct deny statements are there, it seems to me that the other permit statements would be redundant when used with the permit all statement at the end.

access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Looking forward to the answer,

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12546t=12525
RE: Access List problem. [7:12525]
The first 3 conditions definitely don't overlap, so the deny is all you need, but the next 2 lines kind of overlap, and using only the deny statement (line 5) would block traffic that the prior permit statement (line 4) would have allowed. The only way to get rid of one of the lines is to see if there is a real weird wildcard mask that could do a deny that looks like the permit and deny together, but I can't see it right off.

DON'T DELETE LINE 4! The remaining deny statement would deny all traffic from 172.22.x.y to hosts 64-128 on the 192.168.18 network. Line 4 would have allowed the hosts from 172.22.0-31.x to all of the 192.168.18.x network. These conditions overlap and need to be there separately.

access-list 101 permit ip host 172.22.30.6 10.0.0.0 0.255.255.255

Someone sent me this and I just can't figure it out. I've been staring at it and trying things since last week. Any ideas? Jeff Doyle says this access-list can be rewritten with 3 lines and still provide the same functionality. Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12550t=12525
Re: Access List problem. [7:12525]
Thanks for the vote of support. I'm still very new at this. However, I have this habit of second guessing myself all the time, and I'm pretty sure my response was incorrect.

The first two permit statements can be considered redundant because there are no deny statements leading to the 10.0.0.0 network. So that means the 3 statements relating to network 192.168.18.0 need to be reworked into 2.

The first statement denies ip traffic from 172.22.30.0-172.22.30.255 access to the node 192.168.18.27.

The second statement permits ip traffic from 172.22.0.0-172.22.31.255 to access any nodes from 192.168.18.0-192.168.18.255; this excludes the traffic denied already above.

The third statement denies ip traffic from 172.22.0.0-172.22.255.255 access to any nodes from 192.168.18.64-192.168.18.127.

If the second statement is taken out, then the third statement denies it before it is able to get to the permit all statement. In order for the second statement to be taken out, the third statement needs to be modified so that traffic from 172.22.32.0-172.22.255.255 is denied access to any nodes from 192.168.18.64-192.168.18.127. I don't know if this can be done by using a wildcard mask though, and I'm not able to figure it out.

Sorry about the length, hopefully somebody can post the correct answer this time. :-p

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: no mail
To:
Sent: Monday, July 16, 2001 3:41 PM
Subject: Re: Access List problem. [7:12525]

I like Jeremy's answer. It seems like the permit all at the end makes everything else except the denies redundant.

Jeremy Felt wrote in message news:[EMAIL PROTECTED]...

I have a familiar feeling that I'm going to be completely off on this one, but hopefully the correct answer will be posted so I can figure out why. As long as the correct deny statements are there, it seems to me that the other permit statements would be redundant when used with the permit all statement at the end.

access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Looking forward to the answer,

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

...[snipped message]...

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12549t=12525
Re: Access List problem. [7:12525]
After thinking on it a bit more, the wildcard mask I would use if it were legal would be 0.0.223.255

This seems to accomplish the task, though according to my knowledge, it's not useable. So now I'm with Allen in 4 lines, not 3.

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: Jeremy Felt
To:
Sent: Monday, July 16, 2001 4:22 PM
Subject: Re: Access List problem. [7:12525]

...[snip message].

In order for the second statement to be taken out, the third statement needs to be modified so that traffic from 172.22.32.0-172.22.255.255 is denied access to any nodes from 192.168.18.64-192.168.18.127. I don't know if this can be done by using a wildcard mask though, and I'm not able to figure it out.

Sorry about the length, hopefully somebody can post the correct answer this time. :-p

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: no mail
To:
Sent: Monday, July 16, 2001 3:41 PM
Subject: Re: Access List problem. [7:12525]

I like Jeremy's answer. It seems like the permit all at the end makes everything else except the denies redundant.

Jeremy Felt wrote in message news:[EMAIL PROTECTED]...

I have a familiar feeling that I'm going to be completely off on this one, but hopefully the correct answer will be posted so I can figure out why. As long as the correct deny statements are there, it seems to me that the other permit statements would be redundant when used with the permit all statement at the end.

access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Looking forward to the answer,

- Jeremy Felt [EMAIL PROTECTED]

- Original Message -
From: Robert Fowler
To:
Sent: Monday, July 16, 2001 2:05 PM
Subject: Access List problem. [7:12525]

...[snipped message]...

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...

Thank You,
Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12552t=12525
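
The rewrites proposed in this thread can be checked mechanically rather than by eye. The Python below is an added example, not code from any poster: it applies first-match evaluation with wildcard masks to the original six lines and to three candidates from the thread. The probe addresses are constructed, and pairing the 0.0.223.255 mask with base address 172.22.32.0 is an assumption, since the post gives only the mask.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(text):
    """Parse 'access-list N <action> ip <src> <wild> <dst> <wild>' lines."""
    return [(f[2], *map(ip, f[4:8])) for f in map(str.split, text.strip().splitlines())]

def evaluate(rules, src, dst):
    """First matching line wins; a 1 bit in a wildcard mask means 'ignore'."""
    for action, r_src, s_wild, r_dst, d_wild in rules:
        if (src ^ r_src) & ~s_wild == 0 and (dst ^ r_dst) & ~d_wild == 0:
            return action
    return "deny"  # implicit deny that ends every ACL

# Original six lines, as posted in the thread.
ORIGINAL = parse("""
access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")
# Four-line rewrite from the first reply on this page.
FOUR_LINE = parse("""
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.64 0.0.0.63
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")
# Three-line candidate from the thread: both denies plus permit-all.
TWO_DENY = parse("""
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")
# Assumption: mask 0.0.223.255 with base 172.22.32.0 (base not given in the post).
MASK_223 = parse("""
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 deny ip 172.22.32.0 0.0.223.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")

def probes():
    # Constructed probes: every address class the rules above distinguish.
    srcs = [ip(f"172.22.{a}.{b}") for a in range(256) for b in (0, 6, 95)]
    srcs += [ip("172.23.30.6"), ip("10.1.1.1")]
    dsts = [ip(f"192.168.18.{b}") for b in range(256)]
    dsts += [ip("10.0.0.1"), ip("10.11.12.5"), ip("192.168.19.70"), ip("8.8.8.8")]
    return [(s, d) for s in srcs for d in dsts]

def differences(acl_a, acl_b):
    """Probes on which the two ACLs disagree, as (src, dst, verdict_a, verdict_b)."""
    pairs = ((s, d, evaluate(acl_a, s, d), evaluate(acl_b, s, d)) for s, d in probes())
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), a, b)
            for s, d, a, b in pairs if a != b]

if __name__ == "__main__":
    for name, acl in (("four-line", FOUR_LINE), ("two-deny", TWO_DENY), ("mask-223", MASK_223)):
        print(name, len(differences(ORIGINAL, acl)), "mismatching probes")
```

Run directly, it prints the number of mismatching probes per candidate; zero means the rewrite gave the same verdict as the original on every probe.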