RE: Access Lists [7:28927]
Are your people dialing in having to go through your company proxy server to get to the internet? If so, they're probably talking with the proxy server, which no doubt would have an internal address and be let through by that access list.

Which interface are you applying this access-list to? In which direction (in/out)?

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28961t=28927
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Access Lists [7:28927]
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28927t=28927
Re: Access Lists [7:28927]
Is 165.5.x.x the range of your internal network or the range of addresses that your dial-in users are assigned to? This list says that any packet whose source address is 165.5.x.x can be destined for anywhere. If you want to restrict which subnets they can get to, make some more lines specifying your internal subnets.

Not to insult, but don't forget to apply it to an interface.

From: J. Johnson
Reply-To: J. Johnson
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]
Date: Wed, 12 Dec 2001 14:24:16 -0500

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28940t=28927
RE: Access Lists [7:28927]
Jill,

How did you apply the list? To what interface? In which direction?

Timothy Estes
NA,DA

-----Original Message-----
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28972t=28927
RE: Access Lists [7:28927]
On what interface(s) is that ACL applied?

The way you've written it, the ACL permits IP traffic with a source address of 165.5.x.x, and the second (unnecessary) line denies all other traffic. If that ACL is applied on the interfaces that your users dial into, then it won't accomplish much.

If you're trying to filter based on destination IP address, then the first line should be written

    access-list 110 permit ip any 165.5.0.0 0.0.0.255

hth,
Hal

-----Original Message-----
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28949t=28927
Re: Access Lists [7:28927]
You probably have to provide more information.

1. Are your users dialing into a router (access server) or through a RAS card on a computer system?
2. If the answer to question 1 is through a router, then is the router also the router that connects to the internet, or do you have another gateway router?
3. Then the interfaces to which you apply the access-list also count, so say more on the interfaces you have on your router and the ones you applied the access-list on, and again in which direction (in or out)?

Regards

----- Original Message -----
From: J. Johnson
To:
Sent: Wednesday, December 12, 2001 11:24 AM
Subject: Access Lists [7:28927]

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28967t=28927
Re: Access Lists [7:28927]
You don't give much info. What addresses are you handing out via your pool? Where are you applying the access-list?

When I had done something similar a long time ago, employees and faculty total access, customers limited. Set up two access-lists and access lists were applied to user via authentication on TACACS server. I think this is what you want to do. You can also use Radius, TACACS is free, only need a UNIX hac.

Dave

J. Johnson wrote:

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28947t=28927
RE: Access Lists [7:28927]
Yes. You are allowing anyone coming from 165.5.0.0 to go anywhere and denying from anywhere to anywhere. Not knowing your IP structure, I would say:

    ! x.x.x.0 0.0.0.255     = IP range assigned to dial-in
    ! 165.5.0.0 0.0.255.255 = IP range of your internal network
    access-list 110 permit ip x.x.x.0 0.0.0.255 165.5.0.0 0.0.255.255
    access-list 110 deny ip any any

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. Johnson
Sent: Wednesday, December 12, 2001 1:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28987t=28927
RE: Access Lists [7:28927]
Jill,

Your acl says allow any source ip from 165.5.0.0 to access any destination IP address. This is probably not what you want. You probably want to allow any IP address to access anything in the 165.5.0.0 address range (assuming that 165.5.0.0 is your internal network).

Your acl should be:

    access-list 110 permit ip any 165.5.0.0 0.0.255.255

You don't need the deny ip any any at the end, it is implied.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. Johnson
Sent: Wednesday, December 12, 2001 11:24 AM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial in.

This is what my access list looks like:

    access-list 110 permit ip 165.5.0.0 0.0.255.255 any
    access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28996t=28927
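
Added example, not part of the original thread or any poster's configuration: a small first-match evaluator for the `access-list ... ip` lines quoted in the thread, showing which packets the source-based list and the destination-based variants permit. The sample addresses are constructed assumptions (a dial-in client inside 165.5.x.x, an internal host, and 198.51.100.7 standing in for an internet host), and the code models only rule matching, not the interface or direction the list is applied to.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (_ip(tok.pop(0)), 0)
    return (_ip(t), _ip(tok.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError("unsupported line: " + line)
        rest = tok[4:]
        rules.append((tok[2], _spec(rest), _spec(rest)))
    return rules

def _match(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (addr & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching line wins; no match falls through to the implicit deny."""
    for action, s, d in rules:
        if _match(_ip(src), s) and _match(_ip(dst), d):
            return action
    return "deny"

# Lists quoted from the thread.
ORIGINAL = """access-list 110 permit ip 165.5.0.0 0.0.255.255 any
access-list 110 deny ip any any"""
BY_DEST_16 = "access-list 110 permit ip any 165.5.0.0 0.0.255.255"
BY_DEST_24 = "access-list 110 permit ip any 165.5.0.0 0.0.0.255"
# Constructed sample addresses (assumptions, not from the thread).
CLIENT, INTERNAL, INTERNET = "165.5.200.10", "165.5.1.25", "198.51.100.7"

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("dest /16", BY_DEST_16), ("dest /24", BY_DEST_24)):
        r = parse_acl(acl)
        print(name, evaluate(r, CLIENT, INTERNAL), evaluate(r, CLIENT, INTERNET))
```

With wildcard 0.0.0.255 the destination match covers only 165.5.0.0 through 165.5.0.255, so the sample internal host at 165.5.1.25 falls through to the implicit deny.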