RE: Access List help!! [7:63644]
Jason Steig wrote:

> So you're saying that my statement
>
> ip access-list 1 permit ip 192.17.73.0 0.191.251.0
>
> will permit all hosts from network 192.17.73.0 and 192.81.73.0??
>
> 17 is 00010001
> 81 is 01010001

You corrected my typo on 81. That's good. :-)

> So the bit it doesn't match on is the 64 bit. So I just have to switch it around if you're saying the ones don't count.

No, see my second message. You don't have to switch it around.

A zero in the access-list mask means a bit in the same position in an address in an incoming (or outgoing) packet must match the bit in the address you specify in the access list. (That's a complicated sentence, but read it again if you don't get it. You must understand it to grapple with Cisco access-list masks that show up everywhere in Cisco IOS.)

A one in the access-list mask means that a bit in the same position in an address in a packet doesn't need to match the bit in the address you specify in the access list.

A bit in the 2^6 position (64 in decimal) could be either one or zero in your example if you want either decimal 17 or 81 to match. So we need to make sure that in the access-list mask we say we don't care which it is, a one or a zero, so we use one in the access-list mask. One means I don't care; it can be either one or zero. But the other bits must match to catch both decimal 17 and 81 and nothing more. So the mask for that part is 0100 or 64 in decimal.

> So it would be 0.191.251.0?? Because if the zeros must match and ones don't count then that would be it then?? Or is it 0.192.252.255 because the last octet is 255 so it allows all hosts?

Yes, if you want all hosts, then you don't care if the bits in that part of the address in a packet are one or zero, so you had better use all ones (255 in decimal) in that part of the access-list mask.

So, the answer is 0.64.4.255.

Absolutely, do NOT use some stupid subnet calculator to do this. :-) You have to work it out in binary and you have to understand access-list masks.
By the way, in real networks, we summarize addresses. If you really had to set up an access list that would allow or deny those two disparate networks, you should fire your network designer. In the past we made a big deal out of the need to summarize in order to enhance performance and reduce routing table sizes and update packets. These days, the need to summarize is even more important for security reasons. The last thing you want is to have to spend hours with confused engineers (like me! ;-) trying to figure out access lists. You want the access lists to be simple and easy to get working. If you don't summarize addresses, your access lists can't be simple.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63767t=63644
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
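As an added example that is not part of the thread, the Python below mechanizes the rule Priscilla spells out (a 0 bit in the wildcard must match, a 1 bit is "don't care"): it derives the single wildcard that covers a set of networks, then enumerates every network that wildcard actually admits. That second step is the check a practitioner wants before putting the line on a router, because a wildcard built from two disparate networks also lets in every combination of the differing bits, which is the point of her warning about non-summarized addresses. The function names are my own; the sample networks are the ones from Jason's question.

```python
# Added example, not from the thread: derive a Cisco-style wildcard mask from
# a set of networks and enumerate what that wildcard really matches.
# Wildcard semantics: a 0 bit must match the base address, a 1 bit is "don't care".
import ipaddress
from itertools import product

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))

def covering_wildcard(networks, prefixlen=24):
    """Smallest single (base, wildcard) pair matching every network in the list.

    Every bit on which two members disagree becomes a don't-care (1) bit, and
    the host part below prefixlen is always don't-care so all hosts match.
    """
    ints = [ip_to_int(n) for n in networks]
    wild = (1 << (32 - prefixlen)) - 1          # host bits: all ones
    for n in ints[1:]:
        wild |= ints[0] ^ n                     # differing network bits: don't care
    base = ints[0] & ~wild & 0xFFFFFFFF         # keep only the must-match bits
    return int_to_ip(base), int_to_ip(wild)

def matches(addr, base, wildcard):
    """True if addr satisfies 'base wildcard' the way IOS evaluates it."""
    diff = ip_to_int(addr) ^ ip_to_int(base)
    return diff & ~ip_to_int(wildcard) & 0xFFFFFFFF == 0

def matched_networks(base, wildcard, prefixlen=24):
    """Enumerate every /prefixlen network admitted by the wildcard by trying
    both values of each don't-care bit in the network part."""
    b, w = ip_to_int(base), ip_to_int(wildcard)
    free_bits = [i for i in range(32 - prefixlen, 32) if (w >> i) & 1]
    nets = []
    for bits in product((0, 1), repeat=len(free_bits)):
        v = b & ~((1 << (32 - prefixlen)) - 1)  # clear the host part
        for i, bit in zip(free_bits, bits):
            v |= bit << i
        nets.append(int_to_ip(v))
    return sorted(nets, key=ip_to_int)

def overmatch(wanted, prefixlen=24):
    """Networks a single covering wildcard would admit beyond those wanted."""
    base, wild = covering_wildcard(wanted, prefixlen)
    admitted = matched_networks(base, wild, prefixlen)
    return base, wild, sorted(set(admitted) - set(wanted), key=ip_to_int)

def matched_network_count(wildcard, prefixlen=24):
    """2 ** (don't-care bits in the network part): how many /prefixlen
    networks a wildcard lets through, without enumerating them."""
    w = ip_to_int(wildcard) >> (32 - prefixlen)
    return 2 ** bin(w).count("1")

if __name__ == "__main__":
    # Constructed input: the four 192.x networks from the original question.
    four = ["192.17.77.0", "192.17.73.0", "192.81.77.0", "192.81.73.0"]
    print(covering_wildcard(four))               # ('192.17.73.0', '0.64.4.255')
    # Only two "disparate" networks: the same wildcard silently admits two more.
    print(overmatch(["192.17.73.0", "192.81.77.0"]))
    # The first attempt, 0.191.251.0, admits 16384 /24s but only their .0 host.
    print(matched_network_count("0.191.251.0"),
          matches("192.17.73.5", "192.17.73.0", "0.191.251.0"))
```

For the four 192.x networks the derived pair is 192.17.73.0 0.64.4.255 and `overmatch` reports nothing extra, which is why one line serves all four. Feed it only 192.17.73.0 and 192.81.77.0 and the same wildcard comes out, but now 192.17.77.0 and 192.81.73.0 are admitted as well; the mask cannot express "these two and nothing else".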
Access List help!! [7:63644]
Hello all. I'm stumped on an access-list that I need to create. What I did was I set up two routers using RIP and put loopbacks on one of them and advertised them in RIP. I then attempted to build an access-list allowing just these networks to pass into the other router. The router with the loopbacks is A, the destination is B. So I know this will be a standard access list (direction in) on router B's interface to router A.

The requirements are:

allow any packet originating from 192.17.77.0 /24
allow any packet originating from 192.17.73.0 /24
allow any packet originating from 192.81.77.0 /24
allow any packet originating from 192.81.73.0 /24
allow any packet originating from 176.17.77.0 /24
allow any packet originating from 176.17.73.0 /24
allow any packet originating from 176.81.77.0 /24
allow any packet originating from 176.81.73.0 /24

Here's what I think I can do with the 182 address: I can do

permit ip 192.17.73.0 0.64.4.0

because the 64 will increase the second octet to 81, then the 4 in the third bit will increase the network to 77. Is this how I would implement this filtering policy in just two statements? The same way with the 176 networks?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63644t=63644
RE: Access List help!! [7:63644]
Jason Steig wrote:

> Hello all. I'm stumped on an access-list that I need to create. What I did was I set up two routers using RIP and put loopbacks on one of them and advertised them in RIP. I then attempted to build an access-list allowing just these networks to pass into the other router. The router with the loopbacks is A, the destination is B. So I know this will be a standard access list (direction in) on router B's interface to router A.
>
> The requirements are:
>
> allow any packet originating from 192.17.77.0 /24
> allow any packet originating from 192.17.73.0 /24
> allow any packet originating from 192.81.77.0 /24
> allow any packet originating from 192.81.73.0 /24
> allow any packet originating from 176.17.77.0 /24
> allow any packet originating from 176.17.73.0 /24
> allow any packet originating from 176.81.77.0 /24
> allow any packet originating from 176.81.73.0 /24
>
> Here's what I think I can do with the 182 address: I can do
>
> permit ip 192.17.73.0 0.64.4.0

17 is 0001 0001 in binary
81 is 0011 0001 in binary

The one place they DON'T agree is the bit in the 2^6 place, or 64. So you don't want 64, you want the opposite. Reverse all the bits from the answer you came up with. Remember 0 means must match. 1 means don't care. Then put that result in decimal.

It looks like you need to reverse the bits from the answer you got for the next octet too.

Priscilla

> because the 64 will increase the second octet to 81, then the 4 in the third bit will increase the network to 77. Is this how I would implement this filtering policy in just two statements? The same way with the 176 networks?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63670t=63644
RE: Access List help!! [7:63644]
Priscilla Oppenheimer wrote:

> Jason Steig wrote:
>
> > Hello all. I'm stumped on an access-list that I need to create. What I did was I set up two routers using RIP and put loopbacks on one of them and advertised them in RIP. I then attempted to build an access-list allowing just these networks to pass into the other router. The router with the loopbacks is A, the destination is B. So I know this will be a standard access list (direction in) on router B's interface to router A.
> >
> > The requirements are:
> >
> > allow any packet originating from 192.17.77.0 /24
> > allow any packet originating from 192.17.73.0 /24
> > allow any packet originating from 192.81.77.0 /24
> > allow any packet originating from 192.81.73.0 /24
> > allow any packet originating from 176.17.77.0 /24
> > allow any packet originating from 176.17.73.0 /24
> > allow any packet originating from 176.81.77.0 /24
> > allow any packet originating from 176.81.73.0 /24
> >
> > Here's what I think I can do with the 182 address: I can do
> >
> > permit ip 192.17.73.0 0.64.4.0
>
> 17 is 0001 0001 in binary
> 81 is 0011 0001 in binary
>
> The one place they DON'T agree is the bit in the 2^6 place, or 64. So you don't want 64, you want the opposite. Reverse all the bits from the answer you came up with. Remember 0 means must match. 1 means don't care. Then put that result in decimal.

Oops. It looks like I didn't take my own advice, that 0 means must match and 1 means don't care. So you do want 64. Sorry. You had it right.

Priscilla

> It looks like you need to reverse the bits from the answer you got for the next octet too.
>
> Priscilla
>
> > because the 64 will increase the second octet to 81, then the 4 in the third bit will increase the network to 77. Is this how I would implement this filtering policy in just two statements? The same way with the 176 networks?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63671t=63644
RE: Access List help!! [7:63644]
So you're saying that my statement

ip access-list 1 permit ip 192.17.73.0 0.191.251.0

will permit all hosts from network 192.17.73.0 and 192.81.73.0??

17 is 00010001
81 is 01010001

So the bit it doesn't match on is the 64 bit. So I just have to switch it around if you're saying the ones don't count, so it would be 0.191.251.0?? Because if the zeros must match and ones don't count then that would be it then?? Or is it 0.192.252.255 because the last octet is 255 so it allows all hosts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63674t=63644
RE: Access List help!! [7:63644]
It worked!! Thanks!

Jason Steig wrote:

> So you're saying that my statement
>
> ip access-list 1 permit ip 192.17.73.0 0.191.251.0
>
> will permit all hosts from network 192.17.73.0 and 192.81.73.0??
>
> 17 is 00010001
> 81 is 01010001
>
> So the bit it doesn't match on is the 64 bit. So I just have to switch it around if you're saying the ones don't count, so it would be 0.191.251.0?? Because if the zeros must match and ones don't count then that would be it then?? Or is it 0.192.252.255 because the last octet is 255 so it allows all hosts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63676t=63644
Re: Access List help!! [7:63644]
Jason Steig wrote in message news:[EMAIL PROTECTED]

> It worked!! Thanks!
>
> Jason Steig wrote:

Forgive me for having gotten lost in this thread...

> > So you're saying that my statement
> >
> > ip access-list 1 permit ip 192.17.73.0 0.191.251.0
> >
> > will permit all hosts from network 192.17.73.0 and 192.81.73.0??
> >
> > 17 is 00010001
> > 81 is 01010001

mask = 0100. The 1 in the 64 place allows for either 17 or 81, so the proper mask is 0.0.64.255. 255 allows for all values in the last octet. I hope that's what you are saying, because that is the correct answer.

> > So the bit it doesn't match on is the 64 bit. So I just have to switch it around if you're saying the ones don't count, so it would be 0.191.251.0?? Because if the zeros must match and ones don't count then that would be it then?? Or is it 0.192.252.255 because the last octet is 255 so it allows all hosts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63677t=63644
RE: Access-list Help [7:53185]
Hi,

You need to create an ACL to include the dial pool, then permit it to access the server.

Thanks,
Msava

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Parameswaran S
Sent: Thursday, September 12, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: Access-list Help [7:53185]

Hi Group,

I have a situation where I need to put some access list for my dial-up users logging into my network. I want to give them access to only one server in my network, and all others can be blocked. Can someone help me to do this?

Thanks in advance.

Paramesh

Do you Yahoo!?
Yahoo! News - Today's headlines

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53187t=53185
RE: Access-list Help [7:53185]
Hi Param,

Create an ACL and apply it to the group-async interface configured for dial-up users. It should work.

regards
Silju

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53188t=53185
RE: Access-list Help [7:53185]
Thanks all for your input.. it is working..

paramesh

Silju Pillai wrote:

> Hi Param,
>
> Create an ACL and apply it to the group-async interface configured for dial-up users. It should work.
>
> regards
> Silju

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53191t=53185
Access-list Help [7:53185]
Hi Group,

I have a situation where I need to put some access list for my dial-up users logging into my network. I want to give them access to only one server in my network, and all others can be blocked. Can someone help me to do this?

Thanks in advance.

Paramesh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53185t=53185
ACL (Access-List) Help [7:1879]
I am new to Cisco routers and would appreciate some help on how to put in an access-list that would only allow clients with IP addresses of

IP Range: 10.224.10.1 - 20
Subnet mask: 255.255.252.0

to use our ISDN connection from our LAN.

Thank you in advance for your help.

Norman Lee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=1879t=1879
Need access list help [7:1274]
Have the following internal local networks:

Local Networks: 10.42.232.0 through 10.42.239.0

Have a host at 10.42.237.23 that I want to permit local networks to access (TCP port 2200)
Want to deny access to host 10.42.237.23 for all others
Want to permit all other traffic any any

In effect I just need to deny access to one host for the stated port for everyone not on the local network. What should the access-list look like? I'd hate to club my local network.

My current plan was to:

access-list 113 permit tcp 10.42.232.0 0.0.248.255 host 10.42.237.23
access-list 113 deny tcp any host 10.42.237.23
access-list 113 permit tcp any any
{implicit deny}

config-int vlan 237
ip access-group 113 in

But I have the sinking feeling I am about to club all other protocols. Can someone straighten me out?

Thanks in advance.

Luke

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=1274t=1274
Re: Need access list help [7:1274]
Unless they're going through the router to get to the server, an access-list won't help you there. That just filters traffic passing through interfaces. If it's on the same network you'll have to permit/deny at the server itself. It's possible with all operating systems. What kind of server is it?

----- Original Message -----
From: "Luke"
To:
Sent: Thursday, April 19, 2001 2:19 PM
Subject: Need access list help [7:1274]

> Have the following internal local networks:
>
> Local Networks: 10.42.232.0 through 10.42.239.0
>
> Have a host at 10.42.237.23 that I want to permit local networks to access (TCP port 2200)
> Want to deny access to host 10.42.237.23 for all others
> Want to permit all other traffic any any
>
> In effect I just need to deny access to one host for the stated port for everyone not on the local network. What should the access-list look like? I'd hate to club my local network.
>
> My current plan was to:
>
> access-list 113 permit tcp 10.42.232.0 0.0.248.255 host 10.42.237.23
> access-list 113 deny tcp any host 10.42.237.23
> access-list 113 permit tcp any any
> {implicit deny}
>
> config-int vlan 237
> ip access-group 113 in
>
> But I have the sinking feeling I am about to club all other protocols. Can someone straighten me out?
>
> Thanks in advance.
>
> Luke

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=1279t=1274
Re: Need access list help [7:1274]
Assuming that the router is sitting between the host and the service listening to port 2200, your list should look like so:

example topology:

Host (e0) Router (e1) service listening on port 2200

example access-list:

Router(config)#access-list 113 deny tcp host 10.42.237.23 any eq 2200
Router(config)#access-list 113 permit ip any any
Router(config)#int e0
Router(config-if)#ip access-group 113 in

This blocks anything from host 10.42.237.23 on port 2200 going into the router on e0.

You may also want to consider using named access lists, if your IOS version supports it:

Router(config)#ip access-list extended MyNetworkACL
Router(config-ext-nacl)#deny tcp host 10.42.237.23 any eq 2200
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#int e0
Router(config-if)#ip access-group MyNetworkACL in

Named access lists are a bit easier to manage if you have a lot of configurations in there.

HTH,
johnny p.

At 03:44 PM 4/19/2001 -0400, Allen May wrote:

> Unless they're going through the router to get to the server, an access-list won't help you there. That just filters traffic passing through interfaces. If it's on the same network you'll have to permit/deny at the server itself. It's possible with all operating systems. What kind of server is it?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=1287t=1274
Re: Need access list help [7:1274]
John,

Actually I have multiple local networks: 10.42.232.0 mask 255.255.248.0, which allows the use of 10.42.232 thru 10.42.239.255 at my local site. I want to allow any local host to connect to the host 10.42.237.23 and deny all the remote sites from connecting to this system over port 2200 due to the effect it will have on the WAN links.

Hopefully this clarifies what I need to accomplish. Thanks for any help in advance.

"John Patton" wrote in message news:[EMAIL PROTECTED]...

> Assuming that the router is sitting between the host and the service listening to port 2200, your list should look like so:
>
> example topology:
>
> Host (e0) Router (e1) service listening on port 2200
>
> example access-list:
>
> Router(config)#access-list 113 deny tcp host 10.42.237.23 any eq 2200
> Router(config)#access-list 113 permit ip any any
> Router(config)#int e0
> Router(config-if)#ip access-group 113 in
>
> This blocks anything from host 10.42.237.23 on port 2200 going into the router on e0.
>
> You may also want to consider using named access lists, if your IOS version supports it:
>
> Router(config)#ip access-list extended MyNetworkACL
> Router(config-ext-nacl)#deny tcp host 10.42.237.23 any eq 2200
> Router(config-ext-nacl)#permit ip any any
> Router(config-ext-nacl)#int e0
> Router(config-if)#ip access-group MyNetworkACL in
>
> Named access lists are a bit easier to manage if you have a lot of configurations in there.
>
> HTH,
> johnny p.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=1290t=1274
Re: Need access list help [7:1274]
Ok, then just change which interface you're denying on and deny all traffic from the remote site trying to use port 2200 to connect to your server.

example topology:

local site (e0) Router (e1) remote site

example numbered access-list:

Router(config)#access-list 113 deny tcp any host 10.42.237.23 eq 2200
Router(config)#access-list 113 permit ip any any
Router(config)#int e1
Router(config-if)#ip access-group 113 in

example named access-list:

Router(config)#ip access-list extended MyNetworkACL
Router(config-ext-nacl)#deny tcp any host 10.42.237.23 eq 2200
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#int e1
Router(config-if)#ip access-group MyNetworkACL in

HTH,
johnny p.

At 04:52 PM 4/19/2001 -0400, Luke wrote:

> John,
>
> Actually I have multiple local networks: 10.42.232.0 mask 255.255.248.0, which allows the use of 10.42.232 thru 10.42.239.255 at my local site. I want to allow any local host to connect to the host 10.42.237.23 and deny all the remote sites from connecting to this system over port 2200 due to the effect it will have on the WAN links.
>
> Hopefully this clarifies what I need to accomplish. Thanks for any help in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=1300t=1274
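The worry Luke raised, that a list of `tcp` lines followed by the implicit deny "clubs" every other protocol, is easy to check before the list goes on an interface. As an added example that is not part of the thread, the Python below is a small first-match simulator for the numbered-ACL syntax used in these posts: it parses `permit`/`deny` lines with `any`, `host` and `network wildcard` operands and an optional destination `eq` port, applies them in order, and falls through to the implicit deny. Run against constructed packets it shows two things about Luke's first plan: ICMP is denied outright, and because 0.0.248.255 is the bitwise opposite of 0.0.7.255 (the wildcard that corresponds to mask 255.255.248.0), the first line only matches local hosts whose third octet is 232 and a few others, so a host such as 10.42.233.5 drops to the `deny tcp any host` line. John's WAN-inbound shape denies only the one port. The parser, the packet dictionaries and the hypothetical hosts are mine; the ACL lines are taken from the thread.

```python
# Added example, not from the thread: a small first-match simulator for the
# numbered-ACL syntax used in this thread, to see what a list does to a few
# constructed packets before it is applied with "ip access-group".
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # IOS rule: bits where the wildcard is 0 must equal the base address.
    return (_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF == 0

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]', where SRC/DST
    is 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'. Only a destination 'eq' port
    is understood; that is enough for the lists discussed here."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not a numbered access-list line: " + line)
    action, proto = tok[2], tok[3]
    pos = 4

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")
        pos += 2
        return (tok[pos - 2], tok[pos - 1])

    src, dst = address(), address()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt = {proto, src, dst[, dport]}.
    First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        return ace["action"]
    return "deny"   # implicit deny at the end of every IOS access list

# Luke's first plan, exactly as posted (wildcard and protocol problems included).
LUKE_PLAN = [
    "access-list 113 permit tcp 10.42.232.0 0.0.248.255 host 10.42.237.23",
    "access-list 113 deny tcp any host 10.42.237.23",
    "access-list 113 permit tcp any any",
]

# The shape John suggested for the WAN-facing interface: deny remote sites on
# port 2200 only, let everything else through.
WAN_INBOUND = [
    "access-list 113 deny tcp any host 10.42.237.23 eq 2200",
    "access-list 113 permit ip any any",
]

# Constructed packets (hypothetical hosts inside and outside 10.42.232.0/21).
LOCAL_TCP_2200 = {"proto": "tcp", "src": "10.42.233.5", "dst": "10.42.237.23", "dport": 2200}
LOCAL_PING = {"proto": "icmp", "src": "10.42.233.5", "dst": "10.42.237.23"}
REMOTE_TCP_2200 = {"proto": "tcp", "src": "10.50.1.7", "dst": "10.42.237.23", "dport": 2200}
REMOTE_TCP_80 = {"proto": "tcp", "src": "10.50.1.7", "dst": "10.42.237.23", "dport": 80}

if __name__ == "__main__":
    for name, pkt in [("local 2200", LOCAL_TCP_2200), ("local ping", LOCAL_PING),
                      ("remote 2200", REMOTE_TCP_2200), ("remote 80", REMOTE_TCP_80)]:
        print(f"{name:12} plan={evaluate(LUKE_PLAN, pkt):6} wan={evaluate(WAN_INBOUND, pkt)}")
```

The simulator covers only the syntax that appears in this thread; real IOS also accepts source ports, port ranges, `established` and other qualifiers, so extend `parse_ace` before trusting it on an arbitrary production list.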
Re: Access list help
Yes, I see that my wildcard mask is all screwed up. I'm sending this from home and now I'm not sure if it's just a typo on my part or I actually typed it in like that on the router ;-(

Tim

"Timothy Metz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
Access list help
All,

For some reason I am having problems with a seemingly simple access-list and any help is extremely appreciated. When I applied the list, it blocked www access (intranet www worked fine) to all except the BDC and the Exchange server. I assume I made a mistake with the wildcard mask.

My stub of the intranet is 10.105.190.0
BDC is 10.105.190.10
Exchange server is 10.105.190.246
IPs authorized unrestricted access: 10.105.190.8 thru 10.105.190.24
LAN is on e0, WAN on s0

Here are my guidelines in plain English:

permit all to local intranet
permit our BDC to all
permit Exchange server to all
permit specific block of IPs to all (10.105.190.8 thru 10.105.190.24)
deny all others to www
permit ip all (for proprietary stuff some of our offices use and I don't currently have the time to see what ports they need)

Here is the list I came up with:

access-list 101 permit tcp any 10.0.0.0 0.255.255.255 eq www
access-list 101 permit ip host 10.105.190.10 any
access-list 101 permit ip host 10.105.190.246 any
access-list 101 permit ip 10.105.190.8 0.0.0.16 any
access-list 101 deny tcp 10.105.190.0 0.0.0.255 any eq www
access-list 101 permit ip any any

apply to interface e0:

en
config t
int e0
ip access-group 101 out
ctrl-z

Thanks again,

Tim
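Tim's range 10.105.190.8 through .24 and Norman's 10.224.10.1 through .20 (earlier on this page) share one problem: a wildcard mask can only express a block whose size is a power of two and whose start is aligned to that size, so neither range fits a single `network wildcard` pair. As an added example that is not from either post, the Python below splits an inclusive range into the fewest aligned blocks, renders each as an IOS line, and also reports which hosts a given wildcard really admits, which is the quickest way to see that `10.105.190.8 0.0.0.16` covers only .8 and .24 (the 16 bit is the only don't-care bit). The function names and the rendered-line format are mine; the addresses come from the two questions.

```python
# Added example, not from the thread: turn a contiguous host range into the
# fewest 'network wildcard' pairs IOS needs, and show which hosts a given
# wildcard really admits. Function names and sample hosts are my own.
import ipaddress

def range_to_wildcard_entries(first, last):
    """Split first..last (inclusive) into CIDR-aligned blocks and express each
    as the (network, wildcard) pair a standard or extended ACL line takes."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    # hostmask is the inverted subnet mask, i.e. exactly the IOS wildcard
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]

def acl_lines(number, action, entries, suffix="any"):
    """Render entries as extended-ACL source clauses, e.g. 'permit ip NET WILD any'."""
    return [f"access-list {number} {action} ip {net} {wild} {suffix}"
            for net, wild in entries]

def hosts_matched(base, wildcard, candidates):
    """Which of the candidate addresses satisfy 'base wildcard'
    (0 bits must match, 1 bits are ignored)."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return [c for c in candidates
            if (int(ipaddress.IPv4Address(c)) ^ b) & ~w & 0xFFFFFFFF == 0]

if __name__ == "__main__":
    # Tim's block 10.105.190.8 - .24 is not a single aligned block, so one
    # wildcard cannot express it; three lines are needed.
    for line in acl_lines(101, "permit",
                          range_to_wildcard_entries("10.105.190.8", "10.105.190.24")):
        print(line)
    # What the posted 0.0.0.16 actually admits within that range: only .8 and .24.
    wanted = [f"10.105.190.{i}" for i in range(8, 25)]
    print(hosts_matched("10.105.190.8", "0.0.0.16", wanted))
    # Norman's 10.224.10.1 - .20 needs six entries for the same reason.
    print(range_to_wildcard_entries("10.224.10.1", "10.224.10.20"))
```

If the extra lines are unwelcome, the practical fix is the one Priscilla gives in the other thread: choose address blocks that are aligned in the first place (for example .8 through .23, or .16 through .31) so a single wildcard describes them.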