I can't write ACLs

Posted by PL on June 26, 2008, 7:12 pm

Trying to block access from "inside" to "dmz1"...

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz1
security-level 2
ip address 192.168.2.1 255.255.255.0
!
access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0
access-list acl_outgoing extended permit ip any any
!
access-group acl_outgoing in interface inside

Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
Posted by Barry Margolin on June 26, 2008, 10:07 pm

> Trying to block access from "inside" to "dmz1"...
>
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Ethernet0/2
> nameif dmz1
> security-level 2
> ip address 192.168.2.1 255.255.255.0
> !
> access-list acl_outgoing extended deny ip any 192.168.2.0
> 255.255.255.0

That should be 0.0.0.255.

> access-list acl_outgoing extended permit ip any any
> !
> access-group acl_outgoing in interface inside
>
> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
netmask instead of a wildcard mask.

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Posted by Andrew Lutov on June 26, 2008, 10:21 pm

Hello, Barry!

??>> Trying to block access from "inside" to "dmz1"...
??>>
??>> interface Ethernet0/1
??>> nameif inside
??>> security-level 100
??>> ip address 192.168.1.1 255.255.255.0
??>> !
??>> interface Ethernet0/2
??>> nameif dmz1
??>> security-level 2
??>> ip address 192.168.2.1 255.255.255.0
??>> !
??>> access-list acl_outgoing extended deny ip any 192.168.2.0
??>> 255.255.255.0

BM> That should be 0.0.0.255.

??>> access-list acl_outgoing extended permit ip any any
??>> !
??>> access-group acl_outgoing in interface inside
??>>
??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
BM> netmask instead of a wildcard mask.

asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?

configure mode commands/options:
  A.B.C.D  Netmask for source IP address
asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1

--
Posted by Barry Margolin on June 26, 2008, 10:30 pm

> Hello, Barry!
>
> ??>> Trying to block access from "inside" to "dmz1"...
> ??>>
> ??>> interface Ethernet0/1
> ??>> nameif inside
> ??>> security-level 100
> ??>> ip address 192.168.1.1 255.255.255.0
> ??>> !
> ??>> interface Ethernet0/2
> ??>> nameif dmz1
> ??>> security-level 2
> ??>> ip address 192.168.2.1 255.255.255.0
> ??>> !
> ??>> access-list acl_outgoing extended deny ip any 192.168.2.0
> ??>> 255.255.255.0
>
> BM> That should be 0.0.0.255.
>
> ??>> access-list acl_outgoing extended permit ip any any
> ??>> !
> ??>> access-group acl_outgoing in interface inside
> ??>>
> ??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
> BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
> BM> netmask instead of a wildcard mask.
>
>
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?
>
> configure mode commands/options:
>   A.B.C.D  Netmask for source IP address
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1

You didn't say what model it was earlier, I thought it was an IOS router.
IOS uses wildcard masks, which are the complement of netmasks.

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
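An added example, not code from the thread, that evaluates PL's deny ACE under the two mask conventions Barry contrasts: the ASA netmask, where a 1 bit means "this bit must match", and the IOS wildcard, where a 1 bit means "don't care". The ACL and the 192.168.2.2 destination come from the thread; the evaluate_acl helper, the "any" token and the first-match-wins walk with an implicit trailing deny are my own construction for illustration.

```python
import ipaddress

# Constructed from the thread: the ACL applied inbound on "inside" and the
# destination of the test flow from 192.168.1.7. "any" is kept as a token so
# the same ACL can be evaluated under both mask conventions.
THREAD_ACL = [
    ("deny", "192.168.2.0", "255.255.255.0"),
    ("permit", "any", None),
]
DST_HOST = "192.168.2.2"


def _to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches_netmask(addr: str, network: str, netmask: str) -> bool:
    """ASA/PIX convention: a 1 bit in the mask means 'this bit must match'."""
    m = _to_int(netmask)
    return (_to_int(addr) & m) == (_to_int(network) & m)


def matches_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """IOS convention: a 1 bit in the mask means 'don't care'."""
    keep = ~_to_int(wildcard) & 0xFFFFFFFF  # the bits that must match
    return (_to_int(addr) & keep) == (_to_int(network) & keep)


def netmask_to_wildcard(netmask: str) -> str:
    """An IOS wildcard is the bitwise complement of the equivalent netmask."""
    return str(ipaddress.IPv4Address(~_to_int(netmask) & 0xFFFFFFFF))


def evaluate_acl(addr: str, acl, convention: str) -> str:
    """Walk the ACL in order; first matching ACE wins, implicit deny at the end."""
    for action, network, mask in acl:
        if network == "any":
            return action
        if convention == "netmask":
            hit = matches_netmask(addr, network, mask)
        elif convention == "wildcard":
            hit = matches_wildcard(addr, network, mask)
        else:
            raise ValueError(f"unknown convention: {convention}")
        if hit:
            return action
    return "deny"


if __name__ == "__main__":
    for conv in ("netmask", "wildcard"):
        print(f"{conv:8s}: {DST_HOST} -> {evaluate_acl(DST_HOST, THREAD_ACL, conv)}")
    # A host whose last octet is 0 is what the IOS reading of 255.255.255.0 catches.
    print("wildcard: 10.0.0.0 ->", evaluate_acl("10.0.0.0", THREAD_ACL, "wildcard"))
    print("complement of 255.255.255.0 =", netmask_to_wildcard("255.255.255.0"))
```

Read as a netmask, the deny ACE covers 192.168.2.2 and the ACL returns deny; read as an IOS wildcard, 255.255.255.0 only constrains the last octet, so it matches addresses ending in .0 (Barry's "X.X.X.0") and 192.168.2.2 falls through to the permit. Since Andrew's CLI output shows the ASA prompting for a netmask, the ACE as PL wrote it does cover the DMZ subnet, and the thread ends without establishing why the traffic still passes.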
Posted by PL on June 27, 2008, 12:13 pm

I'm sorry, I forgot to mention what device this was, it's an ASA.

On Thu, 26 Jun 2008 22:07:14 -0400, Barry Margolin

>
>> Trying to block access from "inside" to "dmz1"...
>>
>> interface Ethernet0/1
>> nameif inside
>> security-level 100
>> ip address 192.168.1.1 255.255.255.0
>> !
>> interface Ethernet0/2
>> nameif dmz1
>> security-level 2
>> ip address 192.168.2.1 255.255.255.0
>> !
>> access-list acl_outgoing extended deny ip any 192.168.2.0
>> 255.255.255.0
>
>That should be 0.0.0.255.
>
>> access-list acl_outgoing extended permit ip any any
>> !
>> access-group acl_outgoing in interface inside
>>
>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
>Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
>netmask instead of a wildcard mask.