I have a C837 and I want to only allow certain IP addresses from the LAN through to the Internet. Do I apply the access-list to the ethernet0 in or the dialer1 out interface? (Or virtual-access2 out which is a clone of dialer1, I believe.)
The better way is to block them with an access list on the inside interface, i.e.:
access-list 101 deny ip host 10.1.1.1 any
access-list 101 deny ip host 10.1.1.2 any
access-list 101 permit ip any any
int e0
 ip access-group 101 in
You could of course also exclude them from being NATed, but that will essentially send your privates to the WAN/Internet leak, which is a security concern.
Without the "host" keyword the command line expects a wildcard mask after the IP address (or, in the case of a wildcard mask, it is a network address),
e.g. access-list 101 permit ip 10.1.1.0 0.0.0.255, where all IP traffic from the hosts 10.1.1.1 through 10.1.1.254 to any address will be permitted by this ACL.
There was a problem when I applied the ACL to the e0 in interface. I am also using the C837 to set up static routes to divert traffic around the network. But as soon as I prohibited most PCs from getting to the Cisco, they lost their route to the other PCs. Seems like machines need to get past the e0 interface before they can pick up the static route.
Should I therefore set the ACL on the Dialer1 out interface? Or is there a better way?
If you're trying to make an ACL for a single IP you use the word host. If you're trying to allow a subnet then you use a wildcard mask. A wildcard mask is the opposite of a subnet mask, i.e. 255.255.255.0 = 0.0.0.255, 255.255.255.252 = 0.0.0.3. An easy way to figure out the wildcard mask when using an odd mask is to subtract from 255.255.255.255,
i.e.:
  255.255.255.255
- 255.255.255.192
-----------------
    0.  0.  0. 63
In your instance, wanting to permit the 192.168.50.0 subnet to talk to the 192.168.60.0 subnet (assuming class C's):
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
Don't forget, when applying an ACL there is an implicit deny at the bottom of it, basically an invisible deny ip any any, so make sure you have all your permits in place before applying the ACL to the interface.
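The two replies above cover the same mechanics: host versus wildcard-mask matching, first-match evaluation, and the implicit deny ip any any at the end. The following Python block is an added example, not code from any of the posters or from Cisco, that models exactly that for plain "ip" ACEs so you can check an ACL against sample source/destination pairs before putting it on the interface. It deliberately ignores protocol, port and established keywords (an assumption: only the ACE forms shown in this thread are parsed), and it does not model routing, so it cannot reproduce the static-route side effect the asker hit; it only shows what the ACL itself will permit or deny.

```python
import ipaddress

# Wildcard mask = bitwise inverse of the subnet mask (255.255.255.255 minus the mask).
def wildcard_from_mask(mask: str) -> str:
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

# An address matches base/wildcard if every bit the wildcard leaves at 0 agrees with base.
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
def matches(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must agree
    return (a & care) == (b & care)

def _parse_spec(tokens, i):
    """Consume one address spec (any | host X | X W) starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> dict:
    """Parse 'access-list <n> permit|deny ip <src-spec> <dst-spec>' (assumption: ip-only ACEs)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, i = _parse_spec(t, 4)
    dst, _ = _parse_spec(t, i)
    return {"action": t[2], "src": src, "dst": dst}

def evaluate(acl_lines, src_ip: str, dst_ip: str) -> str:
    """First matching entry decides; nothing matching falls through to the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(src_ip, *ace["src"]) and matches(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"  # the invisible 'deny ip any any' at the bottom of every ACL

# Constructed sample ACLs, taken from the two replies in this thread.
ACL_BLOCK_TWO_HOSTS = [
    "access-list 101 deny ip host 10.1.1.1 any",
    "access-list 101 deny ip host 10.1.1.2 any",
    "access-list 101 permit ip any any",
]
ACL_SUBNET_ONLY = [
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255",
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.192"))                 # 0.0.0.63
    print(evaluate(ACL_BLOCK_TWO_HOSTS, "10.1.1.1", "198.51.100.9"))   # deny
    print(evaluate(ACL_BLOCK_TWO_HOSTS, "10.1.1.3", "198.51.100.9"))   # permit
    print(evaluate(ACL_SUBNET_ONLY, "192.168.50.10", "192.168.60.5"))  # permit
    # Same source to anywhere else: no permit matches, so the implicit deny wins.
    print(evaluate(ACL_SUBNET_ONLY, "192.168.50.10", "198.51.100.9"))  # deny
```

The last case is the one worth running before you apply an "in" ACL on e0: a single permit between two subnets silently denies every other destination, including the router's own address and anything you expected the router to route for those hosts, which is the behaviour the asker saw.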