Newbie question C837

Hi,

I have a C837 and I want to only allow certain IP addresses from the LAN through to the Internet. Do I apply the access-list to the ethernet0 in or the dialer1 out interface? (Or virtual-access2 out which is a clone of dialer1, I believe.)

Thanks, SW

S W

The better way is to block them with an access list on the inside interface, i.e.:

access-list 101 deny ip host 10.1.1.1 any
access-list 101 deny ip host 10.1.1.2 any
access-list 101 permit ip any any
int e0
ip access-group 101 in

You could of course also exclude them from being NATed, but that will essentially send your privates to the WAN/Internet leak, which is a security concern.

-Brian

Brian V

Thanks, Brian

My config will be more along the lines of

access-list 101 permit ip host 10.1.1.1 any
access-list 101 permit ip host 10.1.1.2 any
access-list 101 deny ip any any
int e0
ip access-group 101 in

But that is the same, as long as I put the permits first, of course!

Just a small query - why have you put "ip host" before the ip address?

Regards,

SW

S W

Without the "host" keyword the command line expects a wildcard mask after the IP address (or, in the case of a wildcard mask, it is a network address), e.g.:

access-list 101 permit ip 10.1.1.0 0.0.0.255

where all IP traffic from the hosts 10.1.1.1 through 10.1.1.254 to any address will be permitted by this ACL.

Uli Link

"ip" refers to the protocol in use, could easily be tcp, udp, icmp, etc.

"host" saves you from having to use a wildcard mask (which ACLs use) for a single IP.

The statement

access-list 101 deny ip host 10.1.1.1 any

is the same as

access-list 101 deny ip 10.1.1.1 0.0.0.0 any

Most if not all modern IOS versions will automatically convert the 0.0.0.0 to the keyword host.

-Brian

Brian V

There was a problem when I applied the ACL to the e0 in interface. I am also using the C837 to set up static routes to divert traffic around the network. But as soon as I prohibited most PCs from getting to the Cisco, they lost their route to the other PCs. Seems like machines need to get past the e0 interface before they can pick up the static route.

Should I therefore set the ACL on the Dialer1 out interface? Or is there a better way?

Thanks,

SW

S W

I wouldn't do it outside. I'd do a permit for them first to the other internal subnets.

Example: Say you have the 10.1.0.0/24 and 10.2.0.0/24 subnets.

access-list 101 permit ip host 10.1.1.1 10.2.0.0 0.0.0.24
access-list 101 deny ip host 10.1.1.1 any
access-list 101 permit ip any any

-Brian

Brian V

The example should read (typo in the wildcard mask):

Brian V

How would I allow the whole subnet through to another subnet? When I try to put masks on it complains:

access-list 150 permit ip host 192.168.50.0 0.0.0.255 192.168.50.0 _0_.0.0.255

It returns "% Invalid input detected at '^' marker", with the marker placed where I put the underscore.

Thanks again, SW

S W

My turn to make a typo! It should read:

access-list 150 permit ip host 192.168.50.0 0.0.0.255 192.168.60.0 _0_.0.0.255

S W

In article , S W wrote:
:How would I allow the whole subnet through to another subnet?
:When I try to put masks on it complains:

:access-list 150 permit ip host 192.168.50.0 0.0.0.255 192.168.50.0 _0_.0.0.255

:it returns "% Invalid input detected at '^' marker" which is placed where I
:put the underscore

Remove the word 'host'.

host X is an alternate way of writing X 0.0.0.0, so your ACL entry was equivalent to trying to write

access-list 150 permit ip 192.168.50.0 0.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255

Walter Roberson

SW,

If you're trying to make an ACL for a single IP you use the word host. If you're trying to allow a subnet then you use a wildcard mask. A wildcard mask is the opposite of a subnet mask, i.e. 255.255.255.0 = 0.0.0.255, 255.255.255.252 = 0.0.0.3. An easy way to figure out the wildcard mask when using an odd mask is to subtract from 255.255.255.255, i.e.:

    255.255.255.255
   -255.255.255.192
   ----------------
      0.  0.  0. 63

In your instance, wanting to permit the 192.168.50.0 subnet to talk to the 192.168.60.0 subnet (assuming class C's):

access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255

Don't forget, when applying an ACL there is an implicit deny at the bottom of it, basically an invisible deny ip any any. Make sure you have all your permits in place before applying the ACL to the interface.

-Brian

Brian V
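The ACL behaviour the thread has been working through (host versus wildcard mask, first match wins, the implicit deny, and why SW's deny-most ACL on e0 in also cut PCs off from the other internal subnet) as an added Python simulation. This is example code written for this page, not Brian's or Cisco's, and the hosts, subnets and ACL entries in it are constructed samples modelled on the thread's 10.x examples.

```python
import ipaddress
ALL_ONES = 0xFFFFFFFF

def wildcard_from_mask(mask: str) -> str:
    """Brian's rule: wildcard = 255.255.255.255 - subnet mask (the bitwise inverse)."""
    return str(ipaddress.IPv4Address(ALL_ONES - int(ipaddress.IPv4Address(mask))))

def _matches(addr: str, base: str, wildcard: str) -> bool:
    # A wildcard bit of 1 means "don't care"; only the bits that are 0 are compared.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & ALL_ONES
    return (a & care) == (b & care)

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST'; SRC/DST is 'any', 'host X' or 'X WILDCARD'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action, i, parts = tok[2], 4, []
    for _ in range(2):
        if tok[i] == "any":                       # any == 0.0.0.0 255.255.255.255
            parts.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif tok[i] == "host":                    # host X == X 0.0.0.0
            parts.append((tok[i + 1], "0.0.0.0")); i += 2
        else:
            parts.append((tok[i], tok[i + 1])); i += 2
    return action, parts[0], parts[1]

def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit 'deny ip any any'."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if _matches(src, sb, sw) and _matches(dst, db, dw):
            return action
    return "deny"

# Constructed sample ACLs; the hosts and subnets are hypothetical, modelled on the thread's 10.x examples.
# SW's first attempt: only two hosts may go anywhere, so other PCs are also cut off from 10.2.0.0/24.
ACL_SW = [
    "access-list 101 permit ip host 10.1.1.1 any",
    "access-list 101 permit ip host 10.1.1.2 any",
    "access-list 101 deny ip any any",
]
# Brian's approach: permit internal-to-internal traffic first, then restrict Internet access.
ACL_FIXED = [
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.0.255",
    "access-list 101 permit ip host 10.1.1.1 any",
    "access-list 101 permit ip host 10.1.1.2 any",
    "access-list 101 deny ip any any",
]
```

Running evaluate() over both lists shows 10.1.1.5 to 10.2.0.7 denied under ACL_SW but permitted under ACL_FIXED, while 10.1.1.5 to an outside address still falls through to the final deny.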


Brian, Thanks for your assistance, Internet access is now more tightly controlled. SW

S W

Walter, Thanks for the help, I've a lot to learn! SW

S W
