subnets in access lists...
Posted by Captain on December 8, 2005, 12:52 pm
I want to block any ip starting with 61 from accessing any one of 17 ips on my network. I know the following should work, but is there not a more simple coding that would do the same?

access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
access-list 101 permit ip any any

Posted by Walter Roberson on December 8, 2005, 1:20 pm
>I know the following should work, but is there not a more simple
>coding that would do the same?
>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
[... up to .20]
>access-list 101 permit ip any any

It helps if you mention your platform.

In this instance we can deduce that it is likely IOS rather than PIX because PIX would use 255.0.0.0 for the netmask.

PIX would allow you to create an object group that contained the destination host addresses, and then to use a single statement to control access to them...

access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts

I saw a hint that relatively new IOS versions are adding in equivalent capabilities, but I haven't looked into that.

Other than that, the closest you get to "simpler" is

access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20

which of course is a nuisance to maintain... if you want to remove a single host from the list, you could end up having to put in a fair number of new entries.
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer

Posted by Captain on December 8, 2005, 2:25 pm
On Thu, 8 Dec 2005 18:20:24 +0000 (UTC), roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:

>>I want to block any ip starting with 61 from accessing any one of
>>17 ips on my network.
>
>>I know the following should work, but is there not a more simple
>>coding that would do the same?
>
>>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
>[... up to .20]
>>access-list 101 permit ip any any
>
///////////////////////////////////////////////////////////////////
>It helps if you mention your platform.
>
>In this instance we can deduce that it is likely IOS rather than PIX
>because PIX would use 255.0.0.0 for the netmask.
>
>PIX would allow you to create an object group that contained the
>destination host addresses, and then to use a single statement to
>control access to them...
>
>access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts
>
>I saw a hint that relatively new IOS versions are adding in equivalent
>capabilities, but I haven't looked into that.
>
>Other than that, the closest you get to "simpler" is
>
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
>
>which of course is a nuisance to maintain... if you want to remove
>a single host from the list, you could end up having to put in
>a fair number of new entries.

Sorry, yes an early IOS running on a Cisco3620.

So if I wanted to block all ips starting with 61 from accessing all IPs in the following range: a.b.c.64 <---> a.b.c.95

Could I use:

access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
access-list 101 permit ip any any

Posted by Walter Roberson on December 8, 2005, 3:12 pm
>Sorry, yes an early IOS running on a Cisco3620.
>So if I wanted to block all ips starting with 61 from accessing
>all IPs in the following range: a.b.c.64 <---> a.b.c.95
>Could I use:
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
>access-list 101 permit ip any any

Yes.
--
Prototypes are supertypes of their clones. -- maplesoft

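Added here as an illustration and not part of the thread: a small Python check that expands IOS address/wildcard pairs into the hosts they actually match, then confirms that the four-line summary above covers exactly a.b.c.4 through .20 and that a.b.c.64 0.0.0.31 covers exactly .64 through .95. The thread never gives the real a.b.c prefix, so the constructed documentation range 192.0.2 stands in for it.

```python
import ipaddress

# Constructed stand-in for the thread's unspecified a.b.c prefix (RFC 5737 test range).
PREFIX = "192.0.2."

def wildcard_hosts(base, wildcard):
    """Expand an IOS address/wildcard pair into the set of addresses it matches.
    A 1 bit in the wildcard is 'don't care'; a 0 bit must equal the base address."""
    base_i = int(ipaddress.IPv4Address(base))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    free_bits = [b for b in range(32) if (wc_i >> b) & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too broad to enumerate as individual hosts")
    fixed = base_i & ~wc_i & 0xFFFFFFFF   # IOS keeps only the bits the mask fixes
    hosts = set()
    for n in range(1 << len(free_bits)):
        addr = fixed
        for i, bit in enumerate(free_bits):
            if (n >> i) & 1:
                addr |= 1 << bit
        hosts.add(str(ipaddress.IPv4Address(addr)))
    return hosts

def destinations(ace):
    """Destination hosts matched by one 'access-list N deny ip SRC SRCWC DST ...' entry."""
    t = ace.split()
    return {t[7]} if t[6] == "host" else wildcard_hosts(t[6], t[7])

def coverage(aces, wanted):
    """Compare the hosts a set of deny entries reaches with the hosts intended.
    Returns (exact_match, over_blocked, missed)."""
    covered = set().union(*(destinations(a) for a in aces))
    wanted = set(wanted)
    return covered == wanted, covered - wanted, wanted - covered

SUMMARISED_17 = [
    f"access-list 101 deny ip 61.0.0.0 0.255.255.255 {PREFIX}4 0.0.0.3",
    f"access-list 101 deny ip 61.0.0.0 0.255.255.255 {PREFIX}8 0.0.0.7",
    f"access-list 101 deny ip 61.0.0.0 0.255.255.255 {PREFIX}16 0.0.0.3",
    f"access-list 101 deny ip 61.0.0.0 0.255.255.255 host {PREFIX}20",
]
RANGE_64_95 = [f"access-list 101 deny ip 61.0.0.0 0.255.255.255 {PREFIX}64 0.0.0.31"]

def check_thread_examples():
    """Both condensed forms from the thread should match their intended hosts exactly."""
    r17 = coverage(SUMMARISED_17, [f"{PREFIX}{i}" for i in range(4, 21)])
    r32 = coverage(RANGE_64_95, [f"{PREFIX}{i}" for i in range(64, 96)])
    return r17, r32
```

The same expansion exposes the usual pitfall with condensed entries: a base that is not aligned to its wildcard, such as a.b.c.6 0.0.0.3, silently matches .4 through .7 because the don't-care bits of the base are discarded, so a check like this is worth running before trusting a shortened list.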
Posted by Captain on December 8, 2005, 4:00 pm
On Thu, 8 Dec 2005 20:12:13 +0000 (UTC), roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:

>>Sorry, yes an early IOS running on a Cisco3620.
>
>>So if I wanted to block all ips starting with 61 from accessing
>>all IPs in the following range: a.b.c.64 <---> a.b.c.95
>>Could I use:
>
>>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
>>access-list 101 permit ip any any
>
>Yes.

Thank you! It's all making sense now!!