Access-list assistance

Hello to the list ..

I'm trying to configure an access-list which will only allow access to a specific subnet.

My statement is as follows.

access-list 140 extended permit ip 10.1.10.0 255.255.255.0 10.1.15.0 255.255.255.240

The server which I am allowing the access to is in the 0 subnet (0-15).

So the question I have though is: can I control only to allow access to that 0 subnet and not all subnets on the /28?

Thanks!

GNY

Reply to
GNY

I don't follow. The access list that you have done only allows access to 10.1.15.0 /28. Isn't that what you want?

Chris.

Reply to
Chris

That may be what he wants but that's not what he did.

To the OP, do you know the difference between a netmask and wildcard bits?

Reply to
Rod Dorman

Ah, yes. Had my pix head on today. Should be the reverse mask on IOS.

Reply to
Chris

@Rod Yes I do .. I tried using the host bits but it stated that it doesn't pair. So I'm guessing that the combination was wrong?

@Chris Yes this is what I wanted, but I wanted to only allow the access to the 0 subnet, not the whole /28

Reply to
GNY

What do you mean by "the 0 subnet"? Do you want to allow access to 10.1.15.0 /28 (0-15) or not?

access-list 140 permit ip 10.1.10.0 0.0.0.255 10.1.15.0 0.0.0.15

Chris.

Reply to
Chris

@Chris

Sorry if being unclear is frustrating you. I'm sorry.

Yes that's what I want to allow access to. That's how I tried to write it, but I kept getting the error about the IP and host bits don't pair. hmmm

What's the ultimate difference between the 2 access-list statements besides missing the "extended"?

What I mean by the 0 subnet is the 0-15 network. If I wanted to allow access to only the 16 network it would be:

access-list 140 permit ip 10.1.10.0 0.0.0.255 10.1.15.0 0.0.0.31

Correct?

Thanks Again

GNY

Reply to
GNY

Hi GNY,

If you are using acl numbers 100 to 199 then it's extended anyway.

Then you are doing something wrong!

evil_homer(config)#access-list 140 permit ip 10.1.10.0 0.0.0.255 10.1.15.0 0.0.0.15
evil_homer(config)#^Z
evil_homer#sh access-list 140
Extended IP access list 140
    10 permit ip 10.1.10.0 0.0.0.255 10.1.15.0 0.0.0.15

So 10.1.10.0 0.0.0.15 is correct for this /28 network.

No. That would permit the 10.1.15.0 /27 network. If you want the 10.1.15.16 /28 then it would be

access-list 140 permit ip 10.1.10.0 0.0.0.255 10.1.15.16 0.0.0.15

10.1.15.0 /28 = 10.1.15.0 0.0.0.15
10.1.15.16 /28 = 10.1.15.16 0.0.0.15
10.1.15.32 /28 = 10.1.15.32 0.0.0.15
etc....

Hope that helps.

Chris.

Reply to
Chris

Chris,

Yep this clears it all up. It's based on the subnets the actual networks are in and the.. ok ok ..

Yep I got it.. Thanks!

GNY

Reply to
GNY

Maybe because my access list is actually a nonat access-group? I still can't get it to jive.

GNY

Reply to
GNY

Is this a router/IOS or a Pix?

Chris.

Reply to
Chris

ASA 5520

GNY

Reply to
GNY

I have figured this out as the ASA and an IOS router are 2 different beasts. The ASA uses the full forward subnet mask. An IOS uses the wildcard mask.

Reply to
GNY
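An added worked example (my own code, not from any poster in this thread) that ties together Chris's wildcard-mask table and GNY's closing point about ASA using a forward netmask where IOS uses a wildcard: it converts between the two forms, renders the same permit entry in both syntaxes, and checks which sample addresses (constructed here) an entry actually matches, so you can see why 0.0.0.31 covers the whole /27 while 10.1.15.16 0.0.0.15 covers only 16-31.

```python
# Added example: IOS wildcard masks vs ASA forward netmasks, using the
# 10.1.10.0/24 -> 10.1.15.x/28 entries discussed in the thread.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_to_wildcard(netmask: str) -> str:
    """Invert an ASA-style forward netmask into an IOS-style wildcard mask.
    The inversion is symmetric, so the same function converts back again."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ ALL_ONES))


def address_pairs_with_wildcard(address: str, wildcard: str) -> bool:
    """A consistent address/mask pair has no host bits set in the address:
    every 1 ("don't care") bit in the wildcard must be 0 in the address."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & w) == 0


def ace_matches(address: str, ace_addr: str, wildcard: str) -> bool:
    """Does an entry written as 'ace_addr wildcard' match 'address'?
    Wildcard 1-bits are ignored; only the 0-bit positions must agree."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    a = int(ipaddress.IPv4Address(address)) & care
    n = int(ipaddress.IPv4Address(ace_addr)) & care
    return a == n


def ios_ace(src_cidr: str, dst_cidr: str, number: int = 140) -> str:
    """Render the IOS form (wildcard masks) from two CIDR prefixes.
    strict=True makes ipaddress reject a prefix whose host bits are set."""
    src = ipaddress.IPv4Network(src_cidr, strict=True)
    dst = ipaddress.IPv4Network(dst_cidr, strict=True)
    return (f"access-list {number} permit ip "
            f"{src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def asa_ace(src_cidr: str, dst_cidr: str, number: int = 140) -> str:
    """Render the same entry in ASA form (forward subnet masks)."""
    src = ipaddress.IPv4Network(src_cidr, strict=True)
    dst = ipaddress.IPv4Network(dst_cidr, strict=True)
    return (f"access-list {number} extended permit ip "
            f"{src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


if __name__ == "__main__":
    print(ios_ace("10.1.10.0/24", "10.1.15.16/28"))
    print(asa_ace("10.1.10.0/24", "10.1.15.16/28"))
    for host in ("10.1.15.7", "10.1.15.20"):  # constructed sample hosts
        print(host, ace_matches(host, "10.1.15.0", "0.0.0.31"),
              ace_matches(host, "10.1.15.16", "0.0.0.15"))
```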
