CTM, first of all, in my experience, writing down exactly what you want to do really helps. It gives you a visual map of what you want to go through and what you don't. Second of all (now, correct me if I'm wrong), you want all "deny" statements at the end. That's how I've done it anyway. After you've figured out all of that, it's just a simple rewording of the access list. You may also want to keep in mind that where you place the access list matters (i.e., whether it's an "in" or "out" access group).
-Nate

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]

I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of the far router three times; folks over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24; the latter is physically the same devices, multihomed as 192.168.100.0/24. I realize my NAT is messed up and I'm wrapping my head around the literature pulled from Cisco (led to by links provided by you generous folks). Looks like I also need to look in depth at access lists. I'm taking baby steps but am slowly making progress. Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54273&t=54268
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
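Two things in this exchange are worth seeing with actual packets rather than by eye: IOS evaluates an ACL top-down and stops at the first matching entry, with an implicit "deny any any" after the last line, so the position of a deny decides what it does, and since list 101 is the one named in "ip nat inside source list 101", a deny there means "do not translate", not "drop". The script below is an added example written for this thread, not code from the original post or from Cisco. It is a small first-match simulator for "permit|deny ip" entries with contiguous wildcard masks (it rejects non-contiguous ones, which IOS allows), fed the two lists exactly as posted above. It shows that the posted order exempts 192.168.100.0/24 -> 172.29.30.0/24 from NAT, that moving the deny to the end (the "all denies last" rewrite) leaves it shadowed by the "any" entry above it so the inter-site traffic gets translated after all, and, for Nate's point about where a list is applied, that a session sourced from 172.29.30.0/24 falls through list 100 to the implicit deny. The sample source and destination addresses, the 198.51.100.10 destination, and the function names are constructed for the example; the post does not say which interface, or which direction, the lists are applied on.

```python
"""First-match simulation of Cisco IOS extended IP ACLs (hypothetical helper,
not part of the thread). Shows why entry order, not the permit/deny keyword
by itself, decides what an ACL does."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two lists exactly as posted in the thread. List 101 is the one referenced
# by "ip nat inside source list 101 ...", so a "deny" there means "do not
# translate this traffic", not "drop it".
POSTED_CONFIG = """
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Ace:
    """One access-control entry, with src/dst already converted to prefixes."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(net: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'network wildcard' to a prefix. IOS accepts non-contiguous
    wildcards; this model rejects them so the containment test below is exact."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # contiguous wildcards are of the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{net}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return the remainder."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config: str, number: str) -> List[Ace]:
    """Pull the entries of one numbered list out of a config fragment, in order."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", number]:
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit|deny ip' entries are modelled: {line}")
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first entry that matches wins. No match at all hits
    the implicit 'deny any any' at the end, reported here as index None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(acl, start=1):
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """1-based indices of entries that can never match because an earlier entry
    already covers every (src, dst) pair they describe."""
    dead = []
    for i, later in enumerate(acl):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
               for e in acl[:i]):
            dead.append(i + 1)
    return dead


def denies_last(acl: List[Ace]) -> List[Ace]:
    """The 'all denies at the end' rewrite, kept for comparison."""
    return [a for a in acl if a.action == "permit"] + [a for a in acl if a.action == "deny"]


if __name__ == "__main__":
    acl101 = parse_acl(POSTED_CONFIG, "101")
    # As posted: 192.168.100.x -> 172.29.30.x is exempted from NAT by entry 1.
    print(evaluate(acl101, "192.168.100.20", "172.29.30.5"))    # ('deny', 1)
    print(evaluate(acl101, "192.168.100.20", "198.51.100.10"))  # ('permit', 2)
    # With the deny moved last, the "any" in entry 1 swallows it: the deny is
    # dead and the inter-site traffic is now translated.
    moved = denies_last(acl101)
    print(shadowed_entries(moved))                              # [3]
    print(evaluate(moved, "192.168.100.20", "172.29.30.5"))     # ('permit', 1)
    # Lockout check: whatever list guards the interface the admin arrives on
    # must permit the admin's own source, or the implicit deny ends the session.
    acl100 = parse_acl(POSTED_CONFIG, "100")
    print(evaluate(acl100, "172.29.30.10", "64.172.228.130"))   # ('deny', None)
```

Before pushing a rewritten list to the far router, run the admin's own source and destination through it in the direction it will be applied; if the result is the implicit deny, that is the lockout. On the real box, "show access-lists" shows per-entry match counters, so an entry whose counter never moves after traffic that should hit it is the same shadowing this script reports.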

