You don't always want to put the deny at the end.  For example, if you want
to deny just one subnet, but permit everything else, putting the permit any
statement at the beginning would allow the subnet you intended to deny.  I
know, a lot of permitting and denying going on in that sentence.  :)-
"Nathan Nakao" wrote in message news:[EMAIL PROTECTED]...
> CTM,
>
>   First of all, in my experience, writing down exactly what you want to
> do really helps.  It gives you a visual map of what you want to go
> through and what you don't.  Second of all (now correct me if I'm wrong)
> you want all "deny" statements at the end.  That's how I've done it
> anyways.  After you've figured out all of that, it's just a simple
> rewording of the access list.  You may also want to keep in mind that
> where you place the access list matters (i.e. if it's an "in" or "out"
> access group).
>
> -Nate
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 12:54 PM
> To: [EMAIL PROTECTED]
> Subject: Messing up Access Lists [7:54268]
>
>
> I've been trying to optimize communications between two distant routers.
> So far I've managed to lock myself out of the far router three times,
> folks over there are getting weary of my mistakes ;-)
>
> I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the
> latter is physically the same devices multihomed as 192.168.100.0/24.
>
> I realize my NAT is messed up and I'm wrapping my head around the
> literature pulled from Cisco (led to by links provided by you generous folks).
> Looks like I also need to look in depth at access lists. I'm taking baby
> steps but am slowly making progress.
>
> Would love to solicit comments/advice on the following:
>
> ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
> ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> ip nat inside source static 172.29.10.20 64.172.228.154
> ip nat inside source static 192.168.100.20 64.172.228.132
> ip nat inside source static 192.168.100.135 64.172.228.135
> ip nat inside source static 172.29.20.20 64.172.228.133
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> !
> logging history size 250
> logging history errors
> logging facility syslog
> access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> route-map nonat permit 10
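The first-match behaviour discussed above, as an added example that is not part of the thread: a small Python simulator of extended "permit|deny ip SRC DST" entries with Cisco wildcard masks, plus a check that flags entries shadowed by an earlier one. It loads the posted ACL 101 (deny first) beside the same entries with the permit moved first; since 101 is a NAT source list, "deny" here means "do not translate", not "drop".

```python
import ipaddress
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)

def _take_addr(tokens):
    # 'any' is shorthand for 0.0.0.0 255.255.255.255; otherwise NETWORK WILDCARD.
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    # Parses 'access-list N permit|deny ip SRC DST' (the form used in the thread).
    tok = line.split()
    src, rest = _take_addr(tok[4:])
    dst, _ = _take_addr(rest)
    return tok[2], src, dst

def evaluate(acl, src, dst):
    # First matching entry wins; anything unmatched hits the implicit deny at the end.
    # Returns (action, index of the matching entry, or None for the implicit deny).
    for i, line in enumerate(acl):
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, i
    return "deny", None

def _covers(a, b):
    # True when wildcard entry a matches every address that entry b matches.
    (an, aw), (bn, bw) = a, b
    care = ~_ip(aw) & 0xFFFFFFFF
    return (_ip(aw) | _ip(bw)) == _ip(aw) and (_ip(an) & care) == (_ip(bn) & care)

def shadowed_entries(acl):
    # Indexes of entries that can never match because an earlier entry covers them.
    p = [parse_ace(line) for line in acl]
    return [j for j, (_, bs, bd) in enumerate(p)
            if any(_covers(s, bs) and _covers(d, bd) for _, s, d in p[:j])]
# ACL 101 exactly as posted in the thread (the deny comes first).
ACL_101_AS_POSTED = [
    "access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
    "access-list 101 permit ip 172.29.10.0 0.0.0.255 any",
]
# The same entries with the permit moved ahead of the deny: the deny becomes unreachable.
ACL_101_PERMIT_FIRST = [ACL_101_AS_POSTED[1], ACL_101_AS_POSTED[0], ACL_101_AS_POSTED[2]]
```

`shadowed_entries` is the check worth running before pushing an ACL to a remote router: a shadowed deny is exactly the mistake the reply above warns about.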

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54274&t=54268
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]