> -----Original Message-----
> From: Gerardo Soto [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 5 January 2000 6:09 AM
> To: [EMAIL PROTECTED]
> Subject: Cisco ACL command
> 
> 
> Hello:
>       I know this is going to be a dumb question, but anyway here it
> goes:

I've seen dumber. ;)

> 
> I am trying to configure my access-list in a way that one specific ip
> address is permitted to establish a communication with several machines
> within the same class C address ? 
[snip]
> 
> When I write the word *range* in my access-list I keep getting the marker
> that tells me that it is wrong, for example:
> 
> access-list 199 permit ip 90.0.0.1 range 90.0.0.5 255.255.255.30 any log
> access-list 199 deny   ip any any 

You're not using range correctly - range is for when you want to permit a
range of _ports_ for IP protocols that are port based, eg:
permit tcp host 10.0.0.1 host 10.0.0.2 range 50 100
allows 10.0.0.1 to talk to 10.0.0.2 on tcp ports 50 to 100, but not any
others.

You want to permit a range of addresses - that is just done with the arcane
Cisco masking system.

What you want to do looks like this (slack way)

access-list 199 permit ip host 90.0.0.1 90.0.0.0 0.0.0.31

Which allows it to talk to any hosts 90.0.0.1 through to 90.0.0.31.

The non slack way is to prepend lines like this
access-list 199 deny ip host 90.0.0.1 90.0.0.0 0.0.0.3
(this strips 90.0.0.1,2 and 3)
access-list 199 deny ip host 90.0.0.1 host 90.0.0.4
access-list 199 deny ip host 90.0.0.1 host 90.0.0.31

I might have some off by one errors there somewhere, so check this around
the borders before you run it on a production system - this is off the top
of my head.

One caveat - you could get routing weirdness. For ACLs to work, packets need
to pass THROUGH the router. For what you're describing to work, the route
for 90.0.0.1/32 will have to be more specific than and on a different
interface than the route to 90.0.0.x/24.

> 
>       Any help will be deeply appreciated !!!
> 
> **************************************************************
> *****************
> Ing. Gerardo Soto Casados
> Compu-Redes

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
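
The border check suggested in the reply can be done offline before anything touches a router. The following is an added example, not part of the original thread: it evaluates extended-ACL entries with IOS wildcard semantics (a set bit in the mask means that bit is ignored), first match wins, implicit deny at the end. The rule sets are constructed from the thread's addresses, and it also shows what a netmask-style value such as 255.255.255.224 matches when it sits in the wildcard position.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wild_match(src, s_base, s_wild) and wild_match(dst, d_base, d_wild):
            return action
    return "deny"

def permitted_octets(acl, src="90.0.0.1", prefix="90.0.0."):
    """Last octets within the /24 that src is allowed to reach."""
    return [n for n in range(256) if evaluate(acl, src, f"{prefix}{n}") == "permit"]

HOST = "0.0.0.0"  # wildcard equivalent of the "host" keyword

# Constructed rule sets (assumption: entries written in wildcard form).
BROAD = [("permit", "90.0.0.1", HOST, "90.0.0.0", "0.0.0.31")]
TIGHT = [
    ("deny", "90.0.0.1", HOST, "90.0.0.0", "0.0.0.3"),
    ("deny", "90.0.0.1", HOST, "90.0.0.4", HOST),
    ("deny", "90.0.0.1", HOST, "90.0.0.31", HOST),
] + BROAD
# The same permit with a netmask-style value in the wildcard position.
NETMASK_STYLE = [("permit", "90.0.0.1", HOST, "90.0.0.1", "255.255.255.224")]

if __name__ == "__main__":
    for name, acl in (("broad", BROAD), ("tight", TIGHT),
                      ("netmask-style", NETMASK_STYLE)):
        print(f"{name:14s} permits last octets {permitted_octets(acl)}")
```

With the netmask-style value only the low five bits of the destination are compared, so the entry matches addresses ending in 1, 33, 65 and so on in every network, not a contiguous block.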