Gerardo Soto wrote:
>
> I am trying to configure my access-list in a way that one specific IP
> address is permitted to establish a communication with several machines
> within the same class C address?
> I mean, I have a machine 90.0.0.1 that I would like to permit connections
> to 25 different IPs within that same class C network (90.0.0.5 to
> 90.0.0.30). How do I manage to do that? I know that there is
> something like range or so but I am not very sure. Can anyone help me?
Well, first, if the machines are on the same router interface and subnet,
the packets aren't going to go through the router. If you're actually on
the same router interface, you'll have to fiddle with subnet masks and
create secondary interfaces to do what you want. However, being as the
machines will be on the same wire, it won't be very secure.
I'll give you instructions for a normal case in which the machine you described
as being at 90.0.0.1 is on a different subnet/router interface (at 91.0.0.1).
Step 1:
Try to align machine addresses on address boundaries that are a multiple
of the number of machines. If you have 8 machines, align on address
0, 8, 16, 24, 32, etc. Machines that are outside the multiple will have
to be handled with extra ACLs which is less CPU efficient, adds
additional administrative overhead, and is more likely to cause mistakes.
Step 2:
Find the maskable ranges in your address space. This will be easier if you
aligned the addresses in Step 1. Your range is 5-30. I find it easier to do
all calculations in octal. Some may feel more comfortable in hex. Most people
will be able to "see" the binary bits better by examination in one of these
two formats. If you don't understand binary/octal/decimal/hex well, you'll
need to do some brushing up on CS/math basics. In octal, the address range
is 5-36.
5 mask = 0
6-7 mask = 1
10-17 mask = 7
20-27 mask = 7
30-33 mask = 3
34-35 mask = 1
36 mask = 0
If you added 90.0.0.31 to the range, you could consolidate:
30-37 mask = 7
Step 3:
Convert back to decimal and plug into ACL statements:
#90.0.0.5
access-list 100 permit ip host 91.0.0.1 host 90.0.0.5
#90.0.0.6 - 90.0.0.7
access-list 100 permit ip host 91.0.0.1 90.0.0.6 0.0.0.1
#90.0.0.8 - 90.0.0.15
access-list 100 permit ip host 91.0.0.1 90.0.0.8 0.0.0.7
#90.0.0.16 - 90.0.0.23
access-list 100 permit ip host 91.0.0.1 90.0.0.16 0.0.0.7
#90.0.0.24 - 90.0.0.27
access-list 100 permit ip host 91.0.0.1 90.0.0.24 0.0.0.3
#90.0.0.28 - 90.0.0.29
access-list 100 permit ip host 91.0.0.1 90.0.0.28 0.0.0.1
#90.0.0.30
access-list 100 permit ip host 91.0.0.1 host 90.0.0.30
In this example, all the masks were less than or equal to seven,
which means the octal and decimal values were identical. This
won't always be the case and it's easy to forget to convert
(just ask NASA ;)
If you defined the accessible addresses as 90.0.0.0 - 90.0.0.31,
you could do it all with one ACL:
0-37 mask = 37
access-list 100 permit ip host 91.0.0.1 90.0.0.0 0.0.0.31
Gary Flynn
Security Engineer
Technical Services - James Madison University