Captain
Guest
Posted: Thu Dec 08, 2005 11:52 pm
Post subject: subnets in access lists...

I want to block any IP starting with 61 from accessing any one of
17 IPs on my network.
I know the following should work, but is there not a more simple
coding that would do the same?
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
access-list 101 permit ip any any
Walter Roberson
Guest
Posted: Thu Dec 08, 2005 11:52 pm
Post subject: Re: subnets in access lists...

In article <tv1hp11tj24c3tm1rfkfpvr08bi2lsjnmm@4ax.com>,
Captain <captain99_1999@yahoo.com> wrote:
> Sorry, yes an early IOS running on a Cisco3620.
> So if I wanted to block all IPs starting with 61 from accessing
> all IPs in the following range: a.b.c.64 <---> a.b.c.95
> Could I use:
> access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
> access-list 101 permit ip any any

Yes.
--
Prototypes are supertypes of their clones. -- maplesoft
Walter Roberson
Guest
Posted: Thu Dec 08, 2005 11:52 pm
Post subject: Re: subnets in access lists...

In article <v8sgp1d0atfbl164uis8lu9tifeg4r6poi@4ax.com>,
Captain <captain99_1999@yahoo.com> wrote:
> I want to block any IP starting with 61 from accessing any one of
> 17 IPs on my network.
> I know the following should work, but is there not a more simple
> coding that would do the same?
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
> [... up to .20]
> access-list 101 permit ip any any

It helps if you mention your platform.
In this instance we can deduce that it is likely IOS rather than PIX
because PIX would use 255.0.0.0 for the netmask.
PIX would allow you to create an object group that contained the
destination host addresses, and then to use a single statement to
control access to them...
access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts
I saw a hint that relatively new IOS versions are adding in equivalent
capabilities, but I haven't looked into that.
Other than that, the closest you get to "simpler" is
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
which of course is a nuisance to maintain... if you want to remove
a single host from the list, you could end up having to put in
a fair number of new entries.
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer
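The aggregation Walter works out by hand above (.4-.7, .8-.15, .16-.19, .20) and the 0.0.0.31 range he confirms in his "Yes." reply both follow from one rule: a wildcard mask of 2^k - 1 covers a block of 2^k addresses that starts on a multiple of 2^k, and a bit that is 0 in the wildcard must match the base address while a bit that is 1 is ignored. The script below is an added example, not code from any poster in this thread or from Cisco; it assumes the documentation prefix 192.0.2 as a constructed stand-in for the poster's placeholder a.b.c, takes the source side (61.0.0.0 0.255.255.255) and ACL number 101 from the thread, and shows the general algorithm of which Walter's four lines are one instance. It also converts an IOS wildcard to the PIX-style netmask he uses to deduce the platform, and reproduces his maintenance caveat by removing one host from the middle of a block.

```python
# Added example, not from the thread: aggregate destination hosts into
# Cisco IOS wildcard-mask ACL entries and check what each entry matches.
import ipaddress

# Source side is taken from the thread; 192.0.2.x is a constructed
# stand-in for the poster's placeholder a.b.c.x.
SRC_NET = "61.0.0.0"
SRC_WILDCARD = "0.255.255.255"


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_to_netmask(wildcard):
    """IOS wildcard (0 bit = must match) -> PIX-style netmask (1 bit = must match)."""
    return to_str(0xFFFFFFFF ^ to_int(wildcard))


def matches(addr, base, wildcard):
    """True if an entry written as 'base wildcard' matches addr: every bit that
    is 0 in the wildcard must agree with base, bits that are 1 are ignored."""
    w = to_int(wildcard)
    return (to_int(addr) & ~w) == (to_int(base) & ~w)


def covered(base, wildcard):
    """All addresses matched by a contiguous wildcard such as 0.0.0.31."""
    w = to_int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard; enumerate bit patterns instead")
    first = to_int(base) & ~w
    return [to_str(first + k) for k in range(w + 1)]


def aggregate(hosts):
    """Collapse a set of hosts into the fewest aligned blocks, each returned as
    (base, wildcard). A block of 2**k addresses must start on a multiple of
    2**k (the same rule as CIDR summarisation) and must contain only addresses
    from the input, so no unintended host is ever matched."""
    wanted = sorted({to_int(h) for h in hosts})
    wanted_set = set(wanted)
    entries = []
    i = 0
    while i < len(wanted):
        start = wanted[i]
        size = 1
        while True:
            bigger = size * 2
            if start % bigger != 0:               # would no longer be aligned
                break
            if any(start + j not in wanted_set for j in range(size, bigger)):
                break                             # would swallow an unwanted host
            size = bigger
        entries.append((to_str(start), to_str(size - 1)))
        while i < len(wanted) and wanted[i] < start + size:
            i += 1                                # skip hosts this block covers
    return entries


def render_acl(acl_number, hosts):
    """Emit the deny lines for the aggregated blocks plus the trailing permit."""
    lines = []
    for base, wildcard in aggregate(hosts):
        dst = f"host {base}" if wildcard == "0.0.0.0" else f"{base} {wildcard}"
        lines.append(f"access-list {acl_number} deny ip {SRC_NET} {SRC_WILDCARD} {dst}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    hosts = [f"192.0.2.{n}" for n in range(4, 21)]      # .4 through .20
    print("\n".join(render_acl(101, hosts)))
    print()
    # Removing one host from the middle of a block splits it into several lines.
    hosts.remove("192.0.2.12")
    print("\n".join(render_acl(101, hosts)))
```

Run as-is, the first listing is Walter's four deny lines followed by the permit; the second listing, with .12 removed, turns the single 0.0.0.7 entry into three (.8 with 0.0.0.3, host .13, .14 with 0.0.0.1), which is exactly the maintenance nuisance he describes. `covered("192.0.2.64", "0.0.0.31")` returns the 32 addresses .64 through .95 and nothing else, which is why the single-line answer in the follow-up is correct; `matches` is the check to run against a stray address before trusting a hand-written wildcard, since IOS accepts non-contiguous wildcards and a typo there silently widens the match.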
Captain
Guest
Posted: Fri Dec 09, 2005 1:25 am
Post subject: Re: subnets in access lists...

On Thu, 8 Dec 2005 18:20:24 +0000 (UTC), roberson@ibd.nrc-cnrc.gc.ca
(Walter Roberson) wrote:
> In article <v8sgp1d0atfbl164uis8lu9tifeg4r6poi@4ax.com>,
> Captain <captain99_1999@yahoo.com> wrote:
> > I want to block any IP starting with 61 from accessing any one of
> > 17 IPs on my network.
> > I know the following should work, but is there not a more simple
> > coding that would do the same?
> > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
> > [... up to .20]
> > access-list 101 permit ip any any
> It helps if you mention your platform.
> In this instance we can deduce that it is likely IOS rather than PIX
> because PIX would use 255.0.0.0 for the netmask.
> PIX would allow you to create an object group that contained the
> destination host addresses, and then to use a single statement to
> control access to them...
> access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts
> I saw a hint that relatively new IOS versions are adding in equivalent
> capabilities, but I haven't looked into that.
> Other than that, the closest you get to "simpler" is
> access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
> access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
> access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
> which of course is a nuisance to maintain... if you want to remove
> a single host from the list, you could end up having to put in
> a fair number of new entries.
> ///////////////////////////////////////////////////////////////////

Sorry, yes an early IOS running on a Cisco3620.
So if I wanted to block all IPs starting with 61 from accessing
all IPs in the following range: a.b.c.64 <---> a.b.c.95
Could I use:
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
access-list 101 permit ip any any
Arnold Nipper
Guest
Posted: Fri Dec 09, 2005 2:27 am
Post subject: Re: subnets in access lists...

On 08.12.2005 18:52 Captain wrote
> I want to block any IP starting with 61 from accessing any one of
> 17 IPs on my network.
> I know the following should work, but is there not a more simple
> coding that would do the same?
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
> access-list 101 permit ip any any

If you are dealing often with access-lists you may want to have a look
at aggregate (http://www.freshports.org/net-mgmt/aggregate/)

Arnold
--
Arnold Nipper, AN45
Captain
Guest
Posted: Fri Dec 09, 2005 3:00 am
Post subject: Re: subnets in access lists...

On Thu, 8 Dec 2005 20:12:13 +0000 (UTC), roberson@ibd.nrc-cnrc.gc.ca
(Walter Roberson) wrote:
> In article <tv1hp11tj24c3tm1rfkfpvr08bi2lsjnmm@4ax.com>,
> Captain <captain99_1999@yahoo.com> wrote:
> > Sorry, yes an early IOS running on a Cisco3620.
> > So if I wanted to block all IPs starting with 61 from accessing
> > all IPs in the following range: a.b.c.64 <---> a.b.c.95
> > Could I use:
> > access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
> > access-list 101 permit ip any any
> Yes.

Thank you!
It's all making sense now!!