Access-list Question
Hi,
I hope someone can help me.
I made an access-list to block a host with an IP address of 172.16.30.2 255.255.255.0. I created the access-list as:
"access-list 10 deny 172.16.30.2 0.0.0.0". I did not add any permit statement. I applied it to RouterB interface S1 outbound (I have included a picture).
I know that I should include at least one permit statement. But the funny thing is that the access-list works if I don't add the permit statement, and it doesn't work if I add the permit statement.
I'm using Todd Lammle's Virtual Lab for the 640-507 version. Did I do something wrong?
Thanks
Imran4sin 2003-04-02, 8:21 pm
Are you trying to deny a particular host (IP address) or a class of hosts, meaning a class C address?
The mask that you used will deny the particular address 172.16.30.2.
And you should have permit statements after this:
"access-list 10 permit any any"
else by default everyone will be blocked.
Let me know if this is what you are trying to do.
Cheers.
I'm trying to deny just 172.16.30.2.
Should I have used "access-list 10 deny 172.16.30.2"?
What's the difference between:
"access-list 10 permit any" and "access-list 10 permit any any"?
Thanks again
edmonds_robert 2003-04-03, 7:15 am
The difference between the two is that the second one isn't valid syntax for a standard access-list. You will need to use an extended access-list to filter based on source and destination address:
access-list 100 permit ip any any
darronb 2003-04-03, 7:47 am
If you are installing access lists you have to insert them in the same order as they will be executed in the router,
i.e.
access-list 1 deny host 172.16.30.2
then
access-list 1 permit any
If you already have access lists in the router (access-list 1), then you will need to remove them first.
Using a TFTP server to save the config to the PC and then editing it is a less cumbersome method.
Hope this helps.
Okay, but my question is:
I'm trying to just deny 172.16.30.2 to network 172.16.55.0 255.255.255.0, so should I use "access-list 10 deny 172.16.30.2 0.0.0.0", then "access-list 10 permit any", and then apply it to int S1 outbound (please see the doc attachment on the 1st post to see what I mean)?
Thanks
djmaplethorpe 2003-04-03, 4:20 pm
I think from what I am reading that you are looking at the wrong type of access-list. A standard access list can deny or permit packets by source address only, and it permits or denies the entire TCP/IP protocol suite. I think what you are trying to do would constitute an extended access-list. Check out this site that I was referred to and see if it helps.
Good luck
http://www.sans.org/rr/netdevices/easy_steps.php
Imran4sin 2003-04-04, 3:26 pm
You still need the standard access list.
Follow these steps:
router(config)#access-list 1 deny host 172.16.30.2
/* we use the keyword host, which means that the wildcard is 0.0.0.0 */
router(config)#access-list 1 permit any
/* this is used so other traffic still gets through; now place it on the interface of the destination router, assuming it is router C */
routerC(config)#int s0
routerC(config-if)#ip access-group 1 out
/*
after applying all this, try pinging in; it should be denied. Otherwise change the direction of the applied list to in.
*/
I hope this helps.
Cu.
edmonds_robert 2003-04-04, 3:42 pm
If you are trying to prevent traffic from 172.16.30.2 from getting to the subnet 172.16.55.0, just apply an inbound extended access-list on router C, or an outbound standard access-list on router C's Token Ring interface.
The first would look like this:
access-list 100 deny ip host 172.16.30.2 172.16.55.0 0.0.0.255
access-list 100 permit ip any any
int s0
ip access-group 100 in
The second would look like this:
access-list 1 deny host 172.16.30.2
access-list 1 permit any
int to0
ip access-group 1 out
You could also apply a similar access-list to router B's serial interface using the commands outlined by imran4sin.
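An added example, not code from the thread, from the Sybex lab, or from Cisco: a small Python model of the IOS access-list rules this thread keeps circling (wildcard masks, first match wins, and the implicit "deny any" at the end of every list), run over the three lists discussed, namely the original poster's deny-only list 10, the standard list 1, and the extended list 100 from the post above. The function names (`parse_acl`, `evaluate`, `wildcard_match`) and the sample packets are mine; the access-list lines are the ones quoted in the thread, and port options such as "eq 21" are deliberately not modelled.

```python
"""Model of how Cisco IOS evaluates numbered ACLs (added illustration, not thread code).

Only the rules this thread turns on are modelled: wildcard masks (a 1 bit means
"don't care"), first match wins, and the implicit "deny any" IOS appends to every
list.  Standard lists (1-99) match on source only; extended lists (100-199) match
protocol, source and destination.  Port options such as "eq 21" are left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, str]  # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Addr:
    return (addr, "0.0.0.0")  # `host X` is shorthand for `X 0.0.0.0`


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set in the wildcard are ignored; all other bits must equal `base`."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: Addr
    dst: Optional[Addr] = None  # None for a standard (source-only) list
    protocol: str = "ip"        # "ip" matches any IP protocol


def evaluate(acl: List[Entry], src: str, dst: str, protocol: str = "icmp") -> str:
    """Top to bottom, first match decides; no match falls to the implicit deny.
    That implicit deny is why a list holding only deny statements blocks every
    host, not just the one named in it."""
    for e in acl:
        if e.protocol not in ("ip", protocol):
            continue
        if not wildcard_match(src, *e.src):
            continue
        if e.dst is not None and not wildcard_match(dst, *e.dst):
            continue
        return e.action
    return "deny"


def _addr(tok: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec: `any`, `host X`, `X wildcard` or a bare `X`."""
    if not tok:
        raise ValueError("missing address")
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return host(tok[1]), tok[2:]
    if len(tok) > 1 and tok[1].count(".") == 3:  # next token is a dotted-quad wildcard
        return (tok[0], tok[1]), tok[2:]
    return host(tok[0]), tok[1:]  # bare address: IOS assumes wildcard 0.0.0.0


def parse_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    """Parse `access-list N permit|deny ...` lines, rejecting what IOS rejects,
    e.g. a destination on a standard list (`access-list 10 permit any any`)."""
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"bad access-list line: {line!r}")
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= num <= 99:                 # standard: source only
            src, rest = _addr(rest)
            if rest:
                raise ValueError(f"standard ACL {num} takes a source only: {line!r}")
            entry = Entry(action, src)
        elif 100 <= num <= 199:            # extended: protocol source destination
            proto, rest = rest[0], rest[1:]
            src, rest = _addr(rest)
            dst, rest = _addr(rest)
            if rest:
                raise ValueError(f"unsupported trailing options: {line!r}")
            entry = Entry(action, src, dst, proto)
        else:
            raise ValueError(f"ACL number {num} out of range")
        acls.setdefault(num, []).append(entry)
    return acls


# Constructed configs mirroring the three variants discussed in the thread.
DENY_ONLY = parse_acl(["access-list 10 deny 172.16.30.2 0.0.0.0"])[10]
STANDARD = parse_acl(["access-list 1 deny host 172.16.30.2",
                      "access-list 1 permit any"])[1]
EXTENDED = parse_acl(["access-list 100 deny ip host 172.16.30.2 172.16.55.0 0.0.0.255",
                      "access-list 100 permit ip any any"])[100]

if __name__ == "__main__":
    for name, acl in (("10", DENY_ONLY), ("1", STANDARD), ("100", EXTENDED)):
        for s, d in (("172.16.30.2", "172.16.55.10"), ("172.16.30.3", "172.16.55.10"),
                     ("172.16.30.2", "10.1.1.1")):
            print(f"access-list {name:>3}: {s} -> {d}: {evaluate(acl, s, d)}")
```

Run as a script it prints the verdict for each list and packet. Two things stand out: the deny-only list 10 returns "deny" for every source, which is the implicit deny doing the work and is why the original list seemed to "work" without a permit statement; and the standard list 1 denies 172.16.30.2 towards every destination because it never looks at the destination, which is why a standard list is placed close to the destination while the extended list 100 can sit at the source and still let that host reach 10.1.1.1. The parser also refuses `access-list 10 permit any any`, matching the syntax point made earlier in the thread.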
Imran4sin 2003-04-04, 4:04 pm
Hi edmonds_robert,
Dude, don't we need to specify the protocol being filtered in an extended ACL? You are denying ip, but don't we need to specify the "eq ftp/21 or http/80" option?
Or does denying ip take care of that, since FTP/HTTP are application layer protocols?
What I'm trying to say is: don't we specify the "eq xx", or is that optional?
Also, is this a typo under the 2nd ACL?
quote: access-list 1 permit any
int to0
ip access-group 1 out
Cheers.
edmonds_robert 2003-04-04, 4:39 pm
That is optional. If you only want to permit or deny certain protocols, then you would use the port numbers, along with tcp or udp.
Imran4sin 2003-04-04, 4:57 pm
Cheers, bud.
darronb 2003-04-05, 4:02 am
You would put the extended access-list inbound on E0 of Router B. This would minimise the traffic on the network.
I think there is a bug in my Sybex Virtual Lab. Although I followed the lab instructions and Imran's and Edmond's suggestions, the damn thing still doesn't work.
Thanks anyway.
jnierman 2003-04-09, 5:43 pm
You would place a standard IP access-list at the destination and an extended IP access-list at the source, just as darronb stated.