ACL Headache

05hammer
05-16-2005
I am running a Catalyst 6509. I have a class C address split into 2
subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.

The upper range of addresses are to be exempt from the ACL so I need a
permit statement at the top of my ACL that permits any address greater
than 43.128 but forces the lower addresses down through the ACL.

I've tried something like this:

ip access-list extended testme
permit ip any any 192.168.43.129 0.0.0.128
--insert other ACL's here--
permit ip any any 192.168.43.0 0.0.0.128

but it doesn't seem to be working. 43.220 is still logging a deny on
tcp port 445, 135, 137, 111......

When I do a sho run | begin testme, I get this as the first line of the
ACL:

permit ip any any 192.168.43.1 0.0.0.128

It changes 43.129 to 43.1

What am I missing? These wildcard bits are chewing my brain man! I
gotta get this working like this because the upper addresses are part
of a global network and need the ports I am blocking to be accessible
for their address range.


Arnold Nipper
05-16-2005
On 16.05.2005 20:01 05hammer wrote

> I am running a Catalyst 6509. I have a class C address split into 2
> subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
>
> The upper range of addresses are to be exempt from the ACL so I need a
> permit statement at the top of my ACL that permits any address greater
> than 43.128 but forces the lower addresses down through the ACL.
>
> I've tried something like this:
>
> ip access-list extended testme
> permit ip any any 192.168.43.129 0.0.0.128


Try

ip access-list extended testme
permit ip any 192.168.43.128 0.0.0.127



Arnold
--
Arnold Nipper, AN45

Doan
05-16-2005
On 16 May 2005, 05hammer wrote:

> ip access-list extended testme
> permit ip any any 192.168.43.129 0.0.0.128
> --insert other ACL's here--
> permit ip any any 192.168.43.0 0.0.0.128

Your wildcard bits are wrong. One easy way to remember is to subtract
the subnet masks from 255.255.255.255. So, 192.168.43.129 255.255.255.128
becomes 192.168.43.129 0.0.0.127.

Doan




05hammer
05-16-2005
jeesh! I knew that too! I learned it like this - the numbers in the
filter mask are a power of 2 minus 1. So, yeah .127 is the correct
address. I'll go give it a go. Thanks again!

I h8 mondays sometimes!


thrill5
05-17-2005
The wildcard bits are also known as the "bizarro mask".

Scott

"Doan" wrote:
>
> Your wildcard bits are wrong. One easy way to remember is to subtract
> the subnet masks from 255.255.255.255. So, 192.168.43.129 255.255.255.128
> becomes 192.168.43.129 0.0.0.127.
>
> Doan

anybody43@hotmail.com
05-17-2005
The long term fix to this type of problem is
to use the representation that best fits the problem.
In this case binary representation is the most convenient.

128 = 1000 0000
127 = 0111 1111

It's hard for me to say how much effort
is involved in learning from scratch since I
have been using it regularly for so long now.

Luckily IP V6 is going to make it all much easier.

http://www.faqs.org/rfcs/rfc1924.html

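Added example (Python, written for this page and not taken from any post in the thread): the wildcard arithmetic Doan and anybody43 describe, worked through with the thread's own addresses. `wildcard_from_prefix` is Doan's subtract-from-255.255.255.255 rule, `normalize` reproduces what IOS stores for an ACE (bits under a wildcard 1 are cleared, which is why 43.129 0.0.0.128 came back as 43.1), and `matches` shows why 192.168.43.220 fell through the first line but is caught by Arnold's `192.168.43.128 0.0.0.127`. The function names are my own.

```python
import ipaddress

# Addresses and masks below are the ones from the thread; the functions are
# added here to illustrate wildcard ("bizarro") mask arithmetic.

def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Doan's rule: wildcard = 255.255.255.255 minus the subnet mask.
    A /25 (255.255.255.128) therefore gives 0.0.0.127, not 0.0.0.128."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - netmask))

def normalize(address: str, wildcard: str) -> str:
    """What IOS writes back into the running config: every address bit under
    a wildcard 1-bit is cleared. 192.168.43.129 with 0.0.0.128 becomes
    192.168.43.1, exactly as 'sho run | begin testme' showed the poster."""
    return str(ipaddress.IPv4Address(_as_int(address) & ~_as_int(wildcard) & 0xFFFFFFFF))

def matches(host: str, address: str, wildcard: str) -> bool:
    """An ACE matches a host when all bits NOT under a wildcard 1-bit agree."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(host) & care) == (_as_int(address) & care)

def covered_addresses(wildcard: str) -> int:
    """How many addresses one ACE covers: 2 ** (number of 1-bits in the wildcard).
    0.0.0.128 covers only two addresses; 0.0.0.127 covers the whole /25."""
    return 2 ** bin(_as_int(wildcard)).count("1")

def ace_for_network(cidr: str, action: str = "permit", proto: str = "ip") -> str:
    """Build the destination-only ACE Arnold suggested from a CIDR network."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{action} {proto} any {net.network_address} {wildcard_from_prefix(net.prefixlen)}"

if __name__ == "__main__":
    print(normalize("192.168.43.129", "0.0.0.128"))                  # 192.168.43.1
    print(matches("192.168.43.220", "192.168.43.129", "0.0.0.128"))  # False
    print(ace_for_network("192.168.43.128/25"))  # permit ip any 192.168.43.128 0.0.0.127
    print(matches("192.168.43.220", "192.168.43.128", "0.0.0.127"))  # True
```

The 0.0.0.128 wildcard only frees bit 7, so after normalization the ACE matches exactly two hosts (43.1 and 43.129), which is why every other upper-half address kept dropping through to the deny lines.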