Velocity Reviews - Computer Hardware Reviews

subnets in access lists...

Captain
12-08-2005
I want to block any ip starting with 61 from accessing any one of
17 ips on my network.

I know the following should work, but is there not a more simple
coding that would do the same?

access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
access-list 101 permit ip any any

 
Walter Roberson
12-08-2005
In article <(E-Mail Removed)>,
Captain <(E-Mail Removed)> wrote:
>I want to block any ip starting with 61 from accessing any one of
>17 ips on my network.


>I know the following should work, but is there not a more simple
>coding that would do the same?


>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4

[... up to .20]
>access-list 101 permit ip any any


It helps if you mention your platform.

In this instance we can deduce that it is likely IOS rather than PIX
because PIX would use 255.0.0.0 for the netmask.

PIX would allow you to create an object group that contained the
destination host addresses, and then to use a single statement to
control access to them...

access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts

I saw a hint that relatively new IOS versions are adding in equivalent
capabilities, but I haven't looked into that.

Other than that, the closest you get to "simpler" is

access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20

which of course is a nuisance to maintain... if you want to remove
a single host from the list, you could end up having to put in
a fair number of new entries.
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer
 
Captain
12-08-2005
On Thu, 8 Dec 2005 18:20:24 +0000 (UTC), (E-Mail Removed)-cnrc.gc.ca
(Walter Roberson) wrote:

>In article <(E-Mail Removed)>,
>Captain <(E-Mail Removed)> wrote:
>>I want to block any ip starting with 61 from accessing any one of
>>17 ips on my network.

>
>>I know the following should work, but is there not a more simple
>>coding that would do the same?

>
>>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4

>[... up to .20]
>>access-list 101 permit ip any any

>
>It helps if you mention your platform.
>
>In this instance we can deduce that it is likely IOS rather than PIX
>because PIX would use 255.0.0.0 for the netmask.
>
>PIX would allow you to create an object group that contained the
>destination host addresses, and then to use a single statement to
>control access to them...
>
>access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts
>
>I saw a hint that relatively new IOS versions are adding in equivalent
>capabilities, but I haven't looked into that.
>
>Other than that, the closest you get to "simpler" is
>
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
>
>which of course is a nuisance to maintain... if you want to remove
>a single host from the list, you could end up having to put in
>a fair number of new entries.

///////////////////////////////////////////////////////////////////

Sorry, yes an early IOS running on a Cisco3620.

So if I wanted to block all ips starting with 61 from accessing
all IPs in the following range: a.b.c.64 <---> a.b.c.95
Could I use:

access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
access-list 101 permit ip any any

Walter Roberson
12-08-2005
In article <(E-Mail Removed)>,
Captain <(E-Mail Removed)> wrote:
>Sorry, yes an early IOS running on a Cisco3620.


>So if I wanted to block all ips starting with 61 from accessing
>all IPs in the following range: a.b.c.64 <---> a.b.c.95
>Could I use:


>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
>access-list 101 permit ip any any


Yes.
--
Prototypes are supertypes of their clones. -- maplesoft
 
Arnold Nipper
12-08-2005
On 08.12.2005 18:52 Captain wrote

> I want to block any ip starting with 61 from accessing any one of
> 17 ips on my network.
>
> I know the following should work, but is there not a more simple
> coding that would do the same?
>
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
> access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
> access-list 101 permit ip any any
>


If you are dealing often with access-lists, you may want to have a look
at aggregate (http://www.freshports.org/net-mgmt/aggregate/)




Arnold
--
Arnold Nipper, AN45
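The aggregation Walter did by hand above (.4 through .20 collapsed into a /30, a /29, a /30 and a single host), the a.b.c.64 0.0.0.31 range Captain asked about, and the prefix-collapsing that the aggregate tool Arnold points to performs can all be reproduced with Python's standard ipaddress module. The script below is an added example written for this page; it is not code from any poster and not the aggregate tool itself. Because a.b.c.* is a placeholder, the constructed destinations live in the RFC 5737 documentation block 192.0.2.0/24; the source prefix 61.0.0.0/8 is the one from the thread. The entry_matches() function applies the router's wildcard-mask test to a single address so you can confirm what an entry covers before deploying it, and the __main__ section reproduces Walter's maintenance caveat by dropping one host from the middle of the list.

```python
"""Collapse a list of destination hosts into the fewest IOS wildcard-mask ACL
entries, and check which addresses an entry matches.

Added example for this thread, not code from any poster and not the
`aggregate` tool.  The thread's a.b.c.* hosts are placeholders, so the
constructed destinations below live in 192.0.2.0/24 (RFC 5737 documentation
space); the source prefix 61.0.0.0/8 is the one from the thread.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

SOURCE = ipaddress.ip_network("61.0.0.0/8")       # "any IP starting with 61"


def wildcard(net: IPv4Net) -> str:
    """IOS wildcard mask: the inverse of the netmask (PIX/ASA use the netmask)."""
    return str(net.hostmask)


def summarize_hosts(hosts: Iterable[str]) -> List[IPv4Net]:
    """Minimal set of CIDR blocks covering exactly the given hosts.

    Each run of consecutive addresses is handed to summarize_address_range(),
    which emits the largest aligned blocks that fit inside the run, so nothing
    outside the list is ever covered.
    """
    addrs = sorted({ipaddress.ip_address(h) for h in hosts})
    blocks: List[IPv4Net] = []
    if not addrs:
        return blocks
    start = prev = addrs[0]
    for a in addrs[1:]:
        if a == prev + 1:           # still contiguous, extend the run
            prev = a
            continue
        blocks.extend(ipaddress.summarize_address_range(start, prev))
        start = prev = a
    blocks.extend(ipaddress.summarize_address_range(start, prev))
    return blocks


def acl_entries(acl_no: int, src: IPv4Net, dsts: Iterable[IPv4Net],
                action: str = "deny") -> List[str]:
    """Render IOS numbered extended ACL lines for src -> each dst block."""
    lines = []
    for d in dsts:
        if d.prefixlen == 32:
            dst = f"host {d.network_address}"
        else:
            dst = f"{d.network_address} {wildcard(d)}"
        lines.append(f"access-list {acl_no} {action} ip "
                     f"{src.network_address} {wildcard(src)} {dst}")
    return lines


def entry_matches(net_addr: str, wild: str, addr: str) -> bool:
    """The router's test for an 'address wildcard' pair: bits set in the
    wildcard are don't-care, so only the bits where the wildcard is 0 are
    compared."""
    n = int(ipaddress.ip_address(net_addr))
    w = int(ipaddress.ip_address(wild))
    a = int(ipaddress.ip_address(addr))
    return (a & ~w) == (n & ~w)


if __name__ == "__main__":
    hosts = [f"192.0.2.{i}" for i in range(4, 21)]          # .4 .. .20
    for line in acl_entries(101, SOURCE, summarize_hosts(hosts)):
        print(line)
    print("access-list 101 permit ip any any")

    # Walter's caveat: dropping one host (.12) from the middle of the run
    # breaks the /29 apart and the list grows from 4 entries to 6.
    fewer = [h for h in hosts if h != "192.0.2.12"]
    print(len(summarize_hosts(hosts)), "->", len(summarize_hosts(fewer)))

    # Captain's range: .64-.95 is one aligned /27, wildcard 0.0.0.31.
    print(acl_entries(101, SOURCE, summarize_hosts(
        f"192.0.2.{i}" for i in range(64, 96)))[0])
    print(entry_matches("192.0.2.64", "0.0.0.31", "192.0.2.95"),   # True
          entry_matches("192.0.2.64", "0.0.0.31", "192.0.2.96"))   # False
```

summarize_hosts() never widens a block beyond the hosts you list, which is the property that makes the output safe to paste in: the four entries it produces for .4 through .20 are exactly Walter's. If you instead hand-write a.b.c.64 0.0.0.31, as in the follow-up, you are deliberately covering all 32 addresses in that range, including any host that is later placed there, so run entry_matches() against the boundary addresses (.63, .64, .95, .96) before relying on it. The generated lines are inert until the list is applied to an interface in the right direction with ip access-group 101 in (a standard IOS step the thread does not show).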
 
Captain
12-08-2005
On Thu, 8 Dec 2005 20:12:13 +0000 (UTC), (E-Mail Removed)-cnrc.gc.ca
(Walter Roberson) wrote:

>In article <(E-Mail Removed)>,
>Captain <(E-Mail Removed)> wrote:
>>Sorry, yes an early IOS running on a Cisco3620.

>
>>So if I wanted to block all ips starting with 61 from accessing
>>all IPs in the following range: a.b.c.64 <---> a.b.c.95
>>Could I use:

>
>>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
>>access-list 101 permit ip any any

>
>Yes.


Thank you!

It's all making sense now!!


 