ACL Headache

Discussion in 'Cisco' started by 05hammer, May 16, 2005.

  1. 05hammer

    05hammer Guest

I am running a Catalyst 6509. I have a class C address split into 2
    subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.

    The upper range of addresses are to be exempt from the ACL so I need a
    permit statement at the top of my ACL that permits any address greater
    than 43.128 but forces the lower addresses down through the ACL.

I've tried something like this:

    ip access-list extended testme
    permit ip any any 192.168.43.129 0.0.0.128
--insert other ACLs here--
    permit ip any any 192.168.43.0 0.0.0.128

    but it doesn't seem to be working. 43.220 is still logging a deny on
    tcp port 445, 135, 137, 111......

    When I do a sho run | begin testme, I get this as the first line of the
    ACL:

    permit ip any any 192.168.43.1 0.0.0.128

    It changes 43.129 to 43.1

What am I missing? These wildcard bits are chewing my brain, man! I
    gotta get this working like this because the upper addresses are part
    of a global network and need the ports I am blocking to be accessible
    for their address range.
     
    05hammer, May 16, 2005
    #1

2. Arnold Nipper

    On 16.05.2005 20:01 05hammer wrote:

    > I am running a Catalyst 6509. I have a class C address split into 2
    > subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
    >
    > The upper range of addresses are to be exempt from the ACL so I need a
    > permit statement at the top of my ACL that permits any address greater
    > than 43.128 but forces the lower addresses down through the ACL.
    >
> I've tried something like this:
    >
    > ip access-list extended testme
    > permit ip any any 192.168.43.129 0.0.0.128


    Try

    ip access-list extended testme
    permit ip any 192.168.43.128 0.0.0.127



    Arnold
    --
    Arnold Nipper, AN45
     
    Arnold Nipper, May 16, 2005
    #2

3. Doan

    Doan Guest

    On 16 May 2005, 05hammer wrote:

    > I am running a Catalyst 6509. I have a class C address split into 2
> subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
    >
    > The upper range of addresses are to be exempt from the ACL so I need a
    > permit statement at the top of my ACL that permits any address greater
    > than 43.128 but forces the lower addresses down through the ACL.
    >
> I've tried something like this:
    >
    > ip access-list extended testme
    > permit ip any any 192.168.43.129 0.0.0.128
> --insert other ACLs here--
    > permit ip any any 192.168.43.0 0.0.0.128
    >
    > but it doesn't seem to be working. 43.220 is still logging a deny on
    > tcp port 445, 135, 137, 111......
    >
    > When I do a sho run | begin testme, I get this as the first line of the
    > ACL:
    >
    > permit ip any any 192.168.43.1 0.0.0.128
    >
    > It changes 43.129 to 43.1
    >
> What am I missing? These wildcard bits are chewing my brain, man! I
    > gotta get this working like this because the upper addresses are part
    > of a global network and need the ports I am blocking to be accessible
    > for their address range.
    >


Your wildcard bits are wrong. One easy way to remember is to subtract
    the subnet mask from 255.255.255.255. So, 192.168.43.129 255.255.255.128
    becomes 192.168.43.129 0.0.0.127.

    Doan
     
    Doan, May 16, 2005
    #3
  4. 05hammer

    05hammer Guest

Jeesh! I knew that too! I learned it like this: the numbers in the
    filter mask are a power of 2 minus 1. So, yeah, .127 is the correct
    address. I'll go give it a go. Thanks again!

    I h8 Mondays sometimes!
     
    05hammer, May 16, 2005
    #4
5. thrill5

    thrill5 Guest

The wildcard bits are also known as the "bizarro mask" :)

    Scott

"Doan" wrote in message news:p...
    > On 16 May 2005, 05hammer wrote:
    >
    >> I am running a Catalyst 6509. I have a class C address split into 2
>> subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
    >>
    >> The upper range of addresses are to be exempt from the ACL so I need a
    >> permit statement at the top of my ACL that permits any address greater
    >> than 43.128 but forces the lower addresses down through the ACL.
    >>
>> I've tried something like this:
    >>
    >> ip access-list extended testme
    >> permit ip any any 192.168.43.129 0.0.0.128
>> --insert other ACLs here--
    >> permit ip any any 192.168.43.0 0.0.0.128
    >>
    >> but it doesn't seem to be working. 43.220 is still logging a deny on
    >> tcp port 445, 135, 137, 111......
    >>
    >> When I do a sho run | begin testme, I get this as the first line of the
    >> ACL:
    >>
    >> permit ip any any 192.168.43.1 0.0.0.128
    >>
    >> It changes 43.129 to 43.1
    >>
>> What am I missing? These wildcard bits are chewing my brain, man! I
    >> gotta get this working like this because the upper addresses are part
    >> of a global network and need the ports I am blocking to be accessible
    >> for their address range.
    >>

    >
> Your wildcard bits are wrong. One easy way to remember is to subtract
    > the subnet mask from 255.255.255.255. So, 192.168.43.129 255.255.255.128
    > becomes 192.168.43.129 0.0.0.127.
    >
    > Doan
     
    thrill5, May 17, 2005
    #5
6. Guest

    The long term fix to this type of problem is
    to use the representation that best fits the problem.
    In this case binary representation is the most convenient.

    128 = 1000 0000
    127 = 0111 1111

    It's hard for me to say how much effort
    is involved in learning from scratch since I
    have been using it regularly for so long now.

Luckily IPv6 is going to make it all much easier.

    http://www.faqs.org/rfcs/rfc1924.html
     
    , May 17, 2005
    #6
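The arithmetic behind replies #2, #3 and #6, worked through in code. This is an added example, not something posted in the thread: it implements Doan's "subtract the mask from 255.255.255.255" rule, the IOS behaviour the original poster ran into (IOS clears every address bit the wildcard marks as "don't care", which is why `192.168.43.129 0.0.0.128` came back as `192.168.43.1`, an ACE that matches exactly two hosts, .1 and .129), and a first-match ACL evaluator that shows why 192.168.43.220 fell through to the deny. The /24 and the host addresses are the thread's own; the ACL lists `BROKEN_ACL` and `FIXED_ACL` are constructed, with a single deny standing in for the port-blocking lines the poster left out, and only the one address field the thread's ACEs carry is modelled.

```python
import ipaddress

# Added example (not from the thread): Cisco-style wildcard-mask arithmetic
# for the ACL discussed above. 192.168.43.0/24 and the hosts below come from
# the thread; BROKEN_ACL / FIXED_ACL are constructed for illustration.

MASK_ALL = 0xFFFFFFFF


def _i(addr: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _s(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value & MASK_ALL))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Doan's rule: wildcard = 255.255.255.255 - subnet mask (bitwise NOT)."""
    return _s(MASK_ALL ^ _i(subnet_mask))


def ios_normalize(addr: str, wildcard: str) -> str:
    """What IOS stores: only the bits the wildcard marks as fixed (0 bits).
    With wildcard 0.0.0.128 bit 7 is 'don't care', so .129 is kept as .1;
    that is the rewrite the original poster saw in 'show run'."""
    return _s(_i(addr) & (MASK_ALL ^ _i(wildcard)))


def ace_matches(addr: str, ace_addr: str, wildcard: str) -> bool:
    """An ACE matches when every fixed bit (wildcard bit 0) agrees."""
    return (_i(addr) ^ _i(ace_addr)) & (MASK_ALL ^ _i(wildcard)) == 0


def matched_hosts(ace_addr: str, wildcard: str, network: str = "192.168.43.0/24"):
    """Every address in `network` that the ACE would match."""
    net = ipaddress.ip_network(network)
    return [str(h) for h in net if ace_matches(str(h), ace_addr, wildcard)]


def evaluate_acl(acl, addr: str) -> str:
    """First-match evaluation with the implicit deny at the end. Each ACE is
    (action, address, wildcard) for the one address field being filtered."""
    for action, ace_addr, wildcard in acl:
        if ace_matches(addr, ace_addr, wildcard):
            return action
    return "deny"


# The poster's ACL as written: wildcard 0.0.0.128 frees only bit 7.
BROKEN_ACL = [
    ("permit", "192.168.43.129", "0.0.0.128"),  # intended: exempt .128-.255
    ("deny", "192.168.43.0", "0.0.0.255"),      # constructed stand-in for the port blocks
]

# The corrected ACL: wildcard 0.0.0.127 frees the low seven bits, i.e. a /25.
FIXED_ACL = [
    ("permit", "192.168.43.128", "0.0.0.127"),
    ("deny", "192.168.43.0", "0.0.0.255"),
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.128"))             # 0.0.0.127
    print(ios_normalize("192.168.43.129", "0.0.0.128"))      # 192.168.43.1
    print(matched_hosts("192.168.43.129", "0.0.0.128"))      # ['192.168.43.1', '192.168.43.129']
    print(len(matched_hosts("192.168.43.128", "0.0.0.127")))  # 128
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, "192.168.43.220 ->", evaluate_acl(acl, "192.168.43.220"))
```

The check worth keeping from this: after entering an ACE, compare what `show run` displays with what you typed. If IOS rewrote the address, the wildcard freed bits you meant to keep fixed, and the ACE matches a different (usually much smaller, scattered) set of hosts than the subnet you had in mind.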
