ACL Headache

Discussion in 'Cisco' started by 05hammer, May 16, 2005.

  1. 05hammer

    05hammer Guest

    I am running a Catalyst 6509. I have a class C address split into 2
    subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.

    The upper range of addresses are to be exempt from the ACL so I need a
    permit statement at the top of my ACL that permits any address greater
    than 43.128 but forces the lower addresses down through the ACL.

    I've tried something like this:

    ip access-list extended testme
    permit ip any any 192.168.43.129 0.0.0.128
    --insert other ACL's here--
    permit ip any any 192.168.43.0 0.0.0.128

    but it doesn't seem to be working. 43.220 is still logging a deny on
    tcp port 445, 135, 137, 111......

    When I do a sho run | begin testme, I get this as the first line of the
    ACL:

    permit ip any any 192.168.43.1 0.0.0.128

    It changes 43.129 to 43.1

    What am I missing? These wildcard bits are chewing my brain, man! I
    gotta get this working like this because the upper addresses are part
    of a global network and need the ports I am blocking to be accessible
    for their address range.
     
    05hammer, May 16, 2005
    #1

  2. On 16.05.2005 20:01 05hammer wrote

    > I am running a Catalyst 6509. I have a class C address split into 2
    > subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
    >
    > The upper range of addresses are to be exempt from the ACL so I need a
    > permit statement at the top of my ACL that permits any address greater
    > than 43.128 but forces the lower addresses down through the ACL.
    >
    > I've tried something like this:
    >
    > ip access-list extended testme
    > permit ip any any 192.168.43.129 0.0.0.128


    Try

    ip access-list extended testme
    permit ip any 192.168.43.128 0.0.0.127



    Arnold
    --
    Arnold Nipper, AN45
     
    Arnold Nipper, May 16, 2005
    #2

  3. Doan

    Doan Guest

    On 16 May 2005, 05hammer wrote:

    > I am running a Catalyst 6509. I have a class C address split into 2
    > subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
    >
    > The upper range of addresses are to be exempt from the ACL so I need a
    > permit statement at the top of my ACL that permits any address greater
    > than 43.128 but forces the lower addresses down through the ACL.
    >
    > I've tried something like this:
    >
    > ip access-list extended testme
    > permit ip any any 192.168.43.129 0.0.0.128
    > --insert other ACL's here--
    > permit ip any any 192.168.43.0 0.0.0.128
    >
    > but it doesn't seem to be working. 43.220 is still logging a deny on
    > tcp port 445, 135, 137, 111......
    >
    > When I do a sho run | begin testme, I get this as the first line of the
    > ACL:
    >
    > permit ip any any 192.168.43.1 0.0.0.128
    >
    > It changes 43.129 to 43.1
    >
    > What am I missing? These wildcard bits are chewing my brain, man! I
    > gotta get this working like this because the upper addresses are part
    > of a global network and need the ports I am blocking to be accessible
    > for their address range.
    >


    Your wildcard bits are wrong. One easy way to remember is to subtract
    the subnet mask from 255.255.255.255. So, 192.168.43.129 255.255.255.128
    becomes 192.168.43.129 0.0.0.127.

    Doan
     
    Doan, May 16, 2005
    #3
  4. 05hammer

    05hammer Guest

    Jeesh! I knew that too! I learned it like this: the numbers in the
    filter mask are a power of 2 minus 1. So, yeah, .127 is the correct
    address. I'll go give it a go. Thanks again!

    I h8 mondays sometimes!
     
    05hammer, May 16, 2005
    #4
  5. thrill5

    thrill5 Guest

    The wildcard bits are also known as the "bizarro mask" :)

    Scott

    "Doan" <> wrote in message
    news:p...
    > On 16 May 2005, 05hammer wrote:
    >
    >> I am running a Catalyst 6509. I have a class C address split into 2
    >> subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.
    >>
    >> The upper range of addresses are to be exempt from the ACL so I need a
    >> permit statement at the top of my ACL that permits any address greater
    >> than 43.128 but forces the lower addresses down through the ACL.
    >>
    >> I've tried something like this:
    >>
    >> ip access-list extended testme
    >> permit ip any any 192.168.43.129 0.0.0.128
    >> --insert other ACL's here--
    >> permit ip any any 192.168.43.0 0.0.0.128
    >>
    >> but it doesn't seem to be working. 43.220 is still logging a deny on
    >> tcp port 445, 135, 137, 111......
    >>
    >> When I do a sho run | begin testme, I get this as the first line of the
    >> ACL:
    >>
    >> permit ip any any 192.168.43.1 0.0.0.128
    >>
    >> It changes 43.129 to 43.1
    >>
    >> What am I missing? These wildcard bits are chewing my brain, man! I
    >> gotta get this working like this because the upper addresses are part
    >> of a global network and need the ports I am blocking to be accessible
    >> for their address range.
    >>

    >
    > Your wildcard bits are wrong. One easy way to remember is to subtract
    > the subnet mask from 255.255.255.255. So, 192.168.43.129 255.255.255.128
    > becomes 192.168.43.129 0.0.0.127.
    >
    > Doan
    >
    >
    >
     
    thrill5, May 17, 2005
    #5
  6. Guest

    The long-term fix to this type of problem is
    to use the representation that best fits the problem.
    In this case binary representation is the most convenient.

    128 = 1000 0000
    127 = 0111 1111

    It's hard for me to say how much effort
    is involved in learning from scratch since I
    have been using it regularly for so long now.

    Luckily IP V6 is going to make it all much easier.

    http://www.faqs.org/rfcs/rfc1924.html
     
    , May 17, 2005
    #6
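A worked version of what Doan's reply (#3) and the binary-representation reply (#6) describe, added here as an example and not code from the thread. It derives the wildcard mask by subtracting the subnet mask from 255.255.255.255, shows the octets in binary, reproduces the normalization that turned 192.168.43.129 into 192.168.43.1 in the running config, and checks which hosts of the 192.168.43.0/24 block each entry actually matches. Function names and the sample addresses are the example's own; the addresses are the ones 05hammer used.

```python
import ipaddress

FULL = 0xFFFFFFFF


def wildcard_from_netmask(netmask: str) -> str:
    """Doan's rule: wildcard = 255.255.255.255 - subnet mask."""
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(FULL - mask))


def octet_bits(value: int) -> str:
    """Binary view of one octet, e.g. 128 -> '10000000', 127 -> '01111111'."""
    return format(value, "08b")


def normalize_entry(address: str, wildcard: str) -> str:
    """IOS clears every 'don't care' bit of the address before storing the
    entry. With wildcard 0.0.0.128 only bit 7 is a don't-care bit, so
    192.168.43.129 (bits 1000 0001) is stored as 192.168.43.1."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & (FULL ^ w)))


def entry_matches(packet_ip: str, entry_addr: str, wildcard: str) -> bool:
    """A packet matches when all 'must match' bits (wildcard bit 0) agree."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = FULL ^ w
    return (p & care) == (a & care)


def hosts_matched(block: str, entry_addr: str, wildcard: str) -> list[str]:
    """Every address in `block` (e.g. '192.168.43.0/24') the entry matches.
    This makes the effect of a wrong wildcard visible at a glance."""
    net = ipaddress.IPv4Network(block)
    return [str(h) for h in net if entry_matches(str(h), entry_addr, wildcard)]


if __name__ == "__main__":
    print("wildcard for /25:", wildcard_from_netmask("255.255.255.128"))
    print("128 =", octet_bits(128), " 127 =", octet_bits(127))
    # The entry from the original post, as IOS stores it:
    print("stored as:", normalize_entry("192.168.43.129", "0.0.0.128"), "0.0.0.128")
    # With 0.0.0.128 only two hosts in the whole /24 match; 43.220 is not one of them.
    print("matched by bad entry:", hosts_matched("192.168.43.0/24", "192.168.43.129", "0.0.0.128"))
    # With 0.0.0.127 the whole upper half (.128-.255) matches, which is what was wanted.
    print("upper half matched:", len(hosts_matched("192.168.43.0/24", "192.168.43.128", "0.0.0.127")))
```

The `hosts_matched` call explains the deny in the log: the wildcard 0.0.0.128 says "only bit 7 may vary", so the entry covers exactly .1 and .129 and 43.220 falls through to the later deny lines. With 0.0.0.127 the low seven bits may vary and all 128 upper-half hosts are permitted before the rest of the list is evaluated.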