subnets in access lists...

Discussion in 'Cisco' started by Captain, Dec 8, 2005.

  1. Captain

    Captain Guest

    I want to block any ip starting with 61 from accessing any one of
    17 ips on my network.

    I know the following should work, but is there not a more simple
    coding that would do the same?

    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
    access-list 101 permit ip any any
     
    Captain, Dec 8, 2005
    #1

  2. In article <>,
    Captain <> wrote:
    >I want to block any ip starting with 61 from accessing any one of
    >17 ips on my network.


    >I know the following should work, but is there not a more simple
    >coding that would do the same?


    >access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4

    [... up to .20]
    >access-list 101 permit ip any any


    It helps if you mention your platform.

    In this instance we can deduce that it is likely IOS rather than PIX
    because PIX would use 255.0.0.0 for the netmask.

    PIX would allow you to create an object group that contained the
    destination host addresses, and then to use a single statement to
    control access to them...

    access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts

    I saw a hint that relatively new IOS versions are adding in equivalent
    capabilities, but I haven't looked into that.

    Other than that, the closest you get to "simpler" is

    access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
    access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
    access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
    access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20

    which of course is a nuisance to maintain... if you want to remove
    a single host from the list, you could end up having to put in
    a fair number of new entries.
    --
    If you lie to the compiler, it will get its revenge. -- Henry Spencer
     
    Walter Roberson, Dec 8, 2005
    #2

  3. Captain

    Captain Guest

    On Thu, 8 Dec 2005 18:20:24 +0000 (UTC), -cnrc.gc.ca
    (Walter Roberson) wrote:

    >In article <>,
    >Captain <> wrote:
    >>I want to block any ip starting with 61 from accessing any one of
    >>17 ips on my network.

    >
    >>I know the following should work, but is there not a more simple
    >>coding that would do the same?

    >
    >>access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4

    >[... up to .20]
    >>access-list 101 permit ip any any

    >
    >It helps if you mention your platform.
    >
    >In this instance we can deduce that it is likely IOS rather than PIX
    >because PIX would use 255.0.0.0 for the netmask.
    >
    >PIX would allow you to create an object group that contained the
    >destination host addresses, and then to use a single statement to
    >control access to them...
    >
    >access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts
    >
    >I saw a hint that relatively new IOS versions are adding in equivalent
    >capabilities, but I haven't looked into that.
    >
    >Other than that, the closest you get to "simpler" is
    >
    >access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3
    >access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7
    >access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3
    >access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
    >
    >which of course is a nuisance to maintain... if you want to remove
    >a single host from the list, you could end up having to put in
    >a fair number of new entries.

    ///////////////////////////////////////////////////////////////////

    Sorry, yes an early IOS running on a Cisco3620.

    So if I wanted to block all ips starting with 61 from accessing
    all IPs in the following range: a.b.c.64 <---> a.b.c.95
    Could I use:

    access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
    access-list 101 permit ip any any
     
    Captain, Dec 8, 2005
    #3
  4. In article <>,
    Captain <> wrote:
    >Sorry, yes an early IOS running on a Cisco3620.


    >So if I wanted to block all ips starting with 61 from accessing
    >all IPs in the following range: a.b.c.64 <---> a.b.c.95
    >Could I use:


    >access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
    >access-list 101 permit ip any any


    Yes.
    --
    Prototypes are supertypes of their clones. -- maplesoft
     
    Walter Roberson, Dec 8, 2005
    #4
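The host-collapsing trick Walter shows in #2 (a.b.c.4-.7 as one entry with wildcard 0.0.0.3, .8-.15 with 0.0.0.7, and so on) and the range check Captain asks about in #3 (a.b.c.64 with 0.0.0.31 covering .64-.95), worked through as an added Python example that is not part of the thread. The 10.0.0.x addresses stand in for a.b.c.x and are constructed for the example.

```python
"""Collapse individual IPv4 hosts into the fewest IOS wildcard-mask ACL
entries, and expand an entry back to the hosts it matches.

Added example, not code from the thread. An IOS wildcard is an inverted
netmask: a 1 bit means "don't care", so 0.0.0.3 covers 4 aligned hosts."""
import ipaddress


def hosts_to_wildcard_entries(hosts):
    """Greedy: take the lowest remaining address and grow an aligned
    power-of-two block while every address in it is still wanted.
    Returns (network, wildcard) string pairs, one per ACL entry."""
    remaining = {int(ipaddress.IPv4Address(h)) for h in hosts}
    entries = []
    while remaining:
        base = min(remaining)
        size = 1
        # Double the block only while it stays aligned and fully covered.
        while base % (size * 2) == 0 and all(
                base + i in remaining for i in range(size * 2)):
            size *= 2
        for i in range(size):
            remaining.discard(base + i)
        entries.append((str(ipaddress.IPv4Address(base)),
                        str(ipaddress.IPv4Address(size - 1))))
    return entries


def wildcard_to_hosts(network, wildcard):
    """Expand a network/wildcard pair to the sorted addresses it matches."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    # This helper assumes a contiguous wildcard (2**k - 1); IOS itself also
    # accepts discontiguous masks, which are left out here.
    if wc & (wc + 1) != 0:
        raise ValueError("non-contiguous wildcard mask")
    if net & wc != 0:
        raise ValueError("network has host bits set inside the wildcard span")
    return [str(ipaddress.IPv4Address(net + i)) for i in range(wc + 1)]


def acl_lines(acl_no, src_net, src_wc, entries):
    """Render entries as IOS extended ACL lines, 'host x' for single hosts."""
    lines = [f"access-list {acl_no} deny ip {src_net} {src_wc} "
             + (f"host {n}" if w == "0.0.0.0" else f"{n} {w}")
             for n, w in entries]
    lines.append(f"access-list {acl_no} permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed stand-in for Captain's 17 hosts a.b.c.4 .. a.b.c.20.
    wanted = [f"10.0.0.{i}" for i in range(4, 21)]
    print("\n".join(acl_lines(101, "61.0.0.0", "0.255.255.255",
                              hosts_to_wildcard_entries(wanted))))
```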
  5. On 08.12.2005 18:52 Captain wrote

    > I want to block any ip starting with 61 from accessing any one of
    > 17 ips on my network.
    >
    > I know the following should work, but is there not a more simple
    > coding that would do the same?
    >
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.4
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.5
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.6
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.7
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.8
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.9
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.10
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.11
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.12
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.13
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.14
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.15
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.16
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.17
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.18
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.19
    > access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20
    > access-list 101 permit ip any any
    >


    If you are dealing often with access-lists you may want to have a look
    at aggregate (http://www.freshports.org/net-mgmt/aggregate/)




    Arnold
    --
    Arnold Nipper, AN45
     
    Arnold Nipper, Dec 8, 2005
    #5
  6. Captain

    Captain Guest

    On Thu, 8 Dec 2005 20:12:13 +0000 (UTC), -cnrc.gc.ca
    (Walter Roberson) wrote:

    >In article <>,
    >Captain <> wrote:
    >>Sorry, yes an early IOS running on a Cisco3620.

    >
    >>So if I wanted to block all ips starting with 61 from accessing
    >>all IPs in the following range: a.b.c.64 <---> a.b.c.95
    >>Could I use:

    >
    >>access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31
    >>access-list 101 permit ip any any

    >
    >Yes.


    Thank you!

    It's all making sense now!!
     
    Captain, Dec 8, 2005
    #6
