
Access-List Trouble


Nightcrawler (Technical User, GB), Aug 21, 2001
I have an access-list I wish to create. I have machines 10.1.21.30 to 10.1.21.35 and I want to permit only them on the access list, so I create the following:
access-list 100 permit tcp 10.1.21.30 0.0.0.5 any

when I save this to memory and review it says
access-list 100 permit tcp 10.1.21.26 0.0.0.5 any ??

So I thought that maybe it was counting backwards, so I amended my statement to

access-list 100 permit tcp 10.1.21.34 0.0.0.5 any
Again, when I reviewed this it now stated that statement. Why? Anyone any ideas? Thanks, Ed
 
I tried your access list on my test router and I do not have any trouble with it. What router and what IOS are you using?

ip classless
no ip http server
!
access-list 100 permit tcp 10.1.21.34 0.0.0.5 any
!
line con 0
end

Jeter@LasVegas.com
J.Fisher CCNA
 
Hiya,

Yes, as I stated, the line

access-list 100 permit tcp 10.1.21.34 0.0.0.5 any

works fine. But I need to get machines 10.1.21.30 to 10.1.21.35, which the above won't do. So I tried the following:

access-list 100 permit tcp 10.1.21.30 0.0.0.5 any

but this doesn't work.

I have IOS 12.2 on a Cisco 3660 router, so it should work on yours too.

Cisco say :

The masks must be contiguous, so you
will need two access-lists:

permit tcp 10.1.21.30 0.0.0.1
permit tcp 10.1.21.32 0.0.0.3

But I don't quite understand that?

Thanks for the help

Ed
 
No, it is 255.255.255.0. But that should be okay according to the info I have.

Ed
 
Hello, the router tells you to use two ACLs because of this.
The first ACL, permit tcp 10.1.21.30 0.0.0.1, will be used on the IPs 10.1.21.30 and 10.1.21.31 (as you should know, the wildcard of the ACL has 2 values, 1 and 0: 0 if you want to check that value, 1 if not). OK, if you have to check IPs 10.1.21.30-35 you must know that IPs 10.1.21.16-31 are on the same net (see mask) and 32-63 are on another net.

So you must use one ACL for 30-31 and another for 32-35.

Now, to get 30-31 you only need 1 bit (that's why the wildcard is 0.0.0.1) and to get 32-35 you need 2 bits (actually, and I don't see why to use a wildcard like 0.0.0.3). Try using 0.0.0.2 and see if that way it works.

Please tell me if it works with wildcard 0.0.0.2; I'm out of my office and would like to know if that is right

good luck
 
Hi again, don't bother trying the ACL permit tcp 10.1.21.32 0.0.0.2, it won't work. You must use 0.0.0.3.
Here is why again

0--> check
1-->do not check
so if you have 0.0.0.3 --> 0.0.0.00000011, you will check the values :
32-> 00100000 to 35--> 00100011 (see it, don't care for the last 2 bits).

and on acl permit tcp 10.1.21.30 0.0.0.1 you will check
:
30 --> 00011110 , 1-->00000001, don't care about last 1 bit (30-31).

Hope this helps too

Carmelo
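To make the wildcard arithmetic in the two replies above concrete, here is an added Python example that is not from this thread or from Cisco. It reproduces what the router did to the 0.0.0.5 entry (IOS clears every don't-care bit in the base address, which is why 10.1.21.30 came back as 10.1.21.26 while 10.1.21.34 was left alone), lists the hosts an entry actually permits, and splits the 30-35 range into the fewest contiguous-wildcard entries, which come out as the two entries Cisco suggested. The function names and the 10.1.21.0/24 scan range are my own assumptions.

```python
import ipaddress


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def normalize(base: str, wildcard: str) -> str:
    """Base address as IOS stores it: every wildcard '1' bit is a don't-care,
    so the router clears that bit in the base.  10.1.21.30 with 0.0.0.5
    (bits 0 and 2 ignored) becomes 10.1.21.26; 10.1.21.34 already has
    those two bits clear, so it is stored unchanged."""
    return to_ip(to_int(base) & ~to_int(wildcard) & 0xFFFFFFFF)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """An entry matches when addr and base agree on every bit the wildcard checks (0)."""
    wc = to_int(wildcard)
    return (to_int(addr) & ~wc) == (to_int(base) & ~wc)


def hosts_matched(base: str, wildcard: str, scan: str = "10.1.21.0/24") -> list[str]:
    """Every address in `scan` (assumed /24, as in the thread) that the entry permits."""
    return [str(a) for a in ipaddress.IPv4Network(scan) if matches(str(a), base, wildcard)]


def range_to_entries(first: str, last: str) -> list[tuple[str, str]]:
    """Fewest (base, contiguous wildcard) entries covering first..last inclusive.
    Greedy: from the current address take the largest aligned power-of-two block
    that does not run past `last`; a block of 2^n addresses has wildcard 2^n - 1."""
    cur, end = to_int(first), to_int(last)
    entries = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        entries.append((to_ip(cur), to_ip(size - 1)))
        cur += size
    return entries


def exactly_covers(entries: list[tuple[str, str]], first: str, last: str,
                   scan: str = "10.1.21.0/24") -> bool:
    """True if the entries permit every host in first..last and nothing else in `scan`."""
    want = {to_ip(n) for n in range(to_int(first), to_int(last) + 1)}
    got = {h for base, wc in entries for h in hosts_matched(base, wc, scan)}
    return want == got


if __name__ == "__main__":
    for base in ("10.1.21.30", "10.1.21.34"):
        print(base, "0.0.0.5 is stored as", normalize(base, "0.0.0.5"),
              "and permits", hosts_matched(base, "0.0.0.5"))
    entries = range_to_entries("10.1.21.30", "10.1.21.35")
    for base, wc in entries:
        print(f"access-list 100 permit tcp {base} {wc} any  ->", hosts_matched(base, wc))
    print("exact cover of 30-35:", exactly_covers(entries, "10.1.21.30", "10.1.21.35"))
```

Running it shows the original entry 10.1.21.30 0.0.0.5 permitting 26, 27, 30 and 31 (not 30-35), and 10.1.21.34 0.0.0.5 permitting 34, 35, 38 and 39; the range splitter returns 10.1.21.30 0.0.0.1 plus 10.1.21.32 0.0.0.3, which together cover exactly 30-35.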
 
From the wildcard mask you are using it should be 255.255.255.248?

Enter an ACL like the one below

access-list 101 permit tcp host 10.1.21.30 any
access-list 101 permit tcp host 10.1.21.31 any
access-list 101 permit tcp host 10.1.21.32 any
access-list 101 permit tcp host 10.1.21.33 any

This will work.

With regards to the wildcard mask, it is just the reverse of the subnet mask.

If you are using 255.255.255.0, that means you have not subnetted, then the wildcard mask would be 0.0.0.255. This would let all addresses from 10.1.21.1 - 10.1.21.254 through. If you only want to allow the four above, you must do them as separate entries.

You can only group networks together in an ACL, not just groups of IP addresses

Daniel,
 
Although you can create separate entries for each host that you want to permit, you can group the IPs together (as described by melospawn). If you have to use two entries ..

permit tcp 10.1.21.30 0.0.0.1
permit tcp 10.1.21.32 0.0.0.3

.. this would suggest that the IP ranges are on different subnets, and so a different ACL is being created for each subnet. If they are on the same network then your first method should work!!

Good luck!!

Chris.

 
wildcard masks have to follow one of the following bit patterns
00000000 0
00000001 1
00000011 3
00000111 7
00001111 15
00011111 31
00111111 63
01111111 127
11111111 255
The overall bit map for the four octets needs to be zero to thirty-two 0's followed by zero to thirty-two 1's. A 1 can never precede a 0.
This is what Cisco means by the masks needing to be contiguous - all the zeroes together and all the ones together

For your problem the solution proposed by cisco should work fine
Hope this helps
 
Melospawn and Crisac are correct.
BTW, if you think you can't use discontiguous masks on routers, then you will have a rude awakening on the CCIE Exam. Just a friendly suggestion.
 
Well, I am about to try the above, but discontiguous does not seem to work and Cisco say it won't, so how can it be in the exam?

Thanks

Ed
 
Don't believe everything that Documentation and TAC might tell you (the Engineers and Docs are very good, but no one person knows all the answers). You need to consult as many sources as possible, perform testing, and convince yourself that a solution satisfies the problem.
Here is an example of a scenario where discontinuous masks are required:
If I wanted to allow only the following routes from an update into my routing protocol, and do it in the least number of statements. -Later
198.36.64.0 255.255.255.0
199.36.65.0 255.255.255.0
198.37.65.0 255.255.255.0
199.37.65.0 255.255.255.0
198.37.64.0 255.255.255.0
199.37.64.0 255.255.255.0
199.36.64.0 255.255.255.0
198.36.65.0 255.255.255.0

Hint: The ACL can be done in one statement.

Answer: access-list 1 permit 198.36.64.0 1.1.1.255
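An added Python check for the discontiguous example above (mine, not the poster's or Cisco's): it tests whether a wildcard is contiguous in the sense of the bit-pattern reply earlier in the thread, lists which address bits a mask ignores, and brute-forces a wider block of /24 prefixes to confirm that 198.36.64.0 1.1.1.255 selects exactly the eight routes listed and nothing else nearby. The octet ranges scanned and the function names are my own assumptions.

```python
import ipaddress
from itertools import product


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """ACL match: compare only the bits the wildcard leaves as 0."""
    wc = to_int(wildcard)
    return (to_int(addr) & ~wc) == (to_int(base) & ~wc)


def is_contiguous(wildcard: str) -> bool:
    """True when the 32-bit wildcard is 0...01...1, i.e. it equals a CIDR host mask.
    Such a value is one less than a power of two, so wc & (wc + 1) is zero."""
    wc = to_int(wildcard)
    return (wc & (wc + 1)) == 0


def ignored_bits(wildcard: str) -> list[int]:
    """Bit positions the mask does not check (0 = least significant bit of the 32-bit address)."""
    wc = to_int(wildcard)
    return [b for b in range(32) if (wc >> b) & 1]


# The eight /24 routes from the post above.
LISTED_ROUTES = {
    "198.36.64.0", "199.36.65.0", "198.37.65.0", "199.37.65.0",
    "198.37.64.0", "199.37.64.0", "199.36.64.0", "198.36.65.0",
}


def prefixes_matched(base: str, wildcard: str, octet1, octet2, octet3) -> set[str]:
    """Brute-force every a.b.c.0 prefix built from the given octet ranges and
    keep the ones the entry matches."""
    return {
        f"{a}.{b}.{c}.0"
        for a, b, c in product(octet1, octet2, octet3)
        if matches(f"{a}.{b}.{c}.0", base, wildcard)
    }


if __name__ == "__main__":
    for wc in ("0.0.0.5", "0.0.0.3", "1.1.1.255"):
        kind = "contiguous" if is_contiguous(wc) else "discontiguous"
        print(wc, kind, "ignores bits", ignored_bits(wc))
    # Scan a neighbourhood wider than the listed routes (constructed ranges).
    found = prefixes_matched("198.36.64.0", "1.1.1.255",
                             range(196, 202), range(34, 40), range(62, 68))
    print("matched", len(found), "prefixes; equals the listed set:", found == LISTED_ROUTES)
    # Caveat: applied to traffic rather than to routes, the same entry also
    # matches every host inside those eight /24s because the last octet is all don't-care.
    print("199.37.65.200 matches:", matches("199.37.65.200", "198.36.64.0", "1.1.1.255"))
```

The scan finds exactly the eight listed prefixes and no others, because the single ignored bit in each of the first three octets selects only {198,199}, {36,37} and {64,65}. The 0.0.0.5 mask from the original question is the same kind of discontiguous mask in miniature (bits 0 and 2 ignored), which is why it matched 26/27/30/31 rather than a contiguous block.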
 
Okay Thanks,

I have to say I still don't understand the maths behind these numbers, just to get a couple of machines on the system from one VLAN.

Ed
 