
ACL help

Status
Not open for further replies.

shawnpd41

Technical User
May 27, 2003
US
All,
Looking for some help setting up an ACL...I want to allow a private class B host range access to a specific web address...the range is 172.10.80.20 thru 255 and then 172.10.81.20 thru 255. I am thinking if I just ignore the part between 172.10.80.255 thru 172.10.81.20, those hosts will be denied by the implicit any...right? The destination address and port are something I just pulled out of my head since I don't have the actual web site address in front of me, so if I have chosen something on your network I apologize. I am not sure how to set it up...I have looked at several references on Cisco's site but I am still not sure...a little feedback would be appreciated.

access-list 101 permit tcp 172.10.80.20 0.0.0.? 191.23.16.24 host 43123
access-list 101 permit tcp 172.10.81.20 0.0.0.? 191.23.16.24 host 445

Why are there subnet calculators all over the place, but I cannot find wildcard calculators for ACLs? Any help is appreciated!
 
access-list 101 permit tcp 172.10.80.20 0.0.1.3 host 191.23.16.24 eq 43123
access-list 101 permit tcp 172.10.80.24 0.0.1.7 host 191.23.16.24 eq 43123
access-list 101 permit tcp 172.10.80.32 0.0.1.31 host 191.23.16.24 eq 43123
access-list 101 permit tcp 172.10.80.64 0.0.1.63 host 191.23.16.24 eq 43123
access-list 101 permit tcp 172.10.80.128 0.0.1.127 host 191.23.16.24 eq 43123
access-list 101 permit tcp 172.10.80.20 0.0.1.3 host 191.23.16.24 eq 445
access-list 101 permit tcp 172.10.80.24 0.0.1.7 host 191.23.16.24 eq 445
access-list 101 permit tcp 172.10.80.32 0.0.1.31 host 191.23.16.24 eq 445
access-list 101 permit tcp 172.10.80.64 0.0.1.63 host 191.23.16.24 eq 445
access-list 101 permit tcp 172.10.80.128 0.0.1.127 host 191.23.16.24 eq 445

This is quite difficult because of the range of hosts that you have selected. If you allowed the whole range (from 0-255) it would be much easier.

A quick note on the wildcard mask - using 1 as the third octet will match 80 and 81. The first entry in the list matches hosts 20-23, then 24-31, then 32-63, 64-127, 128-255.

You could also do the following:

access-list 101 deny tcp 172.10.80.0 0.0.1.15 host 191.23.16.24 eq 43123
access-list 101 deny tcp 172.10.80.16 0.0.1.3 host 191.23.16.24 eq 43123
access-list 101 permit tcp 172.10.80.0 0.0.1.255 host 191.23.16.24 eq 43123
access-list 101 deny tcp 172.10.80.0 0.0.1.15 host 191.23.16.24 eq 445
access-list 101 deny tcp 172.10.80.16 0.0.1.3 host 191.23.16.24 eq 445
access-list 101 permit tcp 172.10.80.0 0.0.1.255 host 191.23.16.24 eq 445

This denies 172.10.80-81.1-20 and then allows all other hosts within that range.

You should consider adding this at the bottom of the ACL to help you debug any problems:

access-list 101 deny ip any any log

This will place all other denied entries into the log.

HTH,
Michael.
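The wildcard arithmetic this thread works through by hand, as an added Python example that is not from either poster: it splits a host range into the aligned power-of-two blocks a single "base wildcard" pair can express, and evaluates a simplified ACL (source address only, first match wins, implicit deny) against every host in 172.10.80.0/23. The ACL constant reproduces the reply's deny-then-permit variant with the shared protocol, destination host and port left out, which is an assumption for the purpose of checking coverage.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches a Cisco ACL 'base wildcard' pair.
    Wildcard bits set to 1 are don't-care; 0 bits must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def range_to_wildcards(first, last):
    """Split an inclusive address range into the fewest 'base wildcard' pairs.
    Each block is a power-of-two size aligned on its own size, which is the
    only shape one wildcard entry can express."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    pairs = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return pairs

def acl_permits(acl, src):
    """Evaluate (action, base, wildcard) entries for a source address:
    first matching entry wins; an unmatched address hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def permitted_hosts(acl, network):
    """Every address in `network` (e.g. '172.10.80.0/23') that the ACL permits."""
    return {str(h) for h in ipaddress.IPv4Network(network) if acl_permits(acl, str(h))}

# The reply's deny-then-permit variant, reduced to source matching only
# (assumption: every entry shares the same protocol, destination host and port).
DENY_THEN_PERMIT = [
    ("deny",   "172.10.80.0",  "0.0.1.15"),
    ("deny",   "172.10.80.16", "0.0.1.3"),
    ("permit", "172.10.80.0",  "0.0.1.255"),
]

if __name__ == "__main__":
    for base, wc in range_to_wildcards("172.10.80.20", "172.10.80.255"):
        print(f"access-list 101 permit tcp {base} {wc} host 191.23.16.24 eq 445")
    print(len(permitted_hosts(DENY_THEN_PERMIT, "172.10.80.0/23")), "hosts permitted")
```

Running it prints the five .80 entries (20-23, 24-31, 32-63, 64-127, 128-255); setting the third wildcard octet to 1 on each line extends them to .81 exactly as the reply does.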
 