
ACL question 2

Status
Not open for further replies.

billk89

MIS
Sep 19, 2007
18
CA
I have a 1600
here are the acl's


access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any host 192.168.1.1
access-list 100 permit ip any host 192.168.1.199
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any

Hi, we blocked all traffic going to the 1.x subnet except for .1.1 and .1.199.
1.1 is our PIX that does the NATing.

We need to open the 1.x subnet for 2 computers in the 10.x net.
Would the ACL go something like this??
access-list 100 permit ip 192.168.10.63 192.168.1.0 0.0.0.255
??

Thanks again
Bill
 
access-list (number) (protocol) (fromIP mask) (to IP mask)
you need the keyword "host"...

access-list 100 permit ip host 192.168.10.63 192.168.1.0 0.0.0.255
That says from the computer to the subnet.

Burt
 
Still didn't work, must be something I'm missing here.

Here is the config, anyone see anything I do not have there?
Thanks again
Bill

version 11.2
no service finger
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname
!
enable secret 5
enable password 7
!
no ip source-route
no ip bootp server
!
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
ip access-group 100 out
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
interface Ethernet1
ip address 192.168.10.1 255.255.255.0
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent
logging buffered 4096 debugging
no logging console
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any host 192.168.1.1
access-list 100 permit ip any host 192.168.1.199
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip host 192.168.10.63 192.168.1.0 0.0.0.255

no cdp run
!
line con 0
exec-timeout 5 0
password 7
login
transport input telnet
line vty 0 4
access-class 10 in
exec-timeout 2 0
password 7
login
transport input telnet
!
end

router#
 
This line gets matched
access-list 100 deny ip any 192.168.1.0 0.0.0.255
before this line
access-list 100 permit ip host 192.168.10.63 192.168.1.0 0.0.0.255
Post the result from this command...
router#sh access-list

I will show you how to put the lines in the correct order.

Burt
 
Standard IP access list 10
permit 192.168.10.0, wildcard bits 0.0.0.255
permit 192.168.1.0, wildcard bits 0.0.0.255
Extended IP access list 100
permit ip any host 192.168.1.1 (30561 matches)
permit ip any host 192.168.1.199 (1 match)
permit ip any 192.168.100.0 0.0.0.255
deny ip any 192.168.1.0 0.0.0.255 (21 matches)
permit ip any any (3537217 matches)
permit ip any host 192.168.1.51

The last line can come out.
One thing else I did yesterday was take out the ext access list 100, but that still didn't work.

Wonder if there needs to be an incoming rule as well.
Thanks again
Bill
 
router#conf t
router(config)#ip access-list extended 100
router(config-ext-nacl)#no 40
router(config-ext-nacl)#no 50
router(config-ext-nacl)#40 permit ip host 192.168.10.63 192.168.1.0 0.0.0.255
router(config-ext-nacl)#50 permit ip any host 192.168.1.51
router(config-ext-nacl)#end
router#wr

Burt
 
router#conf t
router(config)#ip access-list extended 100
router(config-ext-nacl)#no 40
router(config-ext-nacl)#40 permit ip host 192.168.10.63 192.168.1.0 0.0.0.255
router(config-ext-nacl)#end
router#wr
?

Also, what is this telling me: the no 40 line, then 40 permit ip host 192.168.10.63 192.168.1.0 0.0.0.255?

Also, once that's added, doesn't it take effect right away,
then copy running-config to startup-config?

The wr command, does that write right to startup-config as well??
I didn't want to write it to startup, in case I had to roll back, so just rebooting the router would load its original startup config.

Again, thanks for all the help

Bill
 
no 40 deletes the original line 40 (4th line) and then you add a new one. 10, 20 and 30 were all in the correct order, and the command does take right away. wr is the same as copy run start.

Burt
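An added example, not from the thread or from Cisco: a small first-match evaluator for the extended ACL in this thread, showing why the host permit appended after the deny (Bill's running config) never matches, and how moving it ahead of the deny changes the outcome. The entries are constructed from the posted config; the "reordered" list is an assumed target ordering that keeps the deny and the final permit any any.

```python
import ipaddress

# Constructed from Bill's running config: the host permit was appended
# after the deny, so for 192.168.10.63 the deny wins.
ACL_AS_POSTED = [
    "permit ip any host 192.168.1.1",
    "permit ip any host 192.168.1.199",
    "permit ip any 192.168.100.0 0.0.0.255",
    "deny ip any 192.168.1.0 0.0.0.255",
    "permit ip any any",
    "permit ip host 192.168.10.63 192.168.1.0 0.0.0.255",
]

# Same entries with the host permit moved ahead of the deny (assumed
# target ordering; the deny and the final permit any any are kept).
ACL_REORDERED = [
    "permit ip any host 192.168.1.1",
    "permit ip any host 192.168.1.199",
    "permit ip any 192.168.100.0 0.0.0.255",
    "permit ip host 192.168.10.63 192.168.1.0 0.0.0.255",
    "deny ip any 192.168.1.0 0.0.0.255",
    "permit ip any any",
]

def _addr_matcher(tokens, i):
    # Parse one address spec (any | host A | A WILDCARD) at tokens[i];
    # return (predicate on IPv4Address, index of the next token).
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip: ip == target), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    # Wildcard bit 1 = don't care, so the compare mask is its complement.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    return (lambda ip: (int(ip) & mask) == (net & mask)), i + 2

def parse_ace(line):
    # Split "permit|deny ip SRC DST" into (action, src_pred, dst_pred).
    tokens = line.split()
    src, i = _addr_matcher(tokens, 2)
    dst, _ = _addr_matcher(tokens, i)
    return tokens[0], src, dst

def evaluate(acl, src_ip, dst_ip):
    # First matching entry decides, as on IOS; no match is the implicit deny.
    # Returns (action, sequence number) with sequence numbers 10, 20, ...
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for seq, line in enumerate(acl, start=1):
        action, src, dst = parse_ace(line)
        if src(s) and dst(d):
            return action, seq * 10
    return "deny", None
```

Running `evaluate(ACL_AS_POSTED, "192.168.10.63", "192.168.1.50")` reports the deny at sequence 40, which is the "(21 matches)" counter growing in Bill's `sh access-list` output; the same packet against `ACL_REORDERED` is permitted at 40.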
 