
Cisco 1605 Access Lists

Status
Not open for further replies.
Jan 4, 2001
I have a 1605 connecting to a secure router via a T1 running HDLC. I cannot access the distant end router and I am relying on someone to configure it but we have to block access on our end. I have

access-list 1 permit ####.####.####.0 0.0.0.255 log
access-list 1 permit ####.####.####.#### 0.0.0.0 log
access-list 1 deny any log

ip access-group 1 in (on the serial 0 T1 line)

Any time we put the list on S0 it blocks all traffic from getting through the circuit. I view the log and it shows NOTHING!!! Is this an IOS problem? Can someone help??? To repeat: when I put the list on, NO ONE can get through that interface.
 
access-list 1 permit ####.####.####.0 0.0.0.255 log

too many 0's.

access-list 1 permit 192.5.34.0 0.0.0.255

Are you trying to specify a host or a range? The 0.0.0.255 tells me a range of a subnet. 0.0.0.0 specifies a certain host.

An extended IP list might be more effective... filter on TCP, UDP, etc.?

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
You just have me confused now. Sorry, but I don't understand why I have too many 0's. I am permitting both a range and a single host. Effective isn't the problem; the problem is that it blocks the entire world when I put this list on int s0.
 
The zeros act as a mask. Zeros mean "I care if this bit is a match", where the 255 (all ones) means "I don't care what bit is set here in this position."

192.168.1.1 with the 0.0.0.0 mask applied means ONLY this address is a match. Apply the 0.0.0.255 mask and ONLY 192.168.1.x will match. See the pattern? This is called a "wildcard mask", which is different from a normal subnet mask.

You don't need the very last line... deny any... that is the default at the end of any access list.

The access list you show is constructed correctly for a standard IP access list. You have the list applied INBOUND on the interface. You will be blocking EVERYTHING inbound except whatever IPs you list in the list.

interface Serial0
ip address 192.1.3.5 255.255.255.0
ip access-group 109 out
!
access-list 109 deny icmp any any log-input
access-list 109 permit ip any any

This sample blocks PING (icmp), logs it and allows any other IP type packets.

!
interface Ethernet1
ip address 192.168.1.2 255.255.255.0
ip access-group 107 in
no ip directed-broadcast
ip nat outside
no cdp enable

access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
access-list 107 deny icmp any any echo log
access-list 107 deny tcp any any eq finger
access-list 107 permit ip any any

This access list is very close to what you want. I use it to block private IPs from being passed through the router from the internet. This is part of some router security, but the format is the same as what you need to use.



MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
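To make the wildcard-mask rule from this reply concrete, here is an added Python example (not code from the thread or from Cisco): it matches addresses against a wildcard mask exactly as the 0/1 "care" bits dictate, walks a constructed standard list with the implicit deny at the end, and goes one step beyond the thread by showing why a wildcard like 0.255.255.255 on 172.0.0.0 covers far more than the RFC 1918 172.16.0.0/12 range. The ACL entries and sample addresses are constructed for illustration.

```python
"""Added example: Cisco-style wildcard-mask matching and first-match ACL
evaluation. A 0 bit in the wildcard means "this bit must match", a 1 bit
means "don't care", so 0.0.0.0 matches one host and 0.0.0.255 a whole /24.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """True if candidate matches base under the given Cisco wildcard mask."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF          # bits we must compare
    return (ip_to_int(candidate) & care) == (ip_to_int(base) & care)


# Constructed standard list in the shape of the thread's: (action, base, wildcard).
# Order matters: the first matching entry decides.
ACL = [
    ("permit", "192.5.34.0", "0.0.0.255"),   # a whole /24 range
    ("permit", "10.1.1.7", "0.0.0.0"),       # exactly one host
]


def evaluate(acl, src: str) -> str:
    """Return the action for src: first matching entry, else implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"   # the implicit "deny any" that ends every access list


def wildcard_from_prefix(prefixlen: int) -> str:
    """Inverse of a subnet mask: /24 -> 0.0.0.255, /12 -> 0.15.255.255."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def overbroad_172_example(src: str) -> dict:
    """Compare the thread's 172.0.0.0 0.255.255.255 entry with RFC 1918's
    172.16.0.0/12: the former also catches public 172.x addresses."""
    return {
        "172/8 wildcard": wildcard_match(src, "172.0.0.0", "0.255.255.255"),
        "172.16/12 wildcard": wildcard_match(src, "172.16.0.0", wildcard_from_prefix(12)),
    }


if __name__ == "__main__":
    for src in ("192.5.34.77", "10.1.1.7", "10.1.1.8"):
        print(src, "->", evaluate(ACL, src))
    print("172.32.1.1 (public):", overbroad_172_example("172.32.1.1"))
```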
 