controlling access to one IP


brandondaly

IS-IT--Management
Jan 9, 2002
194
GB
I wish to block access to one IP address for all the network bar one PC.

I've tried the following lines

access-list 101 permit tcp any any
access-list 101 permit tcp host 159.245.191.151 host 159.245.68.10
access-list 101 deny tcp any host 159.245.68.10


<int FastEthernet 0/0
ip access-group in

This configuration doesn't work. Could somebody point out where I'm going wrong?
 
Your first line ...

access-list 101 permit tcp any any

... permits all TCP access BEFORE the third line denies all access to 159.245.68.10.

Try again!

Chris.

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
So is there a way to block access to 159.245.68.10 for all addresses bar 159.245.191.151 whilst allowing all other traffic to flow?
 
You almost had it, apart from the order of your ACL statements:

!
access-list 101 permit tcp host 159.245.191.151 host 159.245.68.10
access-list 101 deny tcp any host 159.245.68.10
access-list 101 permit tcp any any
!

Any traffic coming into the interface will be checked against the ACL in the order of the statements. When a match is found the packet will either be permitted or denied and then the next packet will be checked.

So, the first line will permit access to 159.254.68.10 from IP address 159.245.191.151.

The second line then denies all other traffic with a destination address of 159.254.68.10.

The third line allows all other TCP connections to all other destinations.

Note that at the end there will be an implicit deny ip any any statement. If you want to log these denied connection attempts it's good practice to add this statement to the end of the ACL, just to be neat!!

access-list 101 deny ip any any log.

Then just apply the ACL, inbound on the ethernet port and test it.

Good luck.

Chris.

PS. If there are any mistakes in this then I apologise!! I've just got back from a FW-1 course and my head's still in pieces!!

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
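To see why the order matters, here is a small first-match ACL evaluator written for this thread (added example, not code from the forum or from Cisco). It models extended IOS entries as (action, protocol, source, destination) tuples, treats a bare address as "host", supports "addr wildcard" masks, and applies the implicit "deny ip any any" at the end; the packet list and host 159.245.191.20 are constructed for illustration.

```python
import ipaddress

# Constructed ACLs reproducing the two orderings from the thread.
# Entries are (action, protocol, source, destination); an address is
# "any", a bare host address, or "addr wildcard".
ORIGINAL_ACL = [
    ("permit", "tcp", "any", "any"),
    ("permit", "tcp", "159.245.191.151", "159.245.68.10"),
    ("deny", "tcp", "any", "159.245.68.10"),
]
CORRECTED_ACL = [
    ("permit", "tcp", "159.245.191.151", "159.245.68.10"),
    ("deny", "tcp", "any", "159.245.68.10"),
    ("permit", "tcp", "any", "any"),
]

def addr_matches(spec, addr):
    """IOS-style match: wildcard bit 1 = don't care, 0 = must match."""
    if spec == "any":
        return True
    parts = spec.split()
    base = int(ipaddress.ip_address(parts[0]))
    wild = int(ipaddress.ip_address(parts[1])) if len(parts) == 2 else 0
    return (int(ipaddress.ip_address(addr)) & ~wild) == (base & ~wild)

def evaluate(acl, proto, src, dst):
    """First-match evaluation. Returns (action, index); index None means
    the packet fell through to the implicit 'deny ip any any'."""
    for i, (action, rproto, rsrc, rdst) in enumerate(acl):
        if rproto not in ("ip", proto):  # 'ip' entries match every protocol
            continue
        if addr_matches(rsrc, src) and addr_matches(rdst, dst):
            return action, i
    return "deny", None

# Constructed test packets: (protocol, source, destination).
PACKETS = {
    "allowed_pc_to_target": ("tcp", "159.245.191.151", "159.245.68.10"),
    "other_pc_to_target": ("tcp", "159.245.191.20", "159.245.68.10"),
    "other_pc_elsewhere": ("tcp", "159.245.191.20", "159.245.1.1"),
    "ping_to_target": ("icmp", "159.245.191.151", "159.245.68.10"),
}

def run_acl(acl):
    """Map each packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, *pkt)[0] for name, pkt in PACKETS.items()}
```

run_acl(ORIGINAL_ACL) permits every TCP packet at entry 0, while run_acl(CORRECTED_ACL) denies only the other PC's connection to 159.245.68.10; the ICMP packet falls to the implicit deny in both cases, which is the non-TCP blocking the logging entry shows.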
 
Thanks for the help, I've wiped the previous control lists and re-entered the new order, however after adding
ip access-group 101 in
to the ethernet port, there was still no filtering during attempts to access 159.245.68.10.
I've taken your advice to include the logging, which is showing the system blocking all non-TCP traffic (this was not previously enabled). Any further ideas as to what may be missing?

The route to 159.245.68.10 is via another router on the same LAN as the one which is being programmed, but the PC is set up with the correct gateway, so that it is not bypassing it.
