
Extended access list question

Status
Not open for further replies.

testpaul

Technical User
Oct 25, 2001
GB
Apologies if this appears twice, only I had problems with the first posting.

My question is on an extended access list. I have to add a batch of IPs that are not all continuous, but blocks of them are.

(using fictitious addresses here)

I was hoping to do something like this

say I had address 192.168.1.10 to 20 (11 addresses)

Could I do this to match all 11

access-list 101 permit tcp 192.168.1.10 0.0.0.11 host 192.133.26.1 eq www

The 0.0.0.11 bit being a match for 192.168.1.10 and the following 10 addresses (11 in all)

Not sure if this theory or the syntax is right?

Would appreciate any help anyone can offer as this would save me lots of time. It's the matching of a block of addresses bit that I am not sure about, and whether the syntax of the whole entry is correct.

Many thanks

Paul
 
Hey Paul.

Where are you proposing you put these access lists? One or several routers. If one, will this be the router that is directly connected to the interface you want to filter the traffic on?

You might want to try the following command to block an entire subnet.

I don't think that it will work to just block your specified range.

For your example of 192.168.1.10-20 you could use the subnet 192.168.1.0 with subnet mask 255.255.255.224. This would give you hosts 192.168.1.1 through 192.168.1.31, and you could write the mask as so:

access-list 101 permit tcp 192.168.1.0 0.0.0.31 host x.x.x.x eq www


This should work if you put your hosts in between 1 and 31, and will leave you some hosts to add.

All other requests will be denied unless otherwise allowed, since the implicit deny statement is implied at the end of the access list by default.

Ranges of addresses normally can only be permitted individually or by subnet only... not with a subnet itself.

Hope this helps. Also try Cisco's site and this link to Boson for more info.


Mike
CCNA, Net+, A+
 
Many thanks Mike.

The access lists are up and running. These are additions to it.

Normally I would do this

permit tcp host 192.168.1.1 host 192.168.1.2 eq www

As each IP I am matching against is allocated by an ISP, I do not have full range matching ability; however, I may occasionally (as now) have quite a lot of new IPs allocated. Some run concurrent, but it will probably never be a whole/exact subnet. I do not get where the subnet comes in, in this example, as it's not using any mask in the list???

I can sort of understand 192.168.1.0 0.0.0.255: I am then saying let in any of 255 addresses in the range 192.168.1.0 to 192.168.1.255 (I think?). I am sure I am able to use the 0.0.0.8 wildcard match, but am not sure what, say, the "8" would stand for. Is it 8 hosts after the previous IP address stated, or is it up to specific host address "8", i.e. 192.168.1.0 to 192.168.1.8???

I hope this is making sense, as I will be using numbers that just happen to be continuous but not the whole of that range/subnet. For example, say I had individual numbers in the range 192.168.1.0 mask 255.255.255.0. I may have addresses 192.168.1.21 to 32 and then 192.168.1.95 to 110, etc. I do not want to allow all 255 addresses in, but selective blocks and individual addresses (I can do the individual ones OK).

Hope this makes sense to somebody!!!!

Thanks

Paul
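The wildcard-mask questions raised in this thread (whether 0.0.0.11 means "the next 11 hosts", what 0.0.0.8 matches, and how to cover a block like 192.168.1.10-20 that is not a whole subnet) can be worked through in code. This is an added example, not something posted in the thread; the helper names are my own, and the addresses are the fictitious ones used above.

```python
import ipaddress

def _int(addr):
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def _str(value):
    return str(ipaddress.IPv4Address(value))

def matched_addresses(network, wildcard):
    """List every address matched by an ACL 'network wildcard' pair.

    A wildcard bit of 1 means "don't care"; a 0 bit must equal the network
    bit.  The wildcard is a bit pattern, not a host count, so a pattern like
    0.0.0.11 (binary 1011) matches scattered addresses, not a run of 11.
    """
    n, w = _int(network), _int(wildcard)
    fixed = n & ~w & 0xFFFFFFFF          # bits every match must share
    free_bits = [b for b in range(32) if (w >> b) & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard covers too many addresses to list")
    out = []
    for combo in range(1 << len(free_bits)):
        addr = fixed
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                addr |= 1 << bit
        out.append(addr)
    return [_str(a) for a in sorted(out)]

def range_to_wildcard_blocks(first, last):
    """Split an inclusive address range into the fewest aligned blocks, each
    expressible as one 'network wildcard' pair.  A single entry can only
    describe an aligned power-of-two block, hence the splitting."""
    lo, hi = _int(first), _int(last)
    blocks = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((_str(lo), _str(size - 1)))
        lo += size
    return blocks

def acl_entries(acl_number, first, last, dest_host, port="www"):
    """Render permit statements for a source range to a single destination host."""
    return [f"access-list {acl_number} permit tcp {net} {wc} host {dest_host} eq {port}"
            for net, wc in range_to_wildcard_blocks(first, last)]
```

For 192.168.1.10-20 this yields four entries (10/0.0.0.1, 12/0.0.0.3, 16/0.0.0.3, 20/0.0.0.0) instead of one, and shows that 192.168.1.10 0.0.0.11 would actually match .0-.3 and .8-.11.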
 