How can I allow only a certain range of IPs and deny the rest?


skhoury

IS-IT--Management
Nov 28, 2003
386
US
Hello all,

I know this is probably a very basic question, but here is what I need to do:

One of our internal servers has a public IP address. We have it currently static mapped, and we have access-lists built that allow https traffic to hit it.

These access-lists allow anyone to hit the server.

We simply want to allow only a certain range of IPs to be allowed to hit the server.

I'm not quite sure how to go about implementing the ACL to do this.

Any help is much appreciated...thanks,

Sam
 
Very simple. (Don't forget to remove your original ACL.)

access-list acl_outside permit tcp 10.128.254.0 255.255.255.0 host 192.168.254.2 eq http

-----

[no] access-list id deny | permit {any | prefix mask | host address}



 
oohh ok.

So is it possible to say something like this?

10.128.252.0 - 10.128.254.0 ?

Sam
 
You can specify numerous hosts if they fall within a valid subnet.

For instance, the 10.128.252.0 through to 10.128.254.0 can be represented as 10.128.252.0/23 and 10.128.254.0/24. Therefore you'd need 2 ACLs for this range of hosts:

access-list acl_outside permit tcp 10.128.252.0 255.255.254.0 host 192.168.254.2 eq http

access-list acl_outside permit tcp 10.128.254.0 255.255.255.0 host 192.168.254.2 eq http

The 2 ACLs above will allow all hosts from 10.128.252.1 through to 10.128.254.255 to inside host 192.168.254.2 for
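
The range-to-subnet split described in the replies above, as an added example that is not part of the original thread: a Python sketch that breaks an inclusive address range into the fewest aligned subnets and formats one permit line per subnet. The function names are assumptions of this example; the ACL name, destination host and `http` service are copied from the replies.

```python
import ipaddress


def subnets_for_range(first, last):
    """Fewest aligned subnets that cover first..last inclusive, and nothing else."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("first address must not be greater than last")
    return list(ipaddress.summarize_address_range(start, end))


def pix_permit_lines(first, last, dest_host, service, acl="acl_outside"):
    """One permit line per subnet, in the 'prefix mask' / 'host address' forms."""
    lines = []
    for net in subnets_for_range(first, last):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"          # single address
        else:
            src = f"{net.network_address} {net.netmask}"  # prefix + netmask
        lines.append(
            f"access-list {acl} permit tcp {src} host {dest_host} eq {service}"
        )
    return lines


def is_permitted(addr, first, last):
    """True if addr falls inside one of the subnets generated for the range."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in subnets_for_range(first, last))


if __name__ == "__main__":
    # Full range through the end of 10.128.254.0/24: two lines, as in the reply.
    for line in pix_permit_lines("10.128.252.0", "10.128.254.255",
                                 "192.168.254.2", "http"):
        print(line)
    # A range ending exactly at 10.128.254.0 covers only that one address
    # in the third block, so the second line becomes a 'host' entry.
    for line in pix_permit_lines("10.128.252.0", "10.128.254.0",
                                 "192.168.254.2", "http"):
        print(line)
```

Where an endpoint is not on a subnet boundary, the split produces more, smaller entries, so it is worth checking the generated lines against the addresses that should and should not get through before applying them.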
 