
IP Access List w/ Cisco 2620 Router

Status
Not open for further replies.

blkphtm

ISP
Oct 23, 2001
US
Hardware: Cisco 2620 Router
Scenario: I want to setup a block of 14 ip addresses so they can only access one certain website or ip address and they can not go anywhere else. I have been using a 255.255.255.240 mask.

Here are a couple of statements that I tried, but could not get them to work.

ip access-list extended 110
permit tcp host x.x.x.241 0.0.0.240 host x.x.112.3
deny ip host x.x.x.241 0.0.0.240 any
permit ip any any

Then on the fastethernet port and serial ports i added:
ip access-group 110 out

Saved, Rebooted and still did not work.

Can someone help me out on this?

Daren
 
! Extended ACL 110 (named-mode entry for the numbered list)
ip access-list extended 110
 ! the /28 block x.x.x.240-255 (hosts .241-.254) may reach the web server
 permit tcp x.x.x.240 0.0.0.15 host x.x.112.3
 ! everything else from that block is dropped
 deny ip x.x.x.240 0.0.0.15 any
 ! all other hosts are unaffected
 permit ip any any

wild card = 255 - netmask

15 = 255 - 240

"out" - is more expensive for CPU than "in"
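To see why the original attempt matched the wrong hosts and the corrected list matches the intended /28, here is a small model of IOS wildcard masks and first-match ACL evaluation. This is an added example, not code from the thread; the real addresses are masked in the posts, so it substitutes the made-up documentation addresses 192.0.2.240/28 for the client block, 198.51.100.3 for the permitted web server and 203.0.113.9 for "anywhere else". Port matching is left out because the ACL under discussion does not use ports.

```python
"""Cisco IOS wildcard masks and extended-ACL matching, modelled in Python.

Added example (not from the original Tek-Tips post). Addresses are
constructed placeholders: 192.0.2.240/28 stands in for x.x.x.240/28,
198.51.100.3 for the web server x.x.112.3, 203.0.113.9 for any other host.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_from_netmask(netmask: str) -> str:
    """Cisco wildcard is the bitwise inverse of the netmask (255 - octet)."""
    return ".".join(str(255 - int(o)) for o in netmask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is equal in addr and base.

    Wildcard bits set to 1 are "don't care"; 0 bits must match exactly.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & MASK32
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Parse 'any', 'host A', or 'A WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tok, tokens[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse one access-control entry: ACTION PROTO SRC DST (no port spec)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, proto: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet; first matching entry wins.

    An entry with protocol 'ip' matches any protocol. Like IOS, an
    unmatched packet hits the implicit 'deny any' at the end of the list.
    """
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"


# The corrected list from the reply, with placeholder addresses filled in.
CORRECTED_ACL = [
    "permit tcp 192.0.2.240 0.0.0.15 host 198.51.100.3",
    "deny ip 192.0.2.240 0.0.0.15 any",
    "permit ip any any",
]


def block_members(base: str, wildcard: str) -> list:
    """List the last-octet values in 192.0.2.0/24 that a source spec matches.

    Used to show what the original 'x.x.x.241 0.0.0.240' spec really covers.
    """
    return [n for n in range(256) if wildcard_match(f"192.0.2.{n}", base, wildcard)]


if __name__ == "__main__":
    print("wildcard for 255.255.255.240 =", wildcard_from_netmask("255.255.255.240"))
    print("original spec .241 0.0.0.240 matches:", block_members("192.0.2.241", "0.0.0.240"))
    print("corrected spec .240 0.0.0.15 matches:", block_members("192.0.2.240", "0.0.0.15"))
    for proto, src, dst in [("tcp", "192.0.2.241", "198.51.100.3"),
                            ("tcp", "192.0.2.254", "203.0.113.9"),
                            ("udp", "192.0.2.241", "198.51.100.3"),
                            ("tcp", "192.0.2.10", "203.0.113.9")]:
        print(f"{proto} {src} -> {dst}: {evaluate(CORRECTED_ACL, proto, src, dst)}")
```

Running it shows the root cause: a wildcard of 0.0.0.240 against .241 keeps only the low four bits, so it matches .1, .17, .33, ... .241 (one host in every /28 of the subnet) and misses .242 through .254, whereas 0.0.0.15 against .240 matches exactly .240 through .255. Note also that the corrected list permits only TCP to the web server; a client that has to resolve the site's name would still need UDP/53 to a DNS server permitted ahead of the deny line.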
 
Should I still put in "ip access-group 110 out" on the interface, or should I change that to "in"?

In order for the access list to work, I do have to add a statement like this don't I?

Daren
 
Yes, you need either an "in" or "out" statement applied to an interface for it to work. If you use the "in" statement on the inner-most interface, it saves on CPU utilization because it has fewer packets and traffic to route. It only has to route those packets you are allowing through and not the packets you are ultimately going to deny with the access-list.
 