Need help with access lists.... 1

Status
Not open for further replies.

CaGirl

MIS
Jul 15, 2004
35
US
I'm somewhat new to Cisco, and I'm trying to help my boss figure out a few things about the network we recently inherited. I have a copy of the access lists set up on one of our routers, and I'm trying to figure out what some of these lists are actually meant to accomplish. For example, one of them is "access-list 100 permit ip host 172.16.10.5 host 172.16.30.10". (10.5 is a DNS server and 30.10 is a client.) Does this mean that 172.16.10.5 is permitted to access 172.16.30.10? There's also another one: "access-list 100 permit ip host [ip address] [ip address] 0.0.0.1". Is this saying that the first IP is a specific host that is able to access the second host plus the next host after it? (If you understand what I mean by that! :)) And finally, if we wanted to give a certain client on a different network access to about six of our servers, what would be the best way to create an access list for this? Would we have to create a different list for each server? Thank you very much!!!
 
I apologize - I know how much easier it is to work on an issue when you can see the whole picture, but for security reasons, my boss isn't permitting me to.
 
I need to allow host 172.16.30.10 to access the following servers: 172.16.10.5, 172.16.10.7, 172.16.10.8, and 172.16.10.10 - would this do it?


router(config)#access-list 100 permit ip host 172.16.30.10 host 172.16.10.5
router(config)#access-list 100 permit ip host 172.16.30.10 172.16.10.7 0.0.0.1
router(config)#access-list 100 permit ip host 172.16.30.10 host 172.16.10.10
router(config-if)#ip access-group 100 out

Thank you!
 
Actually, it should be inbound instead of outbound shouldn't it?
 
0.0.0.1 is a wildcard mask. Think of it as the reverse of a subnet mask. The one listed matches a 31 bit subnet mask (255.255.255.254). I personally would remove that line and just make a specific line for each host. As far as the inbound or outbound direction of the access-group, it depends on what interface it is applied to. If it is applied to the interface directly connected to the servers, then outbound is what you want. If these are the only lines in your access-list, all other traffic will be blocked by the implicit deny ip any any at the end of all Cisco access-lists.


router(config)#access-list 100 permit ip host 172.16.30.10 host 172.16.10.5
router(config)#access-list 100 permit ip host 172.16.30.10 host 172.16.10.7
router(config)#access-list 100 permit ip host 172.16.30.10 host 172.16.10.8
router(config)#access-list 100 permit ip host 172.16.30.10 host 172.16.10.10
router(config-if)#ip access-group 100 out
 
I can remove the wildcard mask, but would the access list still serve its purpose if I left it in? (I'm just curious now.)
In other words, all traffic (from this host to other subnets) that is not specified by the access list will be denied, right?
 
Technically, it should still work ok. I have never used a 31 bit subnet before.
Yes, once an access-list is applied, all traffic that does not match any rules will be dropped.
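As an added illustration (not posted by anyone in this thread), here is a small Python model of how a Cisco extended ACL evaluates the entries proposed above: first match wins, a 1 bit in the wildcard mask means "don't care", and anything unmatched falls through to the implicit deny. It also enumerates which destination hosts the `172.16.10.7 0.0.0.1` line actually covers.

```python
import ipaddress

def _ip(s):
    """Dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Parse one address spec: 'host A', 'any', or 'A WILDCARD'. Returns ((addr, wildcard), rest)."""
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' (the subset of syntax used in the thread)."""
    t = line.replace("router(config)#", "").split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _parse_addr(t[4:])
    dst, _ = _parse_addr(rest)
    return t[2], src, dst

def _matches(spec, ip):
    """Wildcard match: compare only the bits where the wildcard is 0 (the reverse of a subnet mask)."""
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)

def evaluate(acl, src, dst):
    """First matching entry decides; no match hits the implicit 'deny ip any any'."""
    for action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def wildcard_hosts(addr, wildcard):
    """Enumerate every address an 'addr wildcard' pair covers (intended for small wildcards)."""
    a, wc = _ip(addr), _ip(wildcard)
    base = a & ~wc & 0xFFFFFFFF
    return [str(ipaddress.IPv4Address(base | x)) for x in range(wc + 1) if x & ~wc == 0]

# The list exactly as first proposed in the thread, wildcard line included.
ACL_WITH_WILDCARD = [parse_ace(l) for l in (
    "access-list 100 permit ip host 172.16.30.10 host 172.16.10.5",
    "access-list 100 permit ip host 172.16.30.10 172.16.10.7 0.0.0.1",
    "access-list 100 permit ip host 172.16.30.10 host 172.16.10.10",
)]

if __name__ == "__main__":
    print(wildcard_hosts("172.16.10.7", "0.0.0.1"))  # ['172.16.10.6', '172.16.10.7']
    for dst in ("172.16.10.5", "172.16.10.7", "172.16.10.8", "172.16.10.10"):
        print(dst, evaluate(ACL_WITH_WILDCARD, "172.16.30.10", dst))
```

Running it shows the wildcard entry pairs 172.16.10.7 with 172.16.10.6 rather than 172.16.10.8, which is why the per-host version of the list is the safer one to deploy.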
 
Cool - that's exactly what we want. I really appreciate your help! :)
 