Few hosts from subnet

Unanswered Question
Apr 12th, 2007
User Badges:
  • Bronze, 100 points or more

Hi,

Can I permit a few IP addresses from any subnet to access the Internet, for example? In other words, if I have the following subnet 10.10.10.0/24 and I need to permit hosts in the ACL from 200 to 254 to access the internet only.

If yes how?


Thanks in advance


Abd Alqader

Jon Marshall Thu, 04/12/2007 - 23:38
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi


If I have understood correctly, yes you can.


object-group network permit_hosts
 network-object host 10.10.10.200
 network-object host 10.10.10.201
 .... etc.

access-list from_inside permit ip object-group permit_hosts any

access-group from_inside in interface inside



Couple of things to be aware of


1) I have said "permit ip" in the access-list but you could lock it down to particular ports.

2) I haven't covered NAT setup. If you need this, let me know.

3) Any access-list has an implicit deny at the end. So if you apply the above access-list to the inside interface that will stop any other traffic being initiated from the inside to the outside.


HTH


Jon

a.hajhamad Fri, 04/13/2007 - 01:09
User Badges:
  • Bronze, 100 points or more

Thanks.

I know I can do that with one entry for each IP address. But my question was to do that with one entry for the whole subnet.

For example:

object-group network permit_hosts

network-object host X.X.X.200 - 254

Someone told me that it can be done using wildcard!

I need to know how?


Thanks in advance


Abd Alqader

Jon Marshall Fri, 04/13/2007 - 01:22
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi


Well, you can use a subnet mask in your object-group definitions, so I guess you could do


object-group network permit_hosts
 network-object host 10.10.10.200
 network-object host 10.10.10.201
 etc...
 network-object host 10.10.10.223
 network-object 10.10.10.224 255.255.255.224



It all depends on where your subnet boundaries lie. You could use


network-object 10.10.10.192 255.255.255.192


but this would cover 10.10.10.192 - 199 also, which is not what you want.


HTH


Jon

a.hajhamad Fri, 04/13/2007 - 03:46
User Badges:
  • Bronze, 100 points or more

Hi Jon,

I mean any subnet with specific IP addresses; in other words, the fourth octet is between 200 and 254, for example, and the first three octets are any.

X.X.X.200 - 254.

10.10.10.200 - 254

100.1.222.200 - 254

172.30.2.200 - 254

X.X.X.200 - 254


Thanks


Abd Alqader

I wouldn't use access-lists to block traffic but instead I would use policy NAT.

access-list WEB permit ip x.x.x.x x.x.x.x any
nat (inside) 1 access-list WEB
global (outside) 1 interface

You will have to play with your subnetting to get it right ..... I suggest you go with a 255.255.255.192 mask for your ACL as it will allow .193 - .254 to be NATed.

mark.hodge Mon, 04/16/2007 - 14:44
No, unfortunately you cannot define an arbitrary range.


You can define using CIDR ranges as suggested elsewhere.
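The thread's conclusion (Jon's subnet-boundary answer and mark.hodge's "CIDR ranges only") can be checked rather than guessed. The following is an added example, not code from the original thread or from Cisco: it computes the minimal set of CIDR blocks that exactly cover .200 to .254, renders them in the object-group syntax used above, shows what a single wider mask such as 10.10.10.192 255.255.255.192 would let through beyond the wanted range, and brute-forces every IOS-style (value, wildcard) pair on one octet to confirm that no single wildcard, contiguous or not, matches exactly 200-254. The range, the object-group name permit_hosts and the sample addresses are taken from the thread; the function names are this example's own.

```python
import ipaddress
from itertools import product

# Constructed from the thread: the hosts .200 to .254 in 10.10.10.0/24.
FIRST = ipaddress.IPv4Address("10.10.10.200")
LAST = ipaddress.IPv4Address("10.10.10.254")


def cidr_blocks(first, last):
    """Minimal list of CIDR networks that exactly cover first..last inclusive.
    This is the general summarisation of which Jon's .224/27 block is one piece."""
    return list(ipaddress.summarize_address_range(first, last))


def object_group_lines(name, first, last):
    """Render the blocks as PIX/ASA object-group lines (address + netmask form)."""
    lines = [f"object-group network {name}"]
    for net in cidr_blocks(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def covered_hosts(networks):
    """Every address matched by a list of networks (network/broadcast included)."""
    hosts = set()
    for net in networks:
        hosts.update(net)
    return hosts


def overmatch(network, first, last):
    """Addresses a single, too-wide mask permits that lie outside first..last.
    Sorted so the result is stable for comparison."""
    wanted = covered_hosts(cidr_blocks(first, last))
    return sorted(a for a in ipaddress.ip_network(network) if a not in wanted)


def single_wildcard_exists(lo, hi):
    """IOS wildcard check on one octet: is there any (value, wildcard) pair,
    contiguous or not, that matches exactly the octets lo..hi and nothing else?
    A wildcard bit of 1 means "don't care", so octet o matches when
    (o ^ value) & ~wildcard == 0. The other three octets of the ACL entry
    would simply be all-wildcard (255), so one octet decides the question.
    Any wildcard matches exactly 2**popcount(wildcard) values, so wildcards of
    the wrong size are skipped before the expensive comparison."""
    wanted = set(range(lo, hi + 1))
    size = len(wanted)
    for wild in range(256):
        if 1 << bin(wild).count("1") != size:
            continue
        care = ~wild & 0xFF
        for value in range(256):
            matched = {o for o in range(256) if (o ^ value) & care == 0}
            if matched == wanted:
                return True
    return False


if __name__ == "__main__":
    for line in object_group_lines("permit_hosts", FIRST, LAST):
        print(line)
    print("extra hosts let in by 10.10.10.192/26:",
          [str(a) for a in overmatch("10.10.10.192/26", FIRST, LAST)])
    print("single wildcard for 200-254:", single_wildcard_exists(200, 254))
    print("single wildcard for 192-255:", single_wildcard_exists(192, 255))
```

Run as-is, the script prints seven object-group entries (200/29, 208/28, 224/28, 240/29, 248/30, 252/31 and host .254), which is the smallest number of mask-based entries that covers the range without letting .199 or .255 through; the wildcard search comes back True for a bit-aligned range such as 192-255 and False for 200-254, which is the precise reason the "wildcard trick" the original poster was told about cannot work for an arbitrary range.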
