04-12-2007 11:54 AM - edited 03-11-2019 02:59 AM
Hi,
Can I permit a few IP addresses from any subnet to access the Internet, for example? In other words, if I have the following subnet, 10.10.10.0/24, and I need to permit hosts in the ACL from 200 to 254 to access the Internet only.
If yes, how?
Thanks in advance
Abd Alqader
04-12-2007 11:38 PM
Hi
If I have understood correctly, yes you can.
object-group network permit_hosts
network-object host 10.10.10.200
network-object host 10.10.10.201
.... etc.
access-list from_inside permit ip object-group permit_hosts any
access-group from_inside in interface inside
Couple of things to be aware of
1) I have said "permit ip" in the access-list but you could lock it down to particular ports.
2) I haven't covered NAT setup. If you need this let me know.
3) Any access-list has an implicit deny at the end. So if you apply the above access-list to the inside interface that will stop any other traffic being initiated from the inside to the outside.
HTH
Jon
04-13-2007 01:09 AM
Thanks.
I know I can do that with one entry for each IP address. But my question was to do that with one entry for the whole subnet.
For example:
object-group network permit_hosts
network-object host X.X.X.200 - 254
Someone told me that it can be done using wildcard!
I need to know how?
Thanks in advance
Abd Alqader
04-13-2007 01:22 AM
Hi
Well, you can use a subnet mask in your object-group definitions, so I guess you could do
object-group network permit_hosts
network-object host 10.10.10.200
network-object host 10.10.10.201
etc...
network-object host 10.10.10.223
network-object 10.10.10.224 255.255.255.224
It all depends on where your subnet boundaries lie. You could use
network-object 10.10.10.192 255.255.255.192
but this would cover 10.10.10.192 - 199 also which is not what you want.
HTH
Jon
04-13-2007 03:46 AM
Hi Jon,
I mean any subnet with specific IP addresses; in other words, the fourth octet is in the range 200 to 254, for example, and the first three octets are any.
X.X.X.200 - 254.
10.10.10.200 - 254
100.1.222.200 - 254
172.30.2.200 - 254
X.X.X.200 - 254
Thanks
Abd Alqader
04-13-2007 08:58 AM
I wouldn't use access-lists to block traffic but instead I would use policy NAT.
access-list WEB permit ip x.x.x.x x.x.x.x any
nat (inside) 1 access-list WEB
global (outside) 1 interface
You will have to play with your subnetting to get it right... I suggest you go with a 255.255.255.192 mask for your ACL as it will allow .193 - .254 to be NATed.
04-16-2007 02:44 PM
No, unfortunately you cannot define an arbitrary range.
You can define using CIDR ranges as suggested elsewhere.
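As an added example (not from the thread or from Cisco), the following Python script turns a wanted host range such as .200 - .254 into the minimal list of subnet-mask style network-object lines, and lists the extra addresses that a single broader mask (like the 255.255.255.192 suggested above) would let through. The function names are assumed; only the standard library is used.

```python
import ipaddress


def range_to_network_objects(first, last):
    """Smallest set of ASA-style network-object lines covering first..last.

    summarize_address_range() splits the range into aligned CIDR blocks,
    which is exactly what a platform that only accepts contiguous masks
    can express. A /32 is written in 'host' form.
    """
    lines = []
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for net in ipaddress.summarize_address_range(lo, hi):
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def overmatch(network, netmask, first, last):
    """Addresses a single network-object would permit outside first..last.

    Use this to check a 'rounded up' mask before applying it: anything
    returned here is traffic the ACL admits that was not intended.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}")  # strict: rejects unaligned input
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(a) for a in net if a < lo or a > hi]


if __name__ == "__main__":
    # Constructed sample from the thread: permit 10.10.10.200 - .254 only.
    for line in range_to_network_objects("10.10.10.200", "10.10.10.254"):
        print(line)
    extra = overmatch("10.10.10.192", "255.255.255.192", "10.10.10.200", "10.10.10.254")
    print("extra addresses admitted by 10.10.10.192/26:", extra)
```

Because every block must be aligned on a power-of-two boundary, the .200 - .254 range needs seven entries, and no contiguous mask can express "last octet 200-254 with any first three octets", which matches the final answer in the thread.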