Few hosts from subnet

a.hajhamad
Level 4

Hi,

Can I permit a few IP addresses from any subnet to access the Internet, for example? In other words, if I have the subnet 10.10.10.0/24 and I need to permit only the hosts from .200 to .254 in the ACL to access the Internet.

If yes how?

Thanks in advance

Abd Alqader

6 Replies

Jon Marshall
Hall of Fame

Hi

If I have understood correctly, yes you can.

object-group network permit_hosts

network-object host 10.10.10.200

network-object host 10.10.10.201

.... etc.

access-list from_inside permit ip object-group permit_hosts any

access-group from_inside in interface inside

Couple of things to be aware of

1) I have said "permit ip" in the access-list but you could lock it down to particular ports.

2) I haven't covered the NAT setup. If you need this, let me know.

3) Any access-list has an implicit deny at the end. So if you apply the above access-list to the inside interface, that will stop any other traffic being initiated from the inside to the outside.

HTH

Jon

Thanks.

I know I can do that with one entry for each IP address. But my question was how to do it with one entry for the whole subnet.

For example:

object-group network permit_hosts

network-object host X.X.X.200 - 254

Someone told me that it can be done using a wildcard!

I need to know how?

Thanks in advance

Abd Alqader

Hi

Well, you can use a subnet mask in your object-group definitions, so I guess you could do

object-group network permit_hosts

network-object host 10.10.10.200

network-object host 10.10.10.201

etc...

network-object host 10.10.10.223

network-object 10.10.10.224 255.255.255.224

It all depends on where your subnet boundaries lie. You could use

network-object 10.10.10.192 255.255.255.192

but this would also cover 10.10.10.192 - 199, which is not what you want.

HTH

Jon

Hi Jon,

I mean any subnet with specific IP addresses; in other words, the fourth octet is in the range 200 to 254, for example, and the first three octets are anything.

X.X.X.200 - 254.

10.10.10.200 - 254

100.1.222.200 - 254

172.30.2.200 - 254

X.X.X.200 - 254

Thanks

Abd Alqader

I wouldn't use access-lists to block traffic; instead I would use policy NAT.

access-list WEB permit ip x.x.x.x x.x.x.x any

nat (inside) 1 access-list WEB

global (outside) 1 interface

You will have to play with your subnetting to get it right. I suggest you go with a 255.255.255.192 mask for your ACL, as it will allow .193 - .254 to be NATed.

No, unfortunately you cannot define an arbitrary range.

You can define using CIDR ranges as suggested elsewhere.
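Added example (not from any of the replies above): the reason X.X.X.200 - 254 cannot be a single entry is that a netmask or wildcard can only describe an aligned block of 2^n addresses, so an arbitrary range has to be split into such blocks. The script below does that split, renders it both as ASA-style netmask object-group lines for one subnet and as IOS-style "any subnet" wildcard entries (value 0.0.0.N, wildcard 255.255.255.W), and checks which addresses an ACL built from those entries would match. It assumes IOS wildcard semantics (a set wildcard bit means "don't care"), including non-contiguous wildcards; whether a particular platform accepts such an entry is not something this thread confirms, so verify on your own firewall.

```python
# Added example, not code from the thread. Splits a 4th-octet range into
# aligned power-of-two blocks, the only shape a mask or wildcard can express.
# Assumption: IOS-style wildcard semantics (wildcard bit set = don't care),
# including non-contiguous wildcards such as 255.255.255.7 for "any subnet".
from ipaddress import IPv4Address


def octet_range_to_blocks(lo, hi):
    """Split lo..hi (4th octet) into the fewest aligned power-of-two blocks.

    Returns (value, wildcard, netmask) per block; (200, 7, 248) means
    200-207, i.e. wildcard 0.0.0.7 or netmask 255.255.255.248.
    """
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must lie within 0..255")
    blocks = []
    start = lo
    while start <= hi:
        size = 1
        # grow the block while it stays aligned to its size and within hi
        while start % (size * 2) == 0 and start + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((start, size - 1, 255 - (size - 1)))
        start += size
    return blocks


def asa_network_objects(prefix, lo, hi):
    """Render object-group lines (netmask form) for one subnet prefix."""
    lines = []
    for value, wildcard, netmask in octet_range_to_blocks(lo, hi):
        if wildcard == 0:
            lines.append(f"network-object host {prefix}.{value}")
        else:
            lines.append(f"network-object {prefix}.{value} 255.255.255.{netmask}")
    return lines


def any_subnet_entries(lo, hi):
    """Wildcard entries for X.X.X.lo-hi with the first three octets as
    don't-care: value 0.0.0.N, wildcard 255.255.255.W (non-contiguous)."""
    return [(f"0.0.0.{v}", f"255.255.255.{w}")
            for v, w, _ in octet_range_to_blocks(lo, hi)]


def wildcard_match(ip, value, wildcard):
    """IOS wildcard test: compare only the bits that are 0 in the wildcard."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(value)) & care)


def permitted(ip, lo, hi):
    """Would an ACL built from any_subnet_entries(lo, hi) match ip?"""
    return any(wildcard_match(ip, v, w) for v, w in any_subnet_entries(lo, hi))


if __name__ == "__main__":
    # The thread's case: 200-254 needs seven entries, not one.
    for line in asa_network_objects("10.10.10", 200, 254):
        print(line)
    for value, wildcard in any_subnet_entries(200, 254):
        print(f"permit ip {value} {wildcard} any")
    # The 255.255.255.192 shortcut (192-255) over-permits .192-.199 and .255.
    print(permitted("10.10.10.199", 192, 255), permitted("10.10.10.199", 200, 254))
```

Running it shows why the boundary matters: 200 - 254 decomposes into seven blocks (/29, /28, /28, /29, /30, /31, /32), 200 - 255 into three, and 192 - 255 into the single 255.255.255.192 entry, which is exactly the over-permit Jon points out.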
