ACL's

Unanswered Question
May 6th, 2008
I have an ACL with which I want to permit communication from one subnet to 4 specific hosts and allow for internet.


ip access-list extended PUBLIC-WIRELESS
permit ip any host 10.0.32.120
permit ip any host 10.0.32.121
permit ip any host 10.0.32.122
permit ip any host 10.0.32.123
deny ip any any


I know this won't allow those hosts on the subnet to get to the internet. My question is: can I have these permit statements allowing communication to those hosts, and still allow anyone on that subnet to get to the internet? It is publicly accessed and I can't allow them to be on our network except to communicate with a few printers and a print server.

Edison Ortiz Tue, 05/06/2008 - 12:57
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

Try the following:


ip access-list extended PUBLIC-WIRELESS
permit ip any host 10.0.32.120
permit ip any host 10.0.32.121
permit ip any host 10.0.32.122
permit ip any host 10.0.32.123
deny ip any [your internal network]
permit ip any any


HTH,


__


Edison.

cowetacoit Tue, 05/06/2008 - 13:01
Hmm... I didn't realize you could have a permit after a deny statement like that. That worked! Thanks!

michael.leblanc Thu, 05/08/2008 - 16:11
User Badges:
  • Silver, 250 points or more

Packets that "don't match":


deny ip any [your internal network]


... are evaluated against the next Access Control Entries (ACEs), until a match is found or the end of the ACL is reached.


Typically, you'll use a:


deny ip any any log


... ACE at the end of your ACL to log any packets that violate security policy.
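The first-match behaviour Edison's answer relies on and the logging point above can be checked offline with a small simulator. The following Python is an added example written for this page, not code from the thread or from Cisco: it parses the ACE syntax used in the thread (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, optional trailing `log`) and walks an ACL top to bottom the way IOS does, falling through to the implicit deny when nothing matches. The internal range `10.0.0.0 0.0.255.255` stands in for Edison's "[your internal network]" placeholder, and the client address `10.0.40.25`, the internal host `10.0.7.30` and the internet address `198.51.100.7` are constructed sample values.

```python
# Added example (not from the thread): simulate Cisco extended ACL first-match
# evaluation to compare the original PUBLIC-WIRELESS ACL with Edison's version,
# and to show the difference between the implicit deny and "deny ip any any log".
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool = False              # trailing "log" keyword present


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is an inverted netmask; ipaddress accepts it as a hostmask.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse a single 'permit|deny ip <src> <dst> [log]' line."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    return Ace(action, src, dst, log="log" in tokens[i:])


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def evaluate(acl, src_ip: str, dst_ip: str):
    """Return (action, ace_index, logged) for the first ACE the packet matches.

    ACEs are tested in order and evaluation stops at the first match. A packet
    that matches no ACE hits the implicit deny at the end of every ACL, which
    is reported as index None and is never logged.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return ace.action, idx, ace.log
    return "deny", None, False


# The four printer/print-server ACEs from the thread.
PRINTERS = [
    "permit ip any host 10.0.32.120",
    "permit ip any host 10.0.32.121",
    "permit ip any host 10.0.32.122",
    "permit ip any host 10.0.32.123",
]
# Assumed stand-in for "[your internal network]" in Edison's answer.
INTERNAL_NET = "10.0.0.0 0.0.255.255"

ORIGINAL_ACL = parse_acl(PRINTERS + ["deny ip any any"])
EDISON_ACL = parse_acl(PRINTERS + [f"deny ip any {INTERNAL_NET}", "permit ip any any"])
NO_EXPLICIT_DENY = parse_acl(PRINTERS)                      # relies on the implicit deny
LOGGED_DENY = parse_acl(PRINTERS + ["deny ip any any log"])  # michael.leblanc's suggestion


def compare(src_ip: str, dst_ip: str):
    """Evaluate one packet against every ACL variant; returns {name: (action, idx, logged)}."""
    acls = {
        "original": ORIGINAL_ACL,
        "edison": EDISON_ACL,
        "no_explicit_deny": NO_EXPLICIT_DENY,
        "logged_deny": LOGGED_DENY,
    }
    return {name: evaluate(acl, src_ip, dst_ip) for name, acl in acls.items()}


if __name__ == "__main__":
    client = "10.0.40.25"  # constructed wireless client address
    for dst in ("10.0.32.121", "10.0.7.30", "198.51.100.7"):
        print(dst, compare(client, dst))
```

Running it shows why the original ACL blocks the internet (the packet to `198.51.100.7` reaches the explicit `deny ip any any` at index 4) while Edison's ACL lets it through at the final `permit ip any any`, still denying the internal host at the `deny ip any <internal>` ACE. The last two variants illustrate the logging point: a packet that falls off the end of an ACL is dropped silently by the implicit deny, whereas an explicit `deny ip any any log` matches it and records the hit.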

