ACLs

May 6th, 2008

I have an ACL that I want to permit communication from one subnet to 4 specific hosts and allow for the internet.

ip access-list extended PUBLIC-WIRELESS
 permit ip any host 10.0.32.120
 permit ip any host 10.0.32.121
 permit ip any host 10.0.32.122
 permit ip any host 10.0.32.123
 deny ip any any

I know this won't allow those hosts on the subnet to get to the internet. My question is: can I have these permit statements allowing communication to those hosts, and still allow anyone on that subnet to get to the internet? It is publicly accessed and I can't allow them to be on our network except to communicate with a few printers and a print server.

Edison Ortiz Tue, 05/06/2008 - 12:57

Try the following:

ip access-list extended PUBLIC-WIRELESS
 permit ip any host 10.0.32.120
 permit ip any host 10.0.32.121
 permit ip any host 10.0.32.122
 permit ip any host 10.0.32.123
 deny ip any [your internal network]
 permit ip any any

HTH,

__

Edison.

cowetacoit Tue, 05/06/2008 - 13:01

Hmm... I didn't realize you could have a permit after a deny statement like that. That worked! Thanks!

michael.leblanc Thu, 05/08/2008 - 16:11

Packets that "don't match":

deny ip any [your internal network]

... are evaluated against the next Access Control Entry(s) (ACE), until a match is found, or the end of the ACL is reached.

Typically, you'll use a:

deny ip any any log

... ACE, at the end of your ACL to log any packets that violate security policy.
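
The first-match behaviour described in this thread, as an added example that is not part of the original discussion: a small Python model of how IOS walks an extended ACL, run over the question's original ACL and over Edison's corrected one. The "[your internal network]" placeholder is assumed here to be 10.0.0.0/8 (wildcard 0.255.255.255) and the wireless client address 10.0.40.17 is assumed; both are constructed for the example. Only `ip` ACEs with `any`, `host`, or address/wildcard specs are parsed, which is all the thread's ACLs use. One practical point the model makes visible: once `permit ip any any` is the last ACE, a `deny ip any any log` placed after it can never be reached, so in this design the `log` keyword belongs on the `deny ip any [your internal network]` ACE, which is the one that catches the policy violations (and if the internal space is more than one range, each range needs its own deny ACE ahead of the final permit).

```python
"""First-match ACL evaluation, the way IOS walks an extended ACL (example model)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard mask)
    dst: str
    log: bool = False


def _matches(spec: str, addr: str) -> bool:
    """IOS address matching: 'any', 'host X', or 'X WILDCARD' (1 bits in the wildcard = don't care)."""
    ip = int(ipaddress.IPv4Address(addr))
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    return (ip & ~wildcard) == (base & ~wildcard)


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return " ".join(tokens[i:i + 2]), i + 2   # "host X" or "X WILDCARD"


def parse_acl(text: str) -> list:
    """Parse 'permit|deny ip SRC DST [log]' lines; the 'ip access-list ...' header is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":
            continue
        action, proto = tokens[0], tokens[1]
        assert action in ("permit", "deny") and proto == "ip", line
        src, i = _take_addr(tokens, 2)
        dst, i = _take_addr(tokens, i)
        aces.append(Ace(action, src, dst, log="log" in tokens[i:]))
    return aces


def evaluate(aces, src: str, dst: str):
    """Walk the ACL top to bottom and stop at the first ACE whose source and
    destination both match. Returns (action, 1-based ACE number or None, log flag).
    A packet that matches no ACE hits the implicit 'deny ip any any' at the end."""
    for n, ace in enumerate(aces, 1):
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, n, ace.log
    return "deny", None, False


PRINTERS = ["10.0.32.120", "10.0.32.121", "10.0.32.122", "10.0.32.123"]
INTERNAL = "10.0.0.0 0.255.255.255"   # assumed: "[your internal network]" taken as 10.0.0.0/8
WIRELESS_CLIENT = "10.0.40.17"        # assumed: a client on the public wireless subnet

# The ACL from the question: the trailing deny also catches internet-bound traffic.
ORIGINAL_ACL = "ip access-list extended PUBLIC-WIRELESS\n" + \
    "".join(f" permit ip any host {p}\n" for p in PRINTERS) + " deny ip any any\n"

# Edison's corrected ordering: printers first, then deny the rest of the internal
# network, then permit everything else. 'log' goes on the deny that actually catches
# policy violations; a 'deny ip any any log' after 'permit ip any any' would never match.
FIXED_ACL = "ip access-list extended PUBLIC-WIRELESS\n" + \
    "".join(f" permit ip any host {p}\n" for p in PRINTERS) + \
    f" deny ip any {INTERNAL} log\n permit ip any any\n"

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        aces = parse_acl(acl)
        for dst in ("10.0.32.120", "10.0.1.5", "8.8.8.8"):
            print(f"{name:8} {WIRELESS_CLIENT} -> {dst:12}", evaluate(aces, WIRELESS_CLIENT, dst))
```

Running it shows the original ACL permitting the printer but denying 8.8.8.8 on its fifth ACE, while the corrected ACL permits the printer on ACE 1, denies and logs the internal host 10.0.1.5 on ACE 5, and lets 8.8.8.8 through on the final `permit ip any any`.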
