05-06-2008 12:43 PM - edited 03-07-2019 12:28 AM
I have an ACL where I want to permit communication from one subnet to 4 specific hosts and allow for internet.
ip access-list extended PUBLIC-WIRELESS
permit ip any host 10.0.32.120
permit ip any host 10.0.32.121
permit ip any host 10.0.32.122
permit ip any host 10.0.32.123
deny ip any any
I know this won't allow those hosts on the subnet to get to the internet. My question is, can I have these permit statements allowing communication to those hosts and still allow anyone on that subnet to get to the internet? It is publicly accessed and I can't allow them to be on our network except to communicate with a few printers and a print server.
05-06-2008 12:57 PM
Try the following:
ip access-list extended PUBLIC-WIRELESS
permit ip any host 10.0.32.120
permit ip any host 10.0.32.121
permit ip any host 10.0.32.122
permit ip any host 10.0.32.123
deny ip any [your internal network]
permit ip any any
HTH,
__
Edison.
05-06-2008 01:01 PM
Hmm... I didn't realize you could have a permit after a deny statement like that. That worked! Thanks!
05-08-2008 04:11 PM
Packets that "don't match":
deny ip any [your internal network]
... are evaluated against the next Access Control Entries (ACEs) until a match is found or the end of the ACL is reached.
Typically, you'll use a:
deny ip any any log
... ACE at the end of your ACL to log any packets that violate security policy.
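To make the first-match behaviour described above concrete (Edison's reordered ACL, and the top-down evaluation explained in the last reply), here is an added example that is not part of the original thread and not Cisco code: a small Python evaluator for Cisco-style extended IP ACLs. It assumes the placeholder "[your internal network]" is 10.0.0.0/8, written in IOS wildcard form as "10.0.0.0 0.255.255.255"; the guest client and internet addresses in the sample flows are constructed for the demonstration.

```python
"""First-match evaluation of Cisco-style extended IP ACLs (added example).

Assumption: "[your internal network]" from the thread is 10.0.0.0/8,
written in IOS wildcard form as "10.0.0.0 0.255.255.255".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = 0xFFFFFFFF


@dataclass(frozen=True)
class Match:
    """Address term: base address plus IOS wildcard (1 bits = don't care)."""
    addr: int
    wild: int

    def covers(self, ip: str) -> bool:
        care = ~self.wild & ANY
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: Match
    dst: Match
    log: bool


def _parse_term(tokens: List[str]) -> Tuple[Match, List[str]]:
    """Consume one of: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return Match(0, ANY), tokens[1:]
    if tokens[0] == "host":
        return Match(int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (Match(int(ipaddress.IPv4Address(tokens[0])),
                  int(ipaddress.IPv4Address(tokens[1]))), tokens[2:])


def parse_acl(text: str) -> List[Ace]:
    """Parse ACE lines of a named extended ACL; header and '!' lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list") or line.startswith("!"):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _parse_term(tokens[2:])
        dst, rest = _parse_term(rest)
        aces.append(Ace(action, proto, src, dst, "log" in rest))
    return aces


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str,
             proto: str = "ip") -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; the first matching ACE decides.

    Returns (action, index). Falling off the end is the implicit
    'deny ip any any', reported with index None.
    """
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src.covers(src_ip) and ace.dst.covers(dst_ip):
            return ace.action, i
    return "deny", None


# The poster's first attempt: the trailing deny also blocks the internet.
ORIGINAL_ACL = parse_acl("""
ip access-list extended PUBLIC-WIRELESS
 permit ip any host 10.0.32.120
 permit ip any host 10.0.32.121
 permit ip any host 10.0.32.122
 permit ip any host 10.0.32.123
 deny ip any any
""")

# Edison's version, with the assumed 10.0.0.0/8 as the internal network.
FIXED_ACL = parse_acl("""
ip access-list extended PUBLIC-WIRELESS
 permit ip any host 10.0.32.120
 permit ip any host 10.0.32.121
 permit ip any host 10.0.32.122
 permit ip any host 10.0.32.123
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
""")

# Same ACEs in the wrong order: the printers sit inside 10.0.0.0/8, so the
# broad deny matches first and the host permits are never reached.
MISORDERED_ACL = parse_acl("""
ip access-list extended PUBLIC-WIRELESS
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any host 10.0.32.120
 permit ip any any
""")

# Constructed sample flows from a guest client (addresses are made up).
GUEST = "172.16.5.10"
PRINTER, INTERNAL_HOST, INTERNET = "10.0.32.120", "10.0.1.5", "93.184.216.34"

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                      ("misordered", MISORDERED_ACL)):
        for dst in (PRINTER, INTERNAL_HOST, INTERNET):
            print(f"{name:10} {GUEST} -> {dst:15} {evaluate(acl, GUEST, dst)}")
```

Running it shows why order is the whole point: against FIXED_ACL a guest reaches the printers (matched by ACEs 0 to 3) and the internet (ACE 5) but not the rest of 10.0.0.0/8 (ACE 4), while MISORDERED_ACL denies the printer at ACE 0 because the /8 deny is evaluated before the host permit. The evaluator only models source, destination and protocol; port-level matching and the `log` keyword are parsed but not acted on.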