ACL help

Sep 11th, 2010

I've been assigned a project in school and I was wondering if I could get some help here.

What my instructor has told me to do is create an ACL and deny a subnet without using 'deny'.

So, on one router (R1) I have a 10.1.X.0/24 subnet and on the other (R2) I have a 192.168.10.0/28.

On R1, I've created 10 loopbacks with IPs of 10.1.0.1 all the way to 10.1.10.1.

I need to block any information from 10.1.10.0/24 from getting to 192.168.10.1 without using deny.

Here is my R1 info:

interface Loopback0
ip address 10.1.0.1 255.255.255.0
!
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
ip address 10.1.2.1 255.255.255.0
!
interface Loopback3
ip address 10.1.3.1 255.255.255.0
!
interface Loopback4
ip address 10.1.4.1 255.255.255.0
!
interface Loopback5
ip address 10.1.5.1 255.255.255.0
!
interface Loopback6
ip address 10.1.6.1 255.255.255.0
!
interface Loopback7
ip address 10.1.7.1 255.255.255.0
!
interface Loopback8
ip address 10.1.8.1 255.255.255.0
!
interface Loopback9
ip address 10.1.9.1 255.255.255.0
!
interface Loopback10
ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router rip
network 10.0.0.0
network 12.0.0.0
network 192.168.10.0
!
ip classless
!
!
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

And here is my R2 info:

interface Loopback0
ip address 192.168.10.1 255.255.255.240
ip access-group 105 in
ip access-group 105 out
ip nat inside
!
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router rip
network 10.0.0.0
network 12.0.0.0
network 192.168.10.0
!
ip classless
!
!
access-list 105 permit ip 10.1.0.0 0.0.7.255 192.168.10.0 0.0.0.15
access-list 105 permit ip 10.1.8.0 0.0.1.255 192.168.10.0 0.0.0.15
access-list 105 permit ip 10.1.11.0 0.0.4.255 192.168.10.0 0.0.0.15
access-list 105 permit ip 10.1.16.0 0.0.15.255 192.168.10.0 0.0.0.15
access-list 105 permit ip 10.1.32.0 0.0.31.255 192.168.10.0 0.0.0.15
access-list 105 permit ip 10.1.64.0 0.0.63.255 192.168.10.0 0.0.0.15
access-list 105 permit ip 10.1.128.0 0.0.127.255 192.168.10.0 0.0.0.15
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end


Yet I don't even know if this is right or how to test it.

Is there any way I can get some help? If not, then please disregard/delete this message.

Thanks

Brandon

Richard Burts Sun, 09/12/2010 - 16:19

Brandon

While the suggestion from Sunil about route maps is interesting, I believe that your original post was pretty specific that the solution needed to be an access list that did not use a deny statement. In that case you are on the right track. By permitting other traffic but not having a permit for 10.1.10.0, that traffic will be denied. But there are some problems in the way that you have implemented it.

I think that this line is intended to permit 10.1.11 through 10.1.15, but it will not work that way:

access-list 105 permit ip 10.1.11.0 0.0.4.255 192.168.10.0 0.0.0.15

You need a line specifically for 10.1.11 and then you can do a line that will do 10.1.12 through 10.1.15.

Also, using the same access list 105 in and out on the interface will result in all communication failing. You want that access list outbound and not inbound.

HTH

Rick
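To make the two points in Rick's reply concrete, here is a small Python simulation of IOS extended-ACL matching. It is an added example, not configuration or code from the original thread, and it models only wildcard-mask matching, first-match evaluation and the implicit deny at the end of an access list; it does not model how IOS treats an ACL applied to a loopback interface, NAT, or routing. The function names, the `POSTED_ACL` list (copied from the R2 config in the question) and the sample packet addresses are the example's own. It shows which subnets `10.1.11.0 0.0.4.255` really covers, generates the permit-only list for 10.1.0.0/16 minus 10.1.10.0/24 from aligned blocks, and checks sample packets in both directions.

```python
"""Simulate IOS extended-ACL matching (added example, not from the thread).

Models only what the question needs: Cisco wildcard-mask matching of the
source and destination addresses, first-match evaluation, and the implicit
'deny ip any any' that ends every IOS access list. It does not model how IOS
applies an ACL to a loopback interface, NAT, or routing.
"""
import ipaddress


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care';
    every 0 bit must match the base address exactly."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(addr) & care) == (_as_int(base) & care)


def third_octets_matched(base: str, wildcard: str) -> list:
    """Which 10.1.X.0 subnets does a base/wildcard pair actually cover?"""
    return [x for x in range(256) if wildcard_match(f"10.1.{x}.0", base, wildcard)]


def parse_acl(lines: list) -> list:
    """Parse 'access-list N permit|deny ip SRC SWC DST DWC' into tuples."""
    entries = []
    for line in lines:
        f = line.split()
        # f == ['access-list', N, action, 'ip', src, src_wc, dst, dst_wc]
        entries.append((f[2], f[4], f[5], f[6], f[7]))
    return entries


def acl_action(entries: list, src: str, dst: str) -> str:
    """First matching entry wins; a packet that matches nothing is denied."""
    for action, sbase, swc, dbase, dwc in entries:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL


def permit_all_but(number: int, superset: str, hole: str, dst: str) -> list:
    """Permit-only entries covering `superset` minus `hole`, no deny needed.

    address_exclude() splits the remainder into the fewest aligned CIDR
    blocks; each aligned block is exactly one base/wildcard pair (the
    wildcard is the block's host mask). A span that is not aligned, such as
    10.1.11.0-10.1.15.255, cannot be one entry and must be split.
    """
    keep = ipaddress.IPv4Network(superset).address_exclude(ipaddress.IPv4Network(hole))
    d = ipaddress.IPv4Network(dst)
    return [
        f"access-list {number} permit ip {n.network_address} {n.hostmask} "
        f"{d.network_address} {d.hostmask}"
        for n in sorted(keep)
    ]


# Access list 105 exactly as posted in the R2 config in the question.
POSTED_ACL = [
    "access-list 105 permit ip 10.1.0.0 0.0.7.255 192.168.10.0 0.0.0.15",
    "access-list 105 permit ip 10.1.8.0 0.0.1.255 192.168.10.0 0.0.0.15",
    "access-list 105 permit ip 10.1.11.0 0.0.4.255 192.168.10.0 0.0.0.15",
    "access-list 105 permit ip 10.1.16.0 0.0.15.255 192.168.10.0 0.0.0.15",
    "access-list 105 permit ip 10.1.32.0 0.0.31.255 192.168.10.0 0.0.0.15",
    "access-list 105 permit ip 10.1.64.0 0.0.63.255 192.168.10.0 0.0.0.15",
    "access-list 105 permit ip 10.1.128.0 0.0.127.255 192.168.10.0 0.0.0.15",
]

# The same intent built from aligned blocks: everything in 10.1.0.0/16
# except 10.1.10.0/24, towards 192.168.10.0/28 (hypothetical, generated here).
FIXED_ACL = permit_all_but(105, "10.1.0.0/16", "10.1.10.0/24", "192.168.10.0/28")


def compare(src: str, dst: str = "192.168.10.1") -> tuple:
    """(posted ACL verdict, fixed ACL verdict) for one packet."""
    return (acl_action(parse_acl(POSTED_ACL), src, dst),
            acl_action(parse_acl(FIXED_ACL), src, dst))


if __name__ == "__main__":
    print("10.1.11.0 0.0.4.255 covers third octets:",
          third_octets_matched("10.1.11.0", "0.0.4.255"))
    print("\n".join(FIXED_ACL))
    # Constructed sample packets: three outbound sources, then one reverse-direction packet.
    for src, dst in [("10.1.9.1", "192.168.10.1"), ("10.1.10.1", "192.168.10.1"),
                     ("10.1.12.1", "192.168.10.1"), ("192.168.10.1", "10.1.3.1")]:
        posted, fixed = compare(src, dst)
        print(f"{src:>13} -> {dst:<13} posted={posted:6} fixed={fixed}")
```

Run as a script it prints the coverage table: the posted `10.1.11.0 0.0.4.255` entry matches only the 10.1.11 and 10.1.15 subnets (the wildcard frees a single bit of the third octet), so 10.1.12 through 10.1.14 fall through to the implicit deny. The generated list is one line longer than the posted one because the unaligned span becomes 10.1.11.0/24 plus 10.1.12.0/22, the split Rick describes. The reverse-direction packet sourced from 192.168.10.1 matches no permit line in either list, which is why the same ACL applied inbound blocks the return traffic.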
