
Bronze

Few hosts from subnet

Hi,

Can I permit a few IP addresses from any subnet to access the Internet, for example? In other words, if I have the following subnet 10.10.10.0/24 and I need to permit hosts in the ACL from 200 to 254 to access the Internet only.

If yes how?

Thanks in advance

Abd Alqader

6 REPLIES
Hall of Fame Super Blue

Re: Few hosts from subnet

Hi

If I have understood correctly, yes you can.

object-group network permit_hosts

network-object host 10.10.10.200

network-object host 10.10.10.201

.... etc.

access-list from_inside permit ip object-group permit_hosts any

access-group from_inside in interface inside

Couple of things to be aware of

1) I have said "permit ip" in the access-list, but you could lock it down to particular ports.

2) I haven't covered the NAT setup. If you need this, let me know.

3) Any access-list has an implicit deny at the end. So if you apply the above access-list to the inside interface that will stop any other traffic being initiated from the inside to the outside.

HTH

Jon

Bronze

Re: Few hosts from subnet

Thanks.

I know I can do that with one entry for each IP address. But my question was to do that with one entry for the whole subnet.

For example:

object-group network permit_hosts

network-object host X.X.X.200 - 254

Someone told me that it can be done using a wildcard!

I need to know how?

Thanks in advance

Abd Alqader

Hall of Fame Super Blue

Re: Few hosts from subnet

Hi

Well, you can use a subnet mask in your object-group definitions, so I guess you could do

object-group network permit_hosts

network-object host 10.10.10.200

network-object host 10.10.10.201

etc...

network-object host 10.10.10.223

network-object 10.10.10.224 255.255.255.224

It all depends on where your subnet boundaries lie. You could use

network-object 10.10.10.192 255.255.255.192

but this would cover 10.10.10.192 - 199 also, which is not what you want.

HTH

Jon

Bronze

Re: Few hosts from subnet

Hi Jon,

I mean any subnet with specific IP addresses; in other words, the fourth octet is between 200 and 254, for example, and the first three octets can be anything.

X.X.X.200 - 254.

10.10.10.200 - 254

100.1.222.200 - 254

172.30.2.200 - 254

X.X.X.200 - 254

Thanks

Abd Alqader

New Member

Re: Few hosts from subnet

I wouldn't use access-lists to block traffic; instead I would use policy NAT.

access-list WEB permit ip x.x.x.x x.x.x.x any

nat (inside) 1 access-list WEB

global (outside) 1 interface

You will have to play with your subnetting to get it right ..... I suggest you go with a 255.255.255.192 mask for your ACL, as it will allow .193 - .254 to be NAT'd.

New Member

Re: Few hosts from subnet

No, unfortunately you cannot define an arbitrary range.

You can define using CIDR ranges as suggested elsewhere.
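As an added illustration of the point made in the replies above (this is not code from the thread or from Cisco): ASA network-object entries take contiguous subnet masks, so a range such as .200 - .254 can only be expressed as the set of CIDR blocks that tile it. The script below uses Python's standard ipaddress module to compute that minimal set for a given subnet, emit the matching object-group lines, confirm the entries cover the range exactly (no stray .192 - .199 as with the /26), and report whether a single mask would have sufficed. Names like range_to_network_objects and the object-group name are the example's own.

```python
import ipaddress


def range_to_blocks(first, last):
    """Minimal set of CIDR blocks covering first..last inclusive (IPv4 strings)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def range_to_network_objects(first, last):
    """ASA object-group entries for the range: a 'host' line for each /32,
    otherwise 'network-object <network> <mask>' (ASA uses subnet masks,
    not wildcard masks, so every entry is a contiguous block)."""
    lines = []
    for net in range_to_blocks(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def single_mask_entry(first, last):
    """(network, mask) if one contiguous mask covers exactly the range, else None.
    This is the check behind 'you cannot define an arbitrary range'."""
    blocks = range_to_blocks(first, last)
    if len(blocks) == 1:
        return str(blocks[0].network_address), str(blocks[0].netmask)
    return None


def covers_exactly(first, last):
    """Sanity check: the generated blocks contain every address in the range
    and nothing outside it (the /26 pitfall would add .192-.199)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    wanted = {lo + i for i in range(int(hi) - int(lo) + 1)}
    got = {addr for net in range_to_blocks(first, last) for addr in net}
    return wanted == got


def build_object_group(name, first, last):
    """Full object-group stanza, ready to paste into an ASA config."""
    return "\n".join([f"object-group network {name}"]
                     + range_to_network_objects(first, last))


if __name__ == "__main__":
    # Constructed sample: the range asked about in the thread, 10.10.10.200 - 254
    print(build_object_group("permit_hosts", "10.10.10.200", "10.10.10.254"))
    print(single_mask_entry("10.10.10.200", "10.10.10.254"))  # None: no single mask fits
    print(single_mask_entry("10.10.10.192", "10.10.10.255"))  # the /26 that over-matches
```

The same run, repeated once per subnet, is the closest an object-group can get to "last octet 200 - 254 in any subnet"; there is no single entry that matches that across all first three octets.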
