
New Member

ACLs

I have an ACL that I want to permit communication from one subnet to 4 specific hosts and allow for internet.

ip access-list extended PUBLIC-WIRELESS
permit ip any host 10.0.32.120
permit ip any host 10.0.32.121
permit ip any host 10.0.32.122
permit ip any host 10.0.32.123
deny ip any any

I know this won't allow those hosts on the subnet to get to the internet. My question is: can I have these permit statements allowing communication to those hosts, and still allow anyone on that subnet to get to the internet? It is publicly accessed and I can't allow them to be on our network except to communicate with a few printers and a print server.

3 REPLIES
Hall of Fame Super Bronze

Re: ACLs

Try the following:

ip access-list extended PUBLIC-WIRELESS
permit ip any host 10.0.32.120
permit ip any host 10.0.32.121
permit ip any host 10.0.32.122
permit ip any host 10.0.32.123
deny ip any [your internal network]
permit ip any any

HTH,

__

Edison.

New Member

Re: ACLs

Hmm... I didn't realize you could have a permit after a deny statement like that. That worked! Thanks!

Re: ACLs

Packets that "don't match":

deny ip any [your internal network]

... are evaluated against the next Access Control Entries (ACEs), until a match is found or the end of the ACL is reached.

Typically, you'll use a:

deny ip any any log

... ACE, at the end of your ACL to log any packets that violate security policy.
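The first-match behaviour described in the two replies above, as an added example that is not part of the thread: a small evaluator walks the corrected PUBLIC-WIRELESS ACL top to bottom and stops at the first ACE whose source and destination match, falling through to the implicit deny when nothing matches. The internal network is assumed to be 10.0.0.0/16 (written in Cisco wildcard notation as 10.0.0.0 0.0.255.255); that value is a constructed placeholder for the "[your internal network]" left open in the reply.

```python
import ipaddress

# Assumption: the poster's internal network is 10.0.0.0/16 (placeholder, not from the thread).
# Cisco wildcard masks set "don't care" bits to 1, so /16 becomes 0.0.255.255.
INTERNAL_NET = "10.0.0.0 0.0.255.255"

# ACL from the original question: the trailing deny blocks internet access as well.
ORIGINAL_ACL = [
    "permit ip any host 10.0.32.120",
    "permit ip any host 10.0.32.121",
    "permit ip any host 10.0.32.122",
    "permit ip any host 10.0.32.123",
    "deny ip any any",
]

# Corrected ACL from the reply: deny the internal network first, then permit everything else.
PUBLIC_WIRELESS = ORIGINAL_ACL[:4] + [
    f"deny ip any {INTERNAL_NET}",
    "permit ip any any",
]


def _match_addr(tokens, addr):
    """Consume one address specifier (any | host A | A WILDCARD) and test addr against it."""
    spec = tokens.pop(0)
    if spec == "any":
        return True
    if spec == "host":
        return ipaddress.ip_address(tokens.pop(0)) == ipaddress.ip_address(addr)
    base = int(ipaddress.ip_address(spec))
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    # Bits set in the wildcard are ignored; the remaining bits must equal the base address.
    return (int(ipaddress.ip_address(addr)) | wild) == (base | wild)


def evaluate(acl, src, dst):
    """Return (action, ace) for the first matching ACE; every Cisco ACL ends in an implicit deny."""
    for ace in acl:
        tokens = ace.split()
        action = tokens[0]          # permit | deny
        rest = tokens[2:]           # skip the protocol keyword ("ip"); a trailing "log" is ignored
        if _match_addr(rest, src) and _match_addr(rest, dst):
            return action, ace
    return "deny", "implicit deny"
```

Running evaluate() for a guest at 10.0.40.5 shows the difference: both ACLs permit the printer at 10.0.32.121, but only PUBLIC-WIRELESS permits 8.8.8.8 while still denying 10.0.50.7 inside the internal range.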
