04-15-2008 06:43 AM - edited 03-05-2019 10:24 PM
I have a 2621 router installed and I want to restrict certain production computers from accessing anything other than the subnet they are on. What is the best way to do this with a 2621 router? I was thinking an ACL, but I figured I would post just to see what other options there are or if this is the best option.
The layout is the router is on our internal network separating one division from another, but we have computers on production lines that they only want to access stuff on the 192.168.3.X network and keep them off the 192.168.4.X and keep these machines off the Internet as well. Again, just trying to figure out if this is possible with this router.
Thanks in advance.
04-15-2008 06:48 AM
I was thinking an ACL
Your thinking is correct :)
__
Edison.
04-15-2008 06:48 AM
Are you trying to limit or deny access between the two divisions? If so then access lists will work just fine.
04-15-2008 06:57 AM
I am trying to do both. I want to deny them from getting off the 192.168.X.Y network but not stop them from getting around the 192.168.A.B network. And again, I only want this to affect certain statically mapped IP addresses.
04-15-2008 11:19 AM
Then you can use access lists to permit and deny hosts or whole networks in both directions.
Example:
deny ip host 192.168.0.202 any
deny ip host 192.168.1.197 any
deny ip host 192.168.3.3 any
deny ip host 192.168.3.36 any
permit ip host 192.168.9.40 any
permit ip host 192.168.9.23 any
permit ip host 192.168.11.19 any
permit ip 192.168.17.192 0.0.0.63 192.168.145.0 0.0.0.255
permit ip 192.168.17.192 0.0.0.63 192.168.146.0 0.0.0.255
permit ip 192.168.17.192 0.0.0.63 192.168.148.0 0.0.0.255
deny ip any any log
Let me know if this helped.
Sal
04-15-2008 11:37 AM
Can I do a permit ip any any instead of a deny ip any any?
This way I can do the deny and if it isn't listed it will be allowed out to the other networks and the net?
04-15-2008 12:51 PM
I would make the last lines as follows:
The line below will be the networks that are allowed after all of the denied hosts and networks (be careful not to block a network that falls into the permit statement below; "it will be blocked").
permit ip 192.168.x.x x.x.255.255
-------------------
This line will block everything else:
deny ip any any log
Let me know if it works and rate it.
Sal
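An added example, not from any poster in this thread: a small Python model of how an extended ACL is evaluated top-down (first matching entry wins, implicit deny at the end), covering only `permit|deny ip` entries with `any`, `host` and wildcard-mask addresses. The host 192.168.3.50 and both sample lists are constructed for illustration; they show why entry order matters and what ending the list with `permit ip any any` does.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tokens):
    # Consume one address spec: "any", "host A" or "A WILDCARD" -> (base, wildcard)
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        rules.append((action, _spec(tokens), _spec(tokens)))  # trailing "log" ignored
    return rules

def _match(addr, spec):
    base, wild = spec
    return (addr | wild) == (base | wild)  # wildcard bits set to 1 are "don't care"

def evaluate(rules, src, dst):
    s, d = _ip(src), _ip(dst)
    for action, rs, rd in rules:
        if _match(s, rs) and _match(d, rd):
            return action  # first matching entry wins; later entries are never consulted
    return "deny"  # implicit deny that ends every ACL

# Constructed sample: 192.168.3.50 stands in for one production machine.
RESTRICT = parse_acl("""
permit ip host 192.168.3.50 192.168.3.0 0.0.0.255
deny ip host 192.168.3.50 any log
permit ip any any
""")

# Same intent, wrong order: the broad permit shadows the host deny.
MISORDERED = parse_acl("""
permit ip any any
deny ip host 192.168.3.50 any log
""")

if __name__ == "__main__":
    for dst in ("192.168.3.20", "192.168.4.20", "203.0.113.10"):
        print(dst, evaluate(RESTRICT, "192.168.3.50", dst), evaluate(MISORDERED, "192.168.3.50", dst))
```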