02-10-2003 06:38 AM - edited 03-02-2019 04:56 AM
I have put an access list on the serial sub interface to block addresses from Asia Pacific, but when I check my internal logs I am seeing that they are still coming through. Here is my access list setup.
!
interface Serial0/0.1 point-to-point
description connected to Internet
ip address 67.x.x.x 255.255.255.252
ip access-group 2 in
ip nat outside
frame-relay interface-dlci 606
!
access-list 2 deny 67.117.54.0
access-list 2 deny 131.171.48.0
access-list 2 deny 67.92.0.0
access-list 2 deny 67.40.82.0
access-list 2 deny 61.0.0.0
access-list 2 deny 67.113.86.0
access-list 2 deny 62.199.133.0
access-list 2 deny 67.104.151.0
access-list 2 deny 194.0.0.0
access-list 2 deny 202.0.0.0
access-list 2 deny 203.0.0.0
access-list 2 deny 210.0.0.0
access-list 2 deny 67.17.128.0
access-list 2 deny 211.0.0.0
access-list 2 deny 212.0.0.0
access-list 2 deny 67.105.254.0
access-list 2 deny 213.0.0.0
access-list 2 deny 67.92.202.0
access-list 2 deny 218.0.0.0
access-list 2 deny 219.0.0.0
access-list 2 deny 220.0.0.0
access-list 2 deny 221.0.0.0
access-list 2 deny 216.35.10.0
access-list 2 deny 61.134.74.0
access-list 2 deny 213.35.0.0
access-list 2 permit any
What could be wrong with my setup?
Thanks for any help
Todd
02-10-2003 07:50 AM
I don't see the wildcard mask to define the entire network range. An example would be:
access-list 2 deny 67.117.54.0 0.255.255.255
This would block the entire 67.117.54.0 network.
Kevin Kelly
02-10-2003 10:40 AM
Thanks, that was it. Not sure why I missed it, all of the other ACLs had it.
02-10-2003 10:18 AM
With the networks
access-list 2 deny 218.0.0.0
access-list 2 deny 219.0.0.0
access-list 2 deny 220.0.0.0
access-list 2 deny 221.0.0.0
access-list 2 deny 211.0.0.0
access-list 2 deny 212.0.0.0
access-list 2 deny 194.0.0.0
access-list 2 deny 202.0.0.0
access-list 2 deny 203.0.0.0
access-list 2 deny 210.0.0.0
You are blocking the class C address of the 210.0.0.X subnet; you are not blocking every possible class C that is associated with the 210 network, or any of the other networks. You should use an extended ACL for this.
02-10-2003 10:34 AM
That depends on the wildcard mask. Access-list 2 deny 218.0.0.0 0.255.255.255 would deny all Host from 218.0.0.0 to 218.255.255.255. An extended ACL just adds the capability to filter by Destination Addresses and Ports, as well as Source Addresses.
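To make the wildcard-mask behaviour discussed in the replies above concrete, here is a small evaluator for the standard-ACL syntax used in this thread. It is an added example, not code from the original thread or from Cisco IOS; the ACL text and test addresses are constructed. It treats a missing wildcard as 0.0.0.0 (host match, the bug in the question), applies first-match order, and ends with the implicit deny.

```python
import ipaddress

# Constructed ACL in the thread's syntax. The first entry has no wildcard mask,
# so it matches only the single host 218.0.0.0, which is the bug in the question.
ACL_TEXT = """
access-list 2 deny 218.0.0.0
access-list 2 deny 219.0.0.0 0.255.255.255
access-list 2 deny 67.117.54.0 0.0.0.255
access-list 2 permit any
"""

def parse_acl(text):
    """Return a list of (action, network_int, wildcard_int) in configured order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action = parts[2]
        if parts[3] == "any":
            entries.append((action, 0, 0xFFFFFFFF))  # 'any' == 0.0.0.0 255.255.255.255
            continue
        net = int(ipaddress.IPv4Address(parts[3]))
        # A missing wildcard means 0.0.0.0: every bit must match, i.e. one host.
        wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wild))
    return entries

def evaluate(entries, src):
    """First-match evaluation; a standard ACL ends with an implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        # Wildcard bits set to 1 are "don't care": compare only the 0 bits.
        care = ~wild & 0xFFFFFFFF
        if (addr & care) == (net & care):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for ip in ["218.0.0.0", "218.5.6.7", "219.200.1.1", "67.117.54.9", "67.117.55.9"]:
        print(ip, evaluate(acl, ip))
```

Only 218.0.0.0 itself is denied by the mask-less entry; 218.5.6.7 falls through to the permit, which is exactly the symptom seen in the original logs.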