Cisco Support Community
Community Member

Access list to filter Asia Pacific addresses

I have put an access list on the serial sub interface to block addresses from Asia Pacific, but when I check my internal logs I am seeing that they are still coming through. Here is my access list setup.

!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address 67.x.x.x 255.255.255.252
 ip access-group 2 in
 ip nat outside
 frame-relay interface-dlci 606
!
access-list 2 deny 67.117.54.0
access-list 2 deny 131.171.48.0
access-list 2 deny 67.92.0.0
access-list 2 deny 67.40.82.0
access-list 2 deny 61.0.0.0
access-list 2 deny 67.113.86.0
access-list 2 deny 62.199.133.0
access-list 2 deny 67.104.151.0
access-list 2 deny 194.0.0.0
access-list 2 deny 202.0.0.0
access-list 2 deny 203.0.0.0
access-list 2 deny 210.0.0.0
access-list 2 deny 67.17.128.0
access-list 2 deny 211.0.0.0
access-list 2 deny 212.0.0.0
access-list 2 deny 67.105.254.0
access-list 2 deny 213.0.0.0
access-list 2 deny 67.92.202.0
access-list 2 deny 218.0.0.0
access-list 2 deny 219.0.0.0
access-list 2 deny 220.0.0.0
access-list 2 deny 221.0.0.0
access-list 2 deny 216.35.10.0
access-list 2 deny 61.134.74.0
access-list 2 deny 213.35.0.0
access-list 2 permit any

What could be wrong with my setup?

Thanks for any help

Todd

1 ACCEPTED SOLUTION

Community Member

Re: Access list to filter Asia Pacific addresses

I don't see the wildcard mask to define the entire network range. An example would be:

access-list 2 deny 67.117.54.0 0.255.255.255

This would block the entire 67.117.54.0 network.

Kevin Kelly

4 REPLIES
Community Member

Re: Access list to filter Asia Pacific addresses

Thanks, that was it. Not sure why I missed it, all of the other ACLs had it.

Silver

Re: Access list to filter Asia Pacific addresses

With the networks

access-list 2 deny 218.0.0.0
access-list 2 deny 219.0.0.0
access-list 2 deny 220.0.0.0
access-list 2 deny 221.0.0.0
access-list 2 deny 211.0.0.0
access-list 2 deny 212.0.0.0
access-list 2 deny 194.0.0.0
access-list 2 deny 202.0.0.0
access-list 2 deny 203.0.0.0
access-list 2 deny 210.0.0.0

You are blocking the class C address of the 210.0.0.X subnet; you are not blocking every possible class C that is associated with the 210 network, or any of the other networks. You should use an extended ACL for this.

Community Member

Re: Access list to filter Asia Pacific addresses

That depends on the wildcard mask. Access-list 2 deny 218.0.0.0 0.255.255.255 would deny all hosts from 218.0.0.0 to 218.255.255.255. An extended ACL just adds the capability to filter by Destination Addresses and Ports, as well as Source Addresses.
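
Added example (not part of any post in this thread, and not Cisco code): a small Python model of how a standard numbered ACL matches source addresses, showing that an entry with no wildcard mask matches a single address only, and which address range a given wildcard covers. The three-entry ACLs are constructed samples in the style of the ACL posted above, and the function names are hypothetical.

```python
import ipaddress

# Constructed samples in the style of the thread's ACL 2 (not the full list).
ACL_AS_POSTED = """\
access-list 2 deny 67.117.54.0
access-list 2 deny 218.0.0.0
access-list 2 permit any
"""
ACL_WITH_WILDCARDS = """\
access-list 2 deny 67.117.54.0 0.0.0.255
access-list 2 deny 218.0.0.0 0.255.255.255
access-list 2 permit any
"""

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' into (action, addr, wildcard)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src == "host":
            addr, wild = _u32(tok[4]), 0
        else:
            # Omitted wildcard defaults to 0.0.0.0: the entry matches one address.
            addr, wild = _u32(src), (_u32(tok[4]) if len(tok) > 4 else 0)
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, source_ip):
    """First match wins; wildcard bits set to 1 are ignored in the comparison."""
    ip = _u32(source_ip)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if (ip & care) == (addr & care):
            return action
    return "deny"  # implicit deny at the end of every ACL

def matched_range(addr, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    wild = _u32(wildcard)
    base = _u32(addr) & ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(base | wild))
```

Running `matched_range` on a candidate entry before applying it shows exactly how much address space the deny will cover, which helps avoid both under-blocking and blocking far more than intended.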
