06-02-2006 06:14 AM - edited 03-03-2019 03:28 AM
We currently have an IP address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via IP with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
Thanks
06-02-2006 06:28 AM
Eric
We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with interface FastE1/0, or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
create 2 access lists and assign one to each interface.
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any any
interface faste0/0
ip access-group 120 in
interface faste1/0
ip access-group 110 in
adjust addresses etc to fit your situation. Try it and let us know if it works.
HTH
Rick
06-02-2006 06:37 AM
Sorry for not being clear. I have one IP address on another subnet (other interface) that I want to block from communicating with any IP address on my interface. Unfortunately I cannot get to this IP to fix the problem, and I need to prevent it from communicating with my interface while still allowing the other IP addresses to communicate as usual with my interface.
Thanks
06-02-2006 07:05 AM
Eric
If there is a specific IP address in a subnet on one interface that you want to prevent from communicating with any device on another subnet on an interface of your router you should be able to do it pretty easily with access lists. They might look something like this:
assume that the address you want to prevent is 192.168.1.50 and assume that the subnet on the other interface is 192.168.2.0/24
create 2 access lists and assign one to each interface.
access-list 110 deny ip host 192.168.1.50 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 host 192.168.1.50
access-list 120 permit ip any any
interface faste0/0
ip access-group 120 in
interface faste1/0
ip access-group 110 in
These lists are extended access lists which prevent traffic between the specific address you want to stop and all addresses in the other network and then permit everything else. It should work.
HTH
Rick
06-02-2006 07:43 AM
Rick,
Thanks for the info. I'll give it a try
You the man
06-09-2006 05:59 AM
Rick,
Sorry to get back to you so late. Worked great but the internet was still working. We do have a pix 520 setup as the default route. Would I have to do something on that to kill the internet access?
Thanks
06-09-2006 08:16 AM
Eric
I am glad that my suggestion was effective in solving part of your problem. In the previous posts you were describing the problem as wanting to prevent a specific host from communicating with devices on another interface. Now it sounds like the problem is that you do not want this host to communicate with the Internet (or probably not communicate with anything on a different network). If this is the correct understanding of the problem then there is a simple solution.
Assuming that the station that you want to block is 192.168.1.50 and that it is on FastEthernet 0/0, then I would suggest this:
access-list 111 deny ip host 192.168.1.50 any
access-list 111 permit ip any any
interface FastEthernet 0/0
ip access-group 111 in
This should prevent the station from communicating with anything on any other part of the network or to the default route.
HTH
Rick
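As an added example (not code from this thread or from any of its posters), the Python below evaluates the numbered extended ACL lines given above against sample packets, implementing the IOS wildcard-mask match and first-match-wins semantics with the implicit deny at the end. The addresses 192.168.2.7, 192.168.1.51 and 203.0.113.9 are constructed; the result shows why ACL 110 still left Internet access open for the host while ACL 111 closes it.

```python
import ipaddress

# Constructed sample: the numbered extended ACL lines quoted in the thread, verbatim.
ACL_TEXT = """
access-list 110 deny ip host 192.168.1.50 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 111 deny ip host 192.168.1.50 any
access-list 111 permit ip any any
"""

def _ip(s): return int(ipaddress.IPv4Address(s))

def _parse_term(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _matches(term, ip):
    # A 1 bit in a Cisco wildcard mask means "don't care" for that address bit.
    addr, wildcard = term
    return (ip ^ addr) & ~wildcard & 0xFFFFFFFF == 0

def parse_acls(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _parse_term(tok[4:])
        dst, _ = _parse_term(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def evaluate(acl, src, dst):
    """First matching entry wins; no match ends in the implicit deny that IOS applies."""
    s, d = _ip(src), _ip(dst)
    for action, src_term, dst_term in acl:
        if _matches(src_term, s) and _matches(dst_term, d):
            return action
    return "deny"

def check_thread_scenarios():
    """The blocked host and a neighbour against each ACL; 203.0.113.9 is a constructed Internet address."""
    acls = parse_acls(ACL_TEXT)
    return {
        "110 host->other subnet": evaluate(acls["110"], "192.168.1.50", "192.168.2.7"),
        "110 host->internet": evaluate(acls["110"], "192.168.1.50", "203.0.113.9"),
        "111 host->internet": evaluate(acls["111"], "192.168.1.50", "203.0.113.9"),
        "111 neighbour->internet": evaluate(acls["111"], "192.168.1.51", "203.0.113.9"),
    }
```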
06-13-2006 05:49 AM
Rick,
Thanks, I'll give it a try
Eric
06-02-2006 08:07 AM
hi Rick,
I think the first case can be handled with the help of an access list, and then by route maps we can point that traffic to the null0 interface.
is it possible?
regards
Devang
06-02-2006 10:15 AM
Devang
If you are trying to restrict one interface talking to another interface on the same router it may be possible to configure this with local policy based routing. I have not done this or tested this but the logic looks like it should work.
HTH
Rick