Cisco 12.1 Access-list

ethutchinson
Level 1

We currently have an IP address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via IP with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If someone could walk me through my first ACL to do this on 12.1, I would greatly appreciate it.

Thanks

9 Replies

Richard Burts
Hall of Fame

Eric

We need a bit of clarification. It may sound picky, but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with interface FastE1/0, or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?

The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:

Assume that the subnet on FastE0/0 is 192.168.1.0/24 and that the subnet on FastE1/0 is 192.168.2.0/24.

Create two access lists and assign one to each interface:

access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any any

interface faste0/0
 ip access-group 120 in
interface faste1/0
 ip access-group 110 in

Adjust addresses, etc., to fit your situation. Try it and let us know if it works.

HTH

Rick


Sorry for not being clear. I have one IP address on another subnet (other interface) that I want to block from communicating with any IP address on my interface. Unfortunately I cannot get to this IP to fix the problem, and I need to prevent it from communicating with my interface while still allowing the other IP addresses to communicate as usual with my interface.

Thanks

Eric

If there is a specific IP address in a subnet on one interface that you want to prevent from communicating with any device on another subnet on an interface of your router, you should be able to do it pretty easily with access lists. They might look something like this:

Assume that the address you want to prevent is 192.168.1.50 and that the subnet on the other interface is 192.168.2.0/24.

Create two access lists and assign one to each interface:

access-list 110 deny ip host 192.168.1.50 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 host 192.168.1.50
access-list 120 permit ip any any

interface faste0/0
 ip access-group 120 in
interface faste1/0
 ip access-group 110 in

These lists are extended access lists, which prevent traffic between the specific address you want to stop and all addresses in the other network, and then permit everything else. It should work.

HTH

Rick


Rick,

Thanks for the info. I'll give it a try.

You the man

Rick,

Sorry to get back to you so late. Worked great, but the Internet was still working. We do have a PIX 520 set up as the default route. Would I have to do something on that to kill the Internet access?

Thanks

Eric

I am glad that my suggestion was effective in solving part of your problem. In the previous posts you were describing the problem as wanting to prevent a specific host from communicating with devices on another interface. Now it sounds like the problem is that you do not want this host to communicate with the Internet (or probably not communicate with anything on a different network). If this is the correct understanding of the problem then there is a simple solution.

Assuming that the station you want to block is 192.168.1.50 and that it is on FastEthernet 0/0, then I would suggest this:

access-list 111 deny ip host 192.168.1.50 any
access-list 111 permit ip any any

interface FastEthernet 0/0
 ip access-group 111 in

This should prevent the station from communicating with anything on any other part of the network or to the default route.

HTH

Rick

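As an added illustration (not part of the thread or of any Cisco tool), here is a small Python evaluator that applies IOS wildcard-mask and first-match semantics to the ACL entries posted above. It shows why ACL 110 still lets 192.168.1.50 reach the Internet while ACL 111 does not; the address 203.0.113.9 is an assumed stand-in for an Internet host.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line):
    """Parse 'access-list N deny|permit ip SRC DST'; SRC/DST is 'any', 'host A' or 'A WILDCARD'."""
    tokens = line.split()
    assert tokens[0] == "access-list" and tokens[3] == "ip"
    def take(pos):
        if tokens[pos] == "any":
            return ("0.0.0.0", "255.255.255.255"), pos + 1
        if tokens[pos] == "host":
            return (tokens[pos + 1], "0.0.0.0"), pos + 2
        return (tokens[pos], tokens[pos + 1]), pos + 2
    src, pos = take(4)
    dst, _ = take(pos)
    return tokens[1], tokens[2], src, dst

def build_acls(config_lines):
    """Group entries by ACL number, preserving the order they were entered."""
    acls = {}
    for line in config_lines:
        acl_id, action, src, dst = parse_entry(line)
        acls.setdefault(acl_id, []).append((action, src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

# The ACL entries from the thread (constructed sample config, not a live device).
CONFIG = [
    "access-list 110 deny ip host 192.168.1.50 192.168.2.0 0.0.0.255",
    "access-list 110 permit ip any any",
    "access-list 111 deny ip host 192.168.1.50 any",
    "access-list 111 permit ip any any",
]
ACLS = build_acls(CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS["110"], "192.168.1.50", "203.0.113.9"))  # permit: ACL 110 only blocks 192.168.2.0/24
    print(evaluate(ACLS["111"], "192.168.1.50", "203.0.113.9"))  # deny
```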

Rick,

Thanks, I'll give it a try.

Eric

Hi Rick,

I think the first case can be cleared with the help of an access list, and then by route-maps we can point that traffic to the null0 interface.

Is it possible?

Regards

Devang

Devang

If you are trying to restrict one interface talking to another interface on the same router, it may be possible to configure this with local policy based routing. I have not done this or tested this, but the logic looks like it should work.

HTH

Rick
