New Member

how to write an ACL like this?

If I want to deny all the traffic of 10.0.0.1 to 10.0.0.104, is there a way that I can just write one phrase like "access-list 101 deny ip 10.0.0.1-10.0.0.104 any" in a router or PIX?

thanks!

6 REPLIES
New Member

Re: how to write an ACL like this?

Assuming the hosts are on different subnets the following should do the job.

Access-list 101 deny ip host 10.0.0.1 host 10.0.0.104

New Member

Re: how to write an ACL like this?

Hi

Remember that at the end of an ACL there's an implicit deny any. If you want to deny only traffic between that network, you must write at the end:

access-list 101 permit ip any any

bye

New Member

Re: how to write an ACL like this?

No, I mean I want to deny all the traffic from 10.0.0.1, 10.0.0.2, 10.0.0.3, ... 10.0.0.104

New Member

Re: how to write an ACL like this?

Hi,

It seems a little difficult to get it done in one line.

Here is what I can think of.

Due to the boundary.

Deny 96-103

access-list 101 deny ip 10.0.0.96 0.0.0.7 any

This would allow "104-127". Hosts 96-103 were previously denied.

access-list 101 permit ip 10.0.0.104 0.0.0.31 any

This would deny 0-127. Hosts 104-127: criteria met in last statement.

access-list 101 deny ip 10.0.0.1 0.0.0.127 any

This would allow others

access-list 101 permit ip 10.0.0.128 0.0.0.127 any

access-list 101 deny ip 10.0.0.96 0.0.0.7 any log

access-list 101 permit ip 10.0.0.104 0.0.0.31 any

access-list 101 deny ip 10.0.0.1 0.0.0.127 any log

#access-list 101 permit ip 10.0.0.128 0.0.0.127 any

#or access-list 101 permit ip any any

Allan

New Member

Re: how to write an ACL like this?

Hi,

Since you want to deny access to hosts, you must use a standard access-list.

Try using the wildcard entry like this one:

access-list 10 deny 10.0.0.1 0.0.0.103

access-list 10 permit ip any any

I am not assuring this will work, but give it a try

-Sai.

New Member

Re: how to write an ACL like this?

You cannot do it in a single statement. To deny access for 10.0.0.1 to 10.0.0.104 you will need to put 5 statements:

access-list 110 deny ip any 10.0.0.0 0.0.0.63

access-list 110 deny ip any 10.0.0.64 0.0.0.31

access-list 110 deny ip any 10.0.0.96 0.0.0.7

access-list 110 deny ip any host 10.0.0.104

access-list 110 permit ip any any

Rgds
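
As an added example (not taken from any of the posts above): a Python sketch that splits the source range 10.0.0.1 to 10.0.0.104 into wildcard-mask entries on block boundaries, then checks the result with a first-match evaluator. The function names and the ACL number 101 are assumptions for illustration; the evaluator models only source-address matching plus the implicit deny.

```python
import ipaddress

def range_to_acl(first, last, acl_id=101):
    """Return extended-ACL deny lines whose sources cover exactly first..last."""
    lines = []
    for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            # hostmask is the inverse of the netmask, i.e. the wildcard mask
            src = f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {acl_id} deny ip {src} any")
    return lines

def parse_source(line):
    """Parse 'access-list N <action> ip <src> any' into (action, base, wildcard)."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, int(ipaddress.IPv4Address(rest[1])), 0
    return (action, int(ipaddress.IPv4Address(rest[0])),
            int(ipaddress.IPv4Address(rest[1])))

def denied_sources(acl_lines, candidates):
    """Evaluate top-down, first match wins; no match means implicit deny."""
    rules = [parse_source(line) for line in acl_lines]
    denied = []
    for ip in candidates:
        addr = int(ipaddress.IPv4Address(ip))
        verdict = "deny"  # implicit deny at the end of every ACL
        for action, base, wild in rules:
            # A wildcard bit of 1 means "don't care" for that address bit
            if (addr | wild) == (base | wild):
                verdict = action
                break
        if verdict == "deny":
            denied.append(ip)
    return denied

# Constructed test input: every address in 10.0.0.0/24
HOSTS = [f"10.0.0.{i}" for i in range(256)]
ACL = range_to_acl("10.0.0.1", "10.0.0.104") + ["access-list 101 permit ip any any"]

if __name__ == "__main__":
    print("\n".join(ACL))
    d = denied_sources(ACL, HOSTS)
    print(f"denied: {d[0]} .. {d[-1]} ({len(d)} hosts)")
```

The same `denied_sources` check can be run over any hand-written list of `access-list` lines before it is applied, to see exactly which source addresses it blocks.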
