IP Access List w/ Cisco 2620 Router ?

blkphtm
Level 1

Hardware: Cisco 2620 Router

Scenario: I want to set up a block of 14 IP addresses so they can only access one certain website or IP address and they cannot go anywhere else. I have been using a 255.255.255.240 mask.

Here are a couple of statements that I tried, but could not get them to work.

ip access-lists extended 110

permit tcp host x.x.x.241 0.0.0.240 host x.x.112.3

deny ip host x.x.x.241 0.0.0.240 any

permit ip any any

Then on the FastEthernet port and serial ports I added:

ip access-group 110 out

Saved, rebooted and it still did not work.

Can someone help me out on this?

Daren

3 Replies

melvine
Level 1

Well, if you are setting up an access list for a block of 14, then you should use the inverse of the subnet mask. One way of doing this is (255-240), which is 15.

Therefore your access list should say

- Permit tcp 10.10.10.0 0.0.0.15 host 216.216.1.5 eq www

- deny ip 10.10.10.0 0.0.0.15 any

- permit ip any any

Here 10.10.10.0 255.255.255.240 is the group of addresses you want to allow access to, and the 216.216 address is the website you want to give them access to.

Apply this in, that is, ip access-group in, because the router would have to check this before routing it while the packet is coming "IN" to the Ethernet interface.

Good luck.

jizworski
Level 1

I see three problems. First, your wildcard mask should be 0.0.0.15. Second, at the end of your permit statement, I would put "eq www". Third, if your FastEthernet is your internal network, you should apply it inward, e.g. ip access-group 110 in. Remember, it's relative to the router. Also, this would give you 13 addresses: x.x.x.241-x.x.x.254

gongxinping
Level 1

Configure the access-list as follows:

access-list 110 permit tcp x.x.x.240 0.0.0.15 host x.x.112.3

access-list 110 deny ip x.x.x.240 0.0.0.15 any

access-list 110 permit ip any any

ip access-group 110 out
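To make the wildcard-mask point in the replies concrete, here is an added Python model of Cisco wildcard matching and first-match ACL evaluation; it is example code, not IOS and not from any poster. The ACL entries and the 10.10.10.0/28 and 216.216.1.5 addresses are the constructed values from melvine's reply; the check of the original 0.0.0.240 wildcard shows which hosts that entry actually selects.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask into a Cisco wildcard mask (255.255.255.240 -> 0.0.0.15)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# Constructed model of the corrected ACL 110 from the replies:
# (action, protocol, src base, src wildcard, dst base, dst wildcard, dst port or None)
ACL_110 = [
    ("permit", "tcp", "10.10.10.0", "0.0.0.15", "216.216.1.5", "0.0.0.0", 80),
    ("deny", "ip", "10.10.10.0", "0.0.0.15", "0.0.0.0", "255.255.255.255", None),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]


def evaluate(acl, proto: str, src: str, dst: str, dport=None) -> str:
    """Walk the ACL top down; the first matching entry decides, and the end is an implicit deny."""
    for action, p, sbase, swc, dbase, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if not matches(src, sbase, swc) or not matches(dst, dbase, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def hosts_selected(base: str, wildcard: str, prefix: str = "10.10.10.") -> list:
    """List the last-octet values in prefix/24 that a (base, wildcard) pair selects."""
    return [n for n in range(256) if matches(f"{prefix}{n}", base, wildcard)]


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))          # 0.0.0.15
    print(evaluate(ACL_110, "tcp", "10.10.10.5", "216.216.1.5", 80))   # permit
    print(evaluate(ACL_110, "tcp", "10.10.10.5", "8.8.8.8", 80))       # deny
    # The original 0.0.0.240 wildcard keeps the low 4 bits of .241 fixed instead of free,
    # so it selects .1, .17, .33 ... .241 rather than the .240/28 block.
    print(hosts_selected("10.10.10.241", "0.0.0.240"))
```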