Cisco Support Community

New Member

IP Access List w/ Cisco 2620 Router ?

Hardware: Cisco 2620 Router

Scenario: I want to set up a block of 14 IP addresses so they can only access one certain website or IP address and cannot go anywhere else. I have been using a mask.

Here are a couple of statements that I tried, but could not get them to work.

ip access-lists extended 110

permit tcp host x.x.x.241 host x.x.112.3

deny ip host x.x.x.241 any

permit ip any any

Then on the fastethernet port and serial ports I added:

ip access-group 110 out

Saved, rebooted and it still did not work.

Can someone help me out on this?


New Member

Re: IP Access List w/ Cisco 2620 Router ?

Well, if you are setting up an access list for a block of 14, then you should use the inverse of the subnet mask. One way of doing this is (255-240), which is 15.

Therefore your access list should say

- Permit tcp host eq www

- deny ip any

- permit ip any any

Here is the group of address you want to allow access to and the 216.216 address is the website you want to give them access to.

Apply this in, that is, ip access-group in, because the router would have to check this before routing it while the packet is coming "IN" to the ethernet interface.

Good luck.
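
An added example, not part of the original thread: a small Python model of the wildcard-mask calculation (255 - 240 = 15) and the first-match ordering of the three entries described above. The addresses are constructed from documentation ranges because the thread's own are masked, and the function names are hypothetical.

```python
import ipaddress

def wildcard_from_netmask(netmask):
    """Invert a dotted netmask octet by octet: 255.255.255.240 -> 0.0.0.15."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))

def wc_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def host(ip):
    """The 'host x' keyword is shorthand for a wildcard of 0.0.0.0."""
    return (ip, "0.0.0.0")

# Constructed sample addresses (assumptions, not the poster's real ones).
BLOCK, WEB = "192.0.2.240", "198.51.100.3"
WC = wildcard_from_netmask("255.255.255.240")   # 0.0.0.15, covers .240-.255
ANY = ("0.0.0.0", "255.255.255.255")

# (action, protocol, source, destination, destination port or None)
ACL_110 = [
    ("permit", "tcp", (BLOCK, WC), host(WEB), 80),    # permit tcp ... eq www
    ("deny",   "ip",  (BLOCK, WC), ANY,       None),  # block everything else
    ("permit", "ip",  ANY,         ANY,       None),  # other hosts unaffected
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry (implicit deny at end)."""
    for action, acl_proto, acl_src, acl_dst, port in acl:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if not (wc_match(src, *acl_src) and wc_match(dst, *acl_dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    for pkt in [("tcp", "192.0.2.241", WEB, 80),
                ("tcp", "192.0.2.254", WEB, 443),
                ("udp", "192.0.2.245", "203.0.113.9", 53),
                ("tcp", "192.0.2.10", "203.0.113.9", 443)]:
        print(pkt, "->", evaluate(ACL_110, *pkt))
```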

New Member

Re: IP Access List w/ Cisco 2620 Router ?

I see three problems. First, your wildcard mask should be Second, at the end of your permit statement, I would put "eq www". Third, if your fastethernet is your internal network, you should apply it inward, e.g. ip access-group 110 in. Remember, it's relative to the router. Also, this would give you 13 addresses: x.x.x.241-x.x.x.254

New Member

Re: IP Access List w/ Cisco 2620 Router ?

Configure the access list as follows:

access-list 110 permit tcp x.x.x.240 host x.x.112.3

access-list 110 deny ip x.x.x.240 any

access-list 110 permit ip any any

ip access-group 110 out
