PIX 525 & Access-list

smartin
Level 1

I'm trying to permit certain systems on the 172.16.x.x network & block the rest. My access list is below.

I allow access to 172.16.2.1, .2, .4, .10.

I want to block ALL other systems on the 172.16.x.x network with the "access-list host deny ip any host 172.16.0.0" but this statement is not working.

Help Please !!

access-list host permit ip any host 172.16.2.1

access-list host permit ip any host 172.16.2.2

access-list host permit ip any host 172.16.2.4

access-list host permit ip any host 172.16.2.10

access-list host deny ip any host 172.16.0.0

access-list host permit ip any any

2 Replies

smartin
Level 1

Also, I've already tried this statement.

access-list host permit ip any host 172.16.2.1

access-list host permit ip any host 172.16.2.2

access-list host permit ip any host 172.16.2.4

access-list host permit ip any host 172.16.2.10

access-list host permit ip any any

access-list host deny ip any host 172.16.0.0

Your first ACL is close. Change the last line from:

access-list host deny ip any host 172.16.0.0

to

access-list host deny ip any 172.16.0.0 255.255.0.0

This assumes 172.16.x.x is the destination, not the source of the packets.

Remember, with extended ACLs it is source then destination.

Steve
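
Added example, not part of the original thread: a small Python model of first-match ACL evaluation, run over the three lists discussed above, showing why `host 172.16.0.0` matches only that single address and why a deny placed after `permit ip any any` is never reached. It handles only the `any`, `host A` and `A NETMASK` forms used on this page; the source 192.0.2.10 and the destinations 172.16.5.5 and 10.1.1.1 are constructed sample values.

```python
import ipaddress

def parse_spec(tok):
    """Consume one address spec: 'any', 'host A', or 'A NETMASK' (a netmask, as on this page)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    """Parse lines of the form: access-list <name> permit|deny ip <src> <dst>."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[2], tok[4:]
        src, rest = parse_spec(rest)
        dst, _ = parse_spec(rest)
        rules.append((action, src, dst, line.strip()))
    return rules

def evaluate(rules, src, dst):
    """Return (action, matching line); the first matching entry decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, line in rules:
        if s in rule_src and d in rule_dst:
            return action, line
    return "deny", "(implicit deny at end of list)"

PERMITS = "\n".join(f"access-list host permit ip any host 172.16.2.{h}" for h in (1, 2, 4, 10))
ORIGINAL = PERMITS + "\naccess-list host deny ip any host 172.16.0.0\naccess-list host permit ip any any"
REORDERED = PERMITS + "\naccess-list host permit ip any any\naccess-list host deny ip any host 172.16.0.0"
CORRECTED = PERMITS + "\naccess-list host deny ip any 172.16.0.0 255.255.0.0\naccess-list host permit ip any any"

# Constructed test traffic: source 192.0.2.10 and the destinations below are sample values.
DESTS = ("172.16.2.4", "172.16.5.5", "10.1.1.1")

def verdicts(acl_text, src="192.0.2.10"):
    rules = parse_acl(acl_text)
    return {dst: evaluate(rules, src, dst)[0] for dst in DESTS}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED), ("corrected", CORRECTED)):
        print(name, verdicts(acl))
```

Only the corrected list denies 172.16.5.5 while still permitting the four listed hosts and traffic to other networks.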
