08-25-2006 01:41 PM - edited 03-03-2019 01:46 PM
Hello,
I have a problem with an access-list. I have three different networks (using assumed IPs, just for protection): 1.1.1.0, 1.1.2.0 and 1.1.3.0. So I have three routers, one at each network: R1, R2 and R3. I want network 1.1.1.0 to talk to 1.1.2.0, but it should NOT communicate with 1.1.3.0. Also, 1.1.3.0 can talk to 1.1.2.0 but not to 1.1.1.0. So in R1 I configured the access-list the following way:
access-list 100 deny ip 1.1.1.0 0.0.0.252 1.1.3.0 0.0.0.252
access-list 100 permit ip any any
Then in interface fa0/0 I typed: ip access-group 100 in. I also did the same thing on R3 and changed the IP address. It works fine, but I am not happy with the command permit any any. Is there another way so that this would work? I tried replacing the permit ip any any with permit ip 1.1.1.0 0.0.0.252 1.1.2.0 0.0.0.252, but it does NOT work.
Any comments or suggestions are welcome.
Thanks
08-25-2006 01:50 PM
Hi,
You can do this with one statement like the one noted below. The implicit deny rule will drop everything else.
R1:
access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
int f0/0
ip access-group 100 in
HTH,
Sundar
08-25-2006 01:58 PM
I must be doing something wrong, because I tried that and it blocks all the networks.
08-25-2006 02:06 PM
I just tried it and it doesn't work.
08-25-2006 02:08 PM
Are these routers on the same ethernet segment?
Or tell us how they are connected.
08-25-2006 02:13 PM
They are connected on the serial port on a T1 circuit.
08-25-2006 02:17 PM
That should work.
What's the source and destination IP address of the pings? Are you using a 24-bit mask for these networks?
08-25-2006 02:06 PM
Looking at your previous posting why do you have the wild card mask set to 0.0.0.252?
Do you mean to include networks 1.1.1.0/24 - 1.1.3.0/24? If that's what you want, then the WC you need to use is 0.0.252.255.
08-25-2006 02:15 PM
Sundar
"Do you mean to include networks 1.1.1.0/24 - 1.1.3.0/24? If that's what you want, then the WC you need to use is 0.0.252.255."
Perhaps you mean 0.0.3.255?
08-25-2006 02:19 PM
Oops, I am typing too quickly. Thanks for correcting that, Edison :-)
08-25-2006 02:21 PM
That should work.
What's the source and destination IP address of the pings? Are you using a 24-bit mask for these networks?
08-25-2006 02:26 PM
It works the way you said it, 0.255. So what I am trying to do is to access the routers from any network but restrict the networks so they can't communicate (1.1.1.0 can't talk to 1.1.3.0). That's why I had 252, because the router IP is .253.