629 Views, 0 Helpful, 11 Replies

access-list

aperez2004 (Level 1)

Hello,

I have a problem with access-lists. I have three different networks; they are (assumed IPs, just for protection) 1.1.1.0, 1.1.2.0 and 1.1.3.0. So I have three routers, one at each network: R1, R2 and R3. I want network 1.1.1.0 to talk to 1.1.2.0, but it should NOT communicate with 1.1.3.0. Also, 1.1.3.0 can talk to 1.1.2.0 but not to 1.1.1.0. So in R1 I configured the access-list the following way:

access-list 100 deny ip 1.1.1.0 0.0.0.252 1.1.3.0 0.0.0.252

access-list 100 permit ip any any

Then in interface fa0/0 I typed "ip access-group 100 in". I also did the same thing on R3, with the IP addresses changed. It works fine, but I am not happy with the command "permit ip any any". Is there another way to make this work? I tried replacing "permit ip any any" with "permit ip 1.1.1.0 0.0.0.252 1.1.2.0 0.0.0.252", but it does NOT work.

Any comments or suggestions are welcome.

Thanks

Accepted Solution

Hi,

You can do this with one statement like the one noted below. The implicit deny rule will drop everything else.

R1:

access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255

int f0/0

ip access-group 100 in

HTH,

Sundar


11 Replies


I must be doing something wrong, because I tried that and it blocks all the networks.

I just tried it and it doesn't work.

Are these routers on the same ethernet segment?

Or tell us how they are connected.

They are connected on the serial port on a T1 circuit.

That should work.

What's the source and destination IP address of the pings? Are you using a 24-bit mask for these networks?

Looking at your previous posting why do you have the wild card mask set to 0.0.0.252?

Do you mean to include networks 1.1.1.0/24 - 1.1.3.0/24? If that's what you want, then the WC you need to use is 0.0.252.255.

Sundar

"Do you mean to include networks 1.1.1.0/24 - 1.1.3.0/24. If that's what you want then the WC you need to use is 0.0.252.255."

Perhaps you mean, 0.0.3.255 ?

Oops, I am typing too quickly. Thanks for correcting that, Edison :-)


It works the way you said, with 0.255. So what I am trying to do is to access the routers from any network but restrict the networks so they can't communicate (1.1.1.0 can't talk to 1.1.3.0). That's why I had 252: because the router IP is .253.
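As an added worked example (not from this thread, and not Cisco's code), the following Python models how a Cisco wildcard mask is matched and how an access-list is evaluated first-match with the implicit "deny ip any any" at the end. It runs the original ACL from the question and the accepted single-line ACL against a few flows, and then a candidate ACL for the requirement stated in the last post. The candidate assumes that each router's LAN address ends in .253 and that the list is applied inbound on R1's fa0/0, so the source is always 1.1.1.0/24; the serial-link addresses are not given in the thread, so they are not covered. The main point it makes visible is that a wildcard of 0.0.0.252 does not mean "addresses .0 to .3": a wildcard bit of 1 is "don't care", so 0.0.0.252 matches every address whose low two bits are 00 (.0, .4, .8, ... .252), 64 of the 256 addresses, and misses .253 entirely.

```python
import ipaddress

# Wildcard semantics: bit 1 = don't care, bit 0 = must equal the base address bit.
# This is the inverse of a subnet mask, and it is a bit test, not a range test.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Number of addresses a base/wildcard pair covers: 2 ** (number of 1 bits).
def matched_hosts(wildcard: str) -> int:
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

# Parse one source or destination spec: "any", "host X", or "base wildcard".
def _parse_spec(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

# Parse "access-list <n> permit|deny ip <src spec> <dst spec>" (IP entries only).
def parse_ace(line: str):
    t = line.split()
    action = t[2]
    if action not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_spec(t, 4)
    dst, _ = _parse_spec(t, i)
    return action, src, dst

# First matching entry wins; if nothing matches, the implicit deny drops the packet.
def evaluate(acl_lines, src: str, dst: str) -> str:
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The ACL from the original question (wildcard 0.0.0.252, then permit any any).
ORIGINAL_R1 = [
    "access-list 100 deny ip 1.1.1.0 0.0.0.252 1.1.3.0 0.0.0.252",
    "access-list 100 permit ip any any",
]

# The accepted single-line ACL: everything else falls to the implicit deny.
ACCEPTED_R1 = [
    "access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255",
]

# Candidate for the last post's requirement (assumption: router LAN address is .253):
# hosts in 1.1.1.0/24 may reach R3's address and all of 1.1.2.0/24, nothing else.
CANDIDATE_R1 = [
    "access-list 100 permit ip 1.1.1.0 0.0.0.255 host 1.1.3.253",
    "access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255",
]

# Constructed sample flows (src, dst) entering R1 fa0/0 from the 1.1.1.0 network.
FLOWS = [
    ("1.1.1.5", "1.1.2.10"),    # allowed site-to-site traffic
    ("1.1.1.5", "1.1.3.10"),    # traffic that must be blocked
    ("1.1.1.5", "1.1.3.253"),   # management access to R3 (wanted in the last post)
]

def report(acl_lines, flows=FLOWS):
    """Return {(src, dst): action} for each flow under the given ACL."""
    return {(s, d): evaluate(acl_lines, s, d) for s, d in flows}

if __name__ == "__main__":
    print("0.0.0.252 covers", matched_hosts("0.0.0.252"), "addresses;",
          "0.0.0.255 covers", matched_hosts("0.0.0.255"))
    for name, acl in (("original", ORIGINAL_R1), ("accepted", ACCEPTED_R1),
                      ("candidate", CANDIDATE_R1)):
        print(name, report(acl))
```

Under the original ACL, 1.1.1.5 to 1.1.3.10 is permitted (neither address has low bits 00, so the deny never matches and "permit ip any any" passes it), which is why the 252 wildcard only appeared to work. Under the accepted ACL, the management flow to 1.1.3.253 is dropped by the implicit deny, matching the behaviour reported in the thread. The candidate permits exactly the two wanted flows and drops the rest without a "permit ip any any".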
