New Member

access-list

Hello,

I have a problem with an access-list. I have three different networks (assumed IPs, just for protection): 1.1.1.0, 1.1.2.0 and 1.1.3.0. So I have three routers, one on each network: R1, R2 and R3. I want network 1.1.1.0 to talk to 1.1.2.0, but it should NOT communicate with 1.1.3.0. Also 1.1.3.0 can talk to 1.1.2.0 but not to 1.1.1.0. So on R1 I configured the access-list the following way:

access-list 100 deny ip 1.1.1.0 0.0.0.252 1.1.3.0 0.0.0.252

access-list 100 permit ip any any

Then on interface fa0/0 I typed ip access-group 100 in. I also did the same thing on R3, changing the IP addresses. It works fine, but I am not happy with the command permit any any. Is there another way so that this would work? I tried replacing the permit ip any any with permit ip 1.1.1.0 0.0.0.252 1.1.2.0 0.0.0.252, but it does NOT work.

Any comments or suggestions are welcome.

Thanks

1 ACCEPTED SOLUTION

Re: access-list

Hi,

You can do this with one statement like the one noted below. The implicit deny rule will drop everything else.

R1:

access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255

int f0/0

ip access-group 100 in

HTH,

Sundar

11 REPLIES


New Member

Re: access-list

I must be doing something wrong because I tried that and it blocks all the networks.

New Member

Re: access-list

I just tried it and it doesn't work.

Re: access-list

Are these routers on the same ethernet segment?

Or tell us how they are connected.

New Member

Re: access-list

They are connected on the serial port on a T1 circuit.

Re: access-list

That should work.

What's the source and destination IP address of the pings? Are you using a 24-bit mask for these networks?

Re: access-list

Looking at your previous posting, why do you have the wildcard mask set to 0.0.0.252?

Do you mean to include networks 1.1.1.0/24 - 1.1.3.0/24? If that's what you want, then the WC you need to use is 0.0.252.255.

Hall of Fame Super Bronze

Re: access-list

Sundar

"Do you mean to include networks 1.1.1.0/24 - 1.1.3.0/24. If that's what you want then the WC you need to use is 0.0.252.255."

Perhaps you mean 0.0.3.255?

Re: access-list

Oops, I am typing too quickly. Thanks for correcting that, Edison :-)


New Member

Re: access-list

It works the way you said, 0.255. So what I am trying to do is to access the routers from any network but restrict the networks so they can't communicate (1.1.1.0 can't talk to 1.1.3.0). That's why I had 252, because the router IP is .253.
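To check what the masks discussed in this thread actually match, here is an added example (not from the thread or from Cisco): a small evaluator for permit/deny ip entries with Cisco wildcard semantics and the trailing implicit deny. The ACL text is quoted from the posts above and the addresses are the OP's placeholder networks; it shows that 0.0.0.252 matches only every fourth host, that 0.0.3.255 spans 1.1.0.0 to 1.1.3.255, and that the one-line accepted ACL also drops traffic to a router address such as 1.1.1.253.

```python
import ipaddress

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must equal the pattern bit,
    a 1 bit is 'don't care', i.e. (addr XOR pattern) AND NOT wildcard == 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(pattern)) & care == 0

def _term(tokens):
    """Parse one address term: 'any' | 'host A' | 'A WILDCARD' -> ((pattern, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into (action, src, dst) entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, rest = _term(tok[4:])
        dst, _ = _term(rest)
        entries.append((tok[2], src, dst))
    return entries

def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, (sp, sw), (dp, dw) in entries:
        if wildcard_match(src, sp, sw) and wildcard_match(dst, dp, dw):
            return action
    return "deny"

def matched_hosts(pattern: str, wildcard: str, net: str = "1.1.1.0/24"):
    """Last octets within `net` that the pattern/wildcard pair actually matches."""
    return [int(h) & 0xFF for h in ipaddress.ip_network(net)
            if wildcard_match(str(h), pattern, wildcard)]

# The two ACLs quoted in the thread (addresses are the OP's placeholder networks).
OP_ACL = parse_acl(["access-list 100 deny ip 1.1.1.0 0.0.0.252 1.1.3.0 0.0.0.252",
                    "access-list 100 permit ip any any"])
ACCEPTED_ACL = parse_acl(["access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255"])
```

Under the OP's original list a host such as 1.1.1.5 never matches the deny line and falls through to permit any any, which is the leak the wildcard arithmetic explains.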
