Help in Access-List

usman792
Level 1

Hi,

I want to apply an access-list on my router to deny everything for the client PC IP address range 10.1.1.11 to 10.1.1.50 except UDP, which should be permitted, and to permit our managers' PC IP addresses above this range. I am using NAT on my router; please also tell me which interface I should apply this access-list to, Ethernet or Serial.

Any help is appreciated.

9 Replies

pkhatri
Level 11

Hi,

Try this...

access-list 101 permit ip host 10.1.1.51 any

access-list 101 permit ip 10.1.1.52 0.0.0.3 any

access-list 101 permit ip 10.1.1.56 0.0.0.7 any

access-list 101 permit ip 10.1.1.64 0.0.0.63 any

access-list 101 permit ip 10.1.1.128 0.0.0.127 any

access-list 101 permit udp 10.1.1.11 0.0.0.0 any

access-list 101 permit udp 10.1.1.12 0.0.0.3 any

access-list 101 permit udp 10.1.1.16 0.0.0.15 any

access-list 101 permit udp 10.1.1.32 0.0.0.15 any

access-list 101 permit udp 10.1.1.48 0.0.0.1 any

access-list 101 permit udp 10.1.1.50 0.0.0.0 any

access-list 101 deny ip any any

!

! apply it inbound on your ethernet interface

interface ethernet 0

ip access-group 101 in

The first 5 lines will allow full access to all source addresses in the range 10.1.1.51 upwards. The next 6 lines will allow UDP to all source addresses from 10.1.1.11 to 10.1.1.50. The last line will deny everything else (not strictly required as it is the default).

Hope that helps - pls rate the post if it does.

Paresh.

Hi Paresh,

Thanks for your help, but due to some mistake my network range starts at 10.213.169.1, netmask 255.0.0.0. I want to block my first 50 network addresses from web browsing and any messaging. They are only allowed SIP voice traffic, meaning SIP port 5060 and RTP port range 6000 to 15000. All my other subnets are also allowed voice traffic. Is this configuration correct for this range?

Thanks

When you say the first 50 network addresses, do you mean from 10.213.169.1 to 10.213.169.50?

Let me clarify your requirements:

- you want to restrict 10.213.169.1 to 10.213.169.50 so that only SIP and RTP traffic is permitted, everything else is blocked. Is that correct?

- what traffic do you want to allow for all your other addresses? Everything?

Thanks,

Paresh

Yes, I want 10.213.169.1 to 10.213.169.50 with subnet mask 255.0.0.0 to have only SIP and RTP traffic permitted and everything else blocked, and all other IP addresses permitted everything.

One more thing:

I use a NAT pool address in my router, so please give a configuration that works with NAT.

thanks

Howdy,

It might be an idea to post your router config so that we can cover all the aspects of this config.

Paresh,

Hi again,

Try the following (it should work even if you have NAT configured):

access-list 101 permit udp 10.213.169.0 0.0.0.31 eq 5060 any

access-list 101 permit udp 10.213.169.0 0.0.0.31 any eq 5060

access-list 101 permit udp 10.213.169.32 0.0.0.15 eq 5060 any

access-list 101 permit udp 10.213.169.32 0.0.0.15 any eq 5060

access-list 101 permit udp 10.213.169.48 0.0.0.1 eq 5060 any

access-list 101 permit udp 10.213.169.48 0.0.0.1 any eq 5060

access-list 101 permit udp 10.213.169.50 0.0.0.0 eq 5060 any

access-list 101 permit udp 10.213.169.50 0.0.0.0 any eq 5060

access-list 101 permit udp 10.213.169.0 0.0.0.31 range 6000 15000 any

access-list 101 permit udp 10.213.169.0 0.0.0.31 any range 6000 15000

access-list 101 permit udp 10.213.169.32 0.0.0.15 range 6000 15000 any

access-list 101 permit udp 10.213.169.32 0.0.0.15 any range 6000 15000

access-list 101 permit udp 10.213.169.48 0.0.0.1 range 6000 15000 any

access-list 101 permit udp 10.213.169.48 0.0.0.1 any range 6000 15000

access-list 101 permit udp 10.213.169.50 0.0.0.0 range 6000 15000 any

access-list 101 permit udp 10.213.169.50 0.0.0.0 any range 6000 15000

access-list 101 deny ip 10.213.169.0 0.0.0.31 any

access-list 101 deny ip 10.213.169.32 0.0.0.15 any

access-list 101 deny ip 10.213.169.48 0.0.0.1 any

access-list 101 deny ip 10.213.169.50 0.0.0.0 any

access-list 101 permit ip any any

!

! apply it inbound on your ethernet interface

interface ethernet 0

ip access-group 101 in

Pls remember to rate posts.

Regards,

Paresh

Hi,

I tried this configuration and it did work, but there is one problem: I use the x-ten softphone, and with this configuration it did not work well. I use this proxy address: voip-co2.teliax.com. When x-ten loads, it first checks (Performing DNS lookup), then it tries to register with this proxy address.

Could you tell me how I can figure out this problem?

My aim is that all my client PCs can only make calls; they should not do web surfing or anything else. If there is any solution except the router, kindly tell me.

Thanks for your big help.

Alright, try this now - I've added the ability for DNS queries to go through. Pls remember to rate posts that help.

access-list 101 permit udp 10.213.169.0 0.0.0.31 eq 5060 any

access-list 101 permit udp 10.213.169.0 0.0.0.31 any eq 5060

access-list 101 permit udp 10.213.169.32 0.0.0.15 eq 5060 any

access-list 101 permit udp 10.213.169.32 0.0.0.15 any eq 5060

access-list 101 permit udp 10.213.169.48 0.0.0.1 eq 5060 any

access-list 101 permit udp 10.213.169.48 0.0.0.1 any eq 5060

access-list 101 permit udp 10.213.169.50 0.0.0.0 eq 5060 any

access-list 101 permit udp 10.213.169.50 0.0.0.0 any eq 5060

access-list 101 permit udp 10.213.169.0 0.0.0.31 range 6000 15000 any

access-list 101 permit udp 10.213.169.0 0.0.0.31 any range 6000 15000

access-list 101 permit udp 10.213.169.32 0.0.0.15 range 6000 15000 any

access-list 101 permit udp 10.213.169.32 0.0.0.15 any range 6000 15000

access-list 101 permit udp 10.213.169.48 0.0.0.1 range 6000 15000 any

access-list 101 permit udp 10.213.169.48 0.0.0.1 any range 6000 15000

access-list 101 permit udp 10.213.169.50 0.0.0.0 range 6000 15000 any

access-list 101 permit udp 10.213.169.50 0.0.0.0 any range 6000 15000

access-list 101 permit udp any any eq domain

access-list 101 permit udp any eq domain any

access-list 101 deny ip 10.213.169.0 0.0.0.31 any

access-list 101 deny ip 10.213.169.32 0.0.0.15 any

access-list 101 deny ip 10.213.169.48 0.0.0.1 any

access-list 101 deny ip 10.213.169.50 0.0.0.0 any

access-list 101 permit ip any any

Hope that helps.

Regards,

Paresh.

Hi Paresh,

Thanks for your big, big cooperation. With this configuration I have achieved my goal. Could you give me some hints on how to make a range with a wildcard mask?

thanks
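
The address/wildcard pairs used in the access lists in this thread can be derived mechanically from the first and last address of a range. The script below is an added example, not code from any post in the thread; the function names `range_to_wildcards`, `wildcard_match` and `covered` are its own, and it only computes and checks the pairs, it does not talk to a router.

```python
import ipaddress

def range_to_wildcards(first, last):
    """Split an inclusive IPv4 range into the fewest (base, wildcard) pairs."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last address")
    blocks = []
    while lo <= hi:
        # Largest power-of-two block that can start at lo: a block of
        # size 2^n must begin on a multiple of 2^n (lowest set bit of lo).
        size = lo & -lo if lo else 1 << 32
        # Halve it until the block no longer runs past the end of the range.
        while lo + size - 1 > hi:
            size >>= 1
        # The wildcard is size - 1: the low bits the ACL entry ignores.
        blocks.append((str(ipaddress.IPv4Address(lo)),
                       str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return blocks

def wildcard_match(addr, base, wildcard):
    """IOS-style test: bits set in the wildcard are ignored, the rest must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def covered(addr, blocks):
    """True if addr matches any (base, wildcard) pair in blocks."""
    return any(wildcard_match(addr, b, w) for b, w in blocks)

if __name__ == "__main__":
    # The two restricted client ranges discussed in the thread.
    for first, last in [("10.1.1.11", "10.1.1.50"),
                        ("10.213.169.0", "10.213.169.50")]:
        print(f"{first} - {last}")
        for base, wc in range_to_wildcards(first, last):
            print(f"  {base} {wc}")
```

A wildcard of 0.0.0.0 is a single host, which is why ranges that start or end on an odd boundary (such as .11 or .50) need separate one-address entries.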
