
Standard Access-list

The_guroo_2
Level 2

I have a question. Suppose I have two Ethernets: one is 192.168.1.0/24 and the other is 192.168.2.0/24. If I want to restrict the 1.0 network going to the 2.0 network (any service, complete deny), I would use a standard access-list. Now when I create the access list, it would be like:

router(config)# Access-list 1 deny 192.168.2.0

Now the wildcard, from what I know, would be 0.0.0.255, so if I write 0.0.0.0, what would happen? Is it fine as well or not? Secondly, what is the rule for access lists, I mean the placement of the access list, like near to destination, source, etc.? Thanks in advance.

3 Replies

mojalefa1
Level 1

Firstly, you should never use the 0.0.0.0 wildcard unless you are trying to deny a specific host. Standard access lists are always put next to the destination as outbound. If you are trying to deny 1.0, this is how your configuration would look:

router(config)# access-list 1 deny 192.168.1.0 0.0.0.255

Now remember the explicit deny any rule? Change that to access-list 1 permit any and place this closest to the destination as an outbound.

Hi,

Agreed on all points, except it would be placed closest to the dest 'inbound'. Outbound would never match the source 192.168.1.0/24, as it would be coming from the 192.168.2.0/24 network.

Regards,

Andres

Hieu Cao
Level 4

If you're on the 192.168.2.0 network, you can set up the access list like this:

router(config)# access-list 10 deny 192.168.1.0 0.0.0.255 log

router(config)# access-list 10 permit any log

Apply the "ip access-group 10 in" to the serial interface of the router on the 192.168.2.0 network.

Without the "permit any", you'll lose access to the router on the 192.168.1.0 network once you apply the access-list to the serial interface.
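Added example, not part of any post in this thread: a small Python model of how a standard access list matches a source address against a wildcard mask, top to bottom, with the deny that applies when nothing matches. The function names and the three rule sets are constructed for illustration from the commands quoted above; this is not IOS code.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(source, base, wildcard):
    # Wildcard bits set to 0 must match the base address; bits set to 1 are ignored.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(source) & care) == (to_int(base) & care)

def evaluate(acl, source):
    # Entries are checked top to bottom and the first match decides.
    for action, base, wildcard in acl:
        if matches(source, base, wildcard):
            return action
    return "deny"  # nothing matched: the deny at the end of every access list

ANY = ("0.0.0.0", "255.255.255.255")  # what the "any" keyword expands to

# Constructed rule sets modelled on the commands in the thread.
ACL_SUBNET = [("deny", "192.168.1.0", "0.0.0.255"), ("permit", *ANY)]
ACL_ZERO_WILDCARD = [("deny", "192.168.1.0", "0.0.0.0"), ("permit", *ANY)]
ACL_NO_PERMIT = [("deny", "192.168.1.0", "0.0.0.255")]

def report(sources):
    # One row per source: result under each of the three rule sets.
    rows = []
    for src in sources:
        rows.append((src,
                     evaluate(ACL_SUBNET, src),
                     evaluate(ACL_ZERO_WILDCARD, src),
                     evaluate(ACL_NO_PERMIT, src)))
    return rows

if __name__ == "__main__":
    # Constructed sample sources: the network address, a host in it, an unrelated host.
    for row in report(["192.168.1.0", "192.168.1.25", "192.168.3.7"]):
        print("%-14s 0.0.0.255: %-6s 0.0.0.0: %-6s no permit: %s" % row)
```

With the 0.0.0.0 wildcard only the exact address 192.168.1.0 matches the deny line, so every real host in 192.168.1.0/24 falls through to the permit; without a permit line, every source is dropped.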
