11-20-2006 04:01 PM - edited 03-03-2019 02:46 PM
I have a question. Suppose I have two Ethernets, one is 192.168.1.0/24 and the other is 192.168.2.0/24. If I want to restrict the 1.0 network going to the 2.0 network (any service, complete deny) I would use a standard access-list. Now when I create the access list it would be like
router(config)# Access-list 1 deny 192.168.2.0 now the wildcard would be what? I know it would be 0.0.0.255, so if I write 0.0.0.0 what would happen, is it fine as well or not? Secondly, what is the rule for access lists, I mean the placement of the access list, like near to the destination, source, etc.? Thanks in advance.
11-20-2006 05:26 PM
Firstly, you should never use the 0.0.0.0 wildcard unless trying to deny a specific host. Standard access lists are always put next to the destination as outbounds. If you're trying to deny 1.0, this is how your configuration would look like: router(config)#access list 1 deny 192.168.1.0 0.0.0.255. Now remember the explicit deny any rule? Change that to access list 1 permit any and place this closest to the destination as an outbound.
11-20-2006 05:41 PM
Hi,
Agreed on all points, except it would be placed closest to the destination 'inbound'. Outbound would never match the source 192.168.1.0/24 as it would be coming from the 192.168.2.0/24 network.
Regards,
Andres
11-20-2006 05:35 PM
If you're on the 192.168.2.0 network, you can setup the access list like this:
router(config)# access-list 10 deny 192.168.1.0 0.0.0.255 log
router(config)# access-list 10 permit any log
Apply the "ip access-group 10 in" to the serial interface of the router on the 192.168.2.0 network.
Without the "permit any", you'll lose access to the router on 192.168.1.0 network once you apply the access-list to the serial interface.
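The thread turns on two points: how a wildcard mask selects addresses (0.0.0.255 covers the whole /24, 0.0.0.0 covers a single host, which is also what IOS assumes when the mask is omitted), and the implicit deny at the end of every access list that makes the trailing "permit any" necessary. The following Python script is an added example, not part of any reply above and not Cisco code: it emulates standard numbered ACL matching so the three variants discussed (the /24 deny with permit any, the 0.0.0.0 variant the questioner asked about, and a list with no permit line) can be evaluated against sample source addresses. The ACL lines and test addresses are constructed for the example, and the parser is deliberately limited to the numbered standard ACL syntax used in this thread.

```python
import ipaddress

# Constructed sample ACLs in numbered standard ACL syntax (assumption: this
# toy parser handles only "access-list N permit|deny <addr> [wildcard] [log]",
# "host <addr>" and "any").
ACL_10 = [
    "access-list 10 deny 192.168.1.0 0.0.0.255 log",
    "access-list 10 permit any log",
]
# The variant the question asks about: wildcard 0.0.0.0 instead of 0.0.0.255.
ACL_HOST_ONLY = [
    "access-list 1 deny 192.168.1.0 0.0.0.0",
    "access-list 1 permit any",
]
# No permit line at all: everything not explicitly denied hits the implicit deny.
ACL_NO_PERMIT = [
    "access-list 1 deny 192.168.1.0 0.0.0.255",
]

ALL_ONES = 0xFFFFFFFF


def parse_ace(line):
    """Return (action, address_int, wildcard_int) for one standard ACL entry."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not a numbered access-list entry: %r" % line)
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action %r" % action)
    rest = [p for p in parts[3:] if p != "log"]  # "log" does not affect matching
    if rest[0] == "any":
        return action, 0, ALL_ONES            # every bit is "don't care"
    if rest[0] == "host":
        return action, int(ipaddress.IPv4Address(rest[1])), 0
    addr = int(ipaddress.IPv4Address(rest[0]))
    # IOS treats a missing wildcard as 0.0.0.0, i.e. a single host.
    wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return action, addr, wild


def ace_matches(ace, src):
    """Wildcard semantics: a 1 bit means 'ignore this bit', a 0 bit must match."""
    _, addr, wild = ace
    s = int(ipaddress.IPv4Address(src))
    return ((s ^ addr) & ~wild & ALL_ONES) == 0


def evaluate(acl_lines, src):
    """First matching entry wins; returns (action, 1-based line) or ('deny', 0)
    for the implicit deny at the end of every IOS access list."""
    for idx, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, src):
            return ace[0], idx
    return "deny", 0


def count_matching(ace, network):
    """How many addresses of `network` (e.g. '192.168.1.0/24') an entry covers."""
    net = ipaddress.IPv4Network(network)
    return sum(1 for a in net if ace_matches(ace, str(a)))


if __name__ == "__main__":
    for name, acl in (("ACL_10", ACL_10), ("ACL_HOST_ONLY", ACL_HOST_ONLY),
                      ("ACL_NO_PERMIT", ACL_NO_PERMIT)):
        for src in ("192.168.1.0", "192.168.1.77", "192.168.2.5"):
            print(name, src, evaluate(acl, src))
    print("0.0.0.255 covers", count_matching(parse_ace(ACL_10[0]), "192.168.1.0/24"),
          "addresses; 0.0.0.0 covers",
          count_matching(parse_ace(ACL_HOST_ONLY[0]), "192.168.1.0/24"))
```

Running the script shows that with 0.0.0.255 the deny entry covers all 256 addresses of 192.168.1.0/24, while with 0.0.0.0 it covers only 192.168.1.0 itself and every other 192.168.1.x host falls through to "permit any". It also shows why the reply above warns about the missing permit line: with ACL_NO_PERMIT, a source on 192.168.2.0 is denied by the implicit deny even though no entry names it.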