https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728043#M1007349 <HTML><HEAD></HEAD><BODY><P>I wouldnt use access-lists to block traffic but instead I would use policy nat.</P><P></P><P>access-list WEB permit ip x.x.x.x x.x.x.x any nat (inside) 1 access-list WEB</P><P>global (outside) 1 interface</P><P></P><P>You will have to play with your subneting to get it right ..... I suggest you go with a 255.255.255.192 mask for your acl as it will allow .193 - .254 to be natd</P></BODY></HTML> Fri, 13 Apr 2007 15:58:24 GMT bbacola 2007-04-13T15:58:24Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728038#M1007344 <P>Hi,</P><P>Can i permit few IP addresses from any subnet to access Internet for example. In other words if i have the following subnet 10.10.10.0/24 and i need to permit hosts at the ACL from 200 to 254 to access the internet only. </P><P>If yes how?</P><P></P><P>Thanks in advance</P><P></P><P>Abd Alqader </P> Mon, 11 Mar 2019 09:59:34 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728038#M1007344 a.hajhamad 2019-03-11T09:59:34Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728039#M1007345 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>If i have understood correctly yes you can. </P><P></P><P>object-group network permit_hosts</P><P>network-object host 10.10.10.200</P><P>network-object host 10.10.10.201 </P><P>.... etc.</P><P></P><P>access-list from_inside permit ip object-group permit_hosts any </P><P></P><P>access-group from_inside in interface inside </P><P></P><P></P><P>Couple of things to be aware of </P><P></P><P>1) I have said "permit ip" in the access-list but you could lock it down to particular ports.</P><P>2) I haven't covered NAT setup. if you need this let me know. </P><P>3) Any access-list has an implicit deny at the end. So if you apply the above access-list to the inside interface that will stop any other traffic being initiated from the inside to the outside. </P><P></P><P>HTH </P><P></P><P>Jon</P></BODY></HTML> Fri, 13 Apr 2007 06:38:20 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728039#M1007345 Jon Marshall 2007-04-13T06:38:20Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728040#M1007346 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P>I know i can do that with one entry for each IP address. But my question was to do that with one entry for the whole subnet.</P><P>For example:</P><P>object-group network permit_hosts</P><P>network-object host X.X.X.200 - 254</P><P>Someone told me that it can be done using wildcard!</P><P>I need to know how?</P><P></P><P>Thanks in advance</P><P></P><P>Abd Alqader </P></BODY></HTML> Fri, 13 Apr 2007 08:09:34 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728040#M1007346 a.hajhamad 2007-04-13T08:09:34Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728041#M1007347 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Well you can use a subnet mask in your object-group definitions so i guess you could do </P><P></P><P>object-group network permit_hosts</P><P>network-object host 10.10.10.200</P><P>network-object host 10.10.10.201</P><P>etc...</P><P>network-object host 10.10.10.223 </P><P>network-object 10.10.10.224 255.255.255.224</P><P></P><P></P><P>It all depends on where your subnet boundaries lie. You could use </P><P></P><P>network-object 10.10.10.192 255.255.255.192</P><P></P><P>but this would cover 10.10.10.192 - 199 also which is not what you want. </P><P></P><P>HTH </P><P></P><P>Jon </P></BODY></HTML> Fri, 13 Apr 2007 08:22:12 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728041#M1007347 Jon Marshall 2007-04-13T08:22:12Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728042#M1007348 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P>I mean any subnet with specific ip addresses, in other words the fourth octet is between range 200 and 254 for example, and the first three octets any. </P><P>X.X.X.200 - 254.</P><P>10.10.10.200 - 254</P><P>100.1.222.200 - 254</P><P>172.30.2.200 - 254</P><P>X.X.X.200 - 254</P><P></P><P>Thanks</P><P></P><P>Abd Alqader </P></BODY></HTML> Fri, 13 Apr 2007 10:46:54 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728042#M1007348 a.hajhamad 2007-04-13T10:46:54Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728043#M1007349 <HTML><HEAD></HEAD><BODY><P>I wouldnt use access-lists to block traffic but instead I would use policy nat.</P><P></P><P>access-list WEB permit ip x.x.x.x x.x.x.x any nat (inside) 1 access-list WEB</P><P>global (outside) 1 interface</P><P></P><P>You will have to play with your subneting to get it right ..... I suggest you go with a 255.255.255.192 mask for your acl as it will allow .193 - .254 to be natd</P></BODY></HTML> Fri, 13 Apr 2007 15:58:24 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728043#M1007349 bbacola 2007-04-13T15:58:24Z https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728044#M1007350 <HTML><HEAD></HEAD><BODY><P>No, unfotunately you cannot define an arbatory range. </P><P></P><P>You can define using CIDR ranges as suggested elsewhere.</P></BODY></HTML> Mon, 16 Apr 2007 21:44:44 GMT https://community.cisco.com/t5/network-security/few-hosts-from-subnet/m-p/728044#M1007350 mark.hodge 2007-04-16T21:44:44Z