https://community.cisco.com/t5/network-security/access-control-list/m-p/1602867#M559090 <HTML><HEAD></HEAD><BODY><P>Hi Chem,</P><P></P><P>I'm sorry about the mask. It would be 0.0.0.255 on a router, while it would be 255.255.255.0 on a firewall.</P><P>I primarily work with firewalls, so intuitively wrote the subnet mask. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>-Shrikant</P></BODY></HTML> Tue, 29 Mar 2011 11:56:10 GMT Shrikant Sundaresh 2011-03-29T11:56:10Z https://community.cisco.com/t5/network-security/access-control-list/m-p/1602863#M559086 <P>"access-list 100 deny ip host 192.168.2.10 host 192.168.3.11"</P><P>it should deny a single host, but why 192.168.2.10 can't access all ip in 192.168.3.0.</P><P></P><P>Thanks in advance</P> Mon, 11 Mar 2019 20:13:18 GMT https://community.cisco.com/t5/network-security/access-control-list/m-p/1602863#M559086 chhay.heng 2019-03-11T20:13:18Z https://community.cisco.com/t5/network-security/access-control-list/m-p/1602864#M559087 <HTML><HEAD></HEAD><BODY><P>Chem,</P><P></P><P>There is little data here to move forward, we don't know what the rest of ACL looks like or what the platform, topology/scenario is.</P><P></P><P>The access-list is just saying traffic from host A host B is not interesting. Access-list are used for MATCHING traffic, not dropping. You apply access-list to access-group command to make access-group drop traffic.</P><P></P><P>Marcin</P></BODY></HTML> Sun, 27 Mar 2011 09:40:26 GMT https://community.cisco.com/t5/network-security/access-control-list/m-p/1602864#M559087 Marcin Latosiewicz 2011-03-27T09:40:26Z https://community.cisco.com/t5/network-security/access-control-list/m-p/1602865#M559088 <HTML><HEAD></HEAD><BODY><P>Hi Chem,</P><P></P><P>To add to what Marcin has written in the earlier post, there is an implicit "deny ip any any" at the end of every access-list.</P><P></P><P>So this means, that if you make just the ACL you have made "access-list 100 deny ip host 192.168.2.10 host 192.168.3.11"</P><P>and apply this to one of the interfaces, "access-group 100 in int inside" for examle,</P><P>then it actually looks like:</P><P>access-list 100 deny ip host 192.168.2.10 host 192.168.3.11</P><P>access-list 100 deny ip any any [hidden]</P><P></P><P>and therefore no traffic will pass through.</P><P></P><P>Instead if you configure it this way:</P><P></P><P>access-list 100 deny ip host 192.168.2.10 host 192.168.3.11</P><P>access-list 100 permit ip host 192.168.2.10 192.168.3.0 255.255.255.0</P><P></P><P>and then apply it to an interface, then 192.168.2.10 will be able to communicate with everything in 192.168.3.0 /24 except for .11.</P><P></P><P>Hope this helps.</P><P></P><P><SPAN style="font-size: 8pt;">PS: Kindly mark the post answered if your question is answered, and kindly rate helpful posts.</SPAN></P></BODY></HTML> Sun, 27 Mar 2011 22:19:56 GMT https://community.cisco.com/t5/network-security/access-control-list/m-p/1602865#M559088 Shrikant Sundaresh 2011-03-27T22:19:56Z https://community.cisco.com/t5/network-security/access-control-list/m-p/1602866#M559089 <HTML><HEAD></HEAD><BODY><P>Dear Sundaresh,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Yeah， thanks...it's what i want! But...access-list 100 permit ip host 192.168.2.10 192.168.3.0 <SPAN style="color: #ff6600; font-size: 10pt; text-decoration: underline; ">255.255.255.0</SPAN>, it should be<SPAN style="color: #ff6600; text-decoration: underline; "> 0.0.0.255</SPAN>,right?</P><P></P><P>Regards,</P><P>Chhayheng</P><P>Setecuniversity student</P></BODY></HTML> Tue, 29 Mar 2011 02:03:34 GMT https://community.cisco.com/t5/network-security/access-control-list/m-p/1602866#M559089 chhay.heng 2011-03-29T02:03:34Z https://community.cisco.com/t5/network-security/access-control-list/m-p/1602867#M559090 <HTML><HEAD></HEAD><BODY><P>Hi Chem,</P><P></P><P>I'm sorry about the mask. It would be 0.0.0.255 on a router, while it would be 255.255.255.0 on a firewall.</P><P>I primarily work with firewalls, so intuitively wrote the subnet mask. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>-Shrikant</P></BODY></HTML> Tue, 29 Mar 2011 11:56:10 GMT https://community.cisco.com/t5/network-security/access-control-list/m-p/1602867#M559090 Shrikant Sundaresh 2011-03-29T11:56:10Z