04-12-2007 11:54 AM - edited 03-11-2019 02:59 AM
Hi,
Can I permit a few IP addresses from any subnet to access the Internet, for example? In other words, if I have the subnet 10.10.10.0/24 and I need to permit only the hosts from 200 to 254 in the ACL to access the Internet.
If yes how?
Thanks in advance
Abd Alqader
04-12-2007 11:38 PM
Hi
If I have understood correctly, yes you can.
object-group network permit_hosts
network-object host 10.10.10.200
network-object host 10.10.10.201
.... etc.
access-list from_inside permit ip object-group permit_hosts any
access-group from_inside in interface inside
Couple of things to be aware of
1) I have said "permit ip" in the access-list but you could lock it down to particular ports.
2) I haven't covered NAT setup. If you need this, let me know.
3) Any access-list has an implicit deny at the end. So if you apply the above access-list to the inside interface that will stop any other traffic being initiated from the inside to the outside.
HTH
Jon
04-13-2007 01:09 AM
Thanks.
I know I can do that with one entry for each IP address. But my question was to do that with one entry for the whole subnet.
For example:
object-group network permit_hosts
network-object host X.X.X.200 - 254
Someone told me that it can be done using wildcard!
I need to know how?
Thanks in advance
Abd Alqader
04-13-2007 01:22 AM
Hi
Well, you can use a subnet mask in your object-group definitions, so I guess you could do
object-group network permit_hosts
network-object host 10.10.10.200
network-object host 10.10.10.201
etc...
network-object host 10.10.10.223
network-object 10.10.10.224 255.255.255.224
It all depends on where your subnet boundaries lie. You could use
network-object 10.10.10.192 255.255.255.192
but this would cover 10.10.10.192 - 199 also which is not what you want.
HTH
Jon
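An added worked check (not from the thread; the range and addresses are the ones used above) that computes the smallest set of contiguous-mask entries covering .200 to .254 exactly, renders them as object-group lines, and shows which extra hosts a single wider mask such as 255.255.255.192 lets through, using Python's standard ipaddress module:

```python
import ipaddress

# Constructed target range from the thread: hosts .200 through .254 of 10.10.10.0/24.
FIRST = ipaddress.IPv4Address("10.10.10.200")
LAST = ipaddress.IPv4Address("10.10.10.254")


def exact_cover(first, last):
    """Minimal list of CIDR blocks covering exactly first..last.

    Each block maps to one `network-object <addr> <mask>` entry.
    """
    return list(ipaddress.summarize_address_range(first, last))


def object_group_lines(first, last):
    """Render the exact cover as object-group entries (host form for /32)."""
    lines = []
    for net in exact_cover(first, last):
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def overreach(addr, mask, first, last):
    """Addresses that one `network-object <addr> <mask>` entry permits
    outside the intended first..last range (the practitioner's check
    before committing a wider mask such as 255.255.255.192)."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    wanted = range(int(first), int(last) + 1)
    return [str(host) for host in net if int(host) not in wanted]


if __name__ == "__main__":
    print("object-group network permit_hosts")
    for line in object_group_lines(FIRST, LAST):
        print(" " + line)
    # The /26 suggested in the thread also admits .192-.199 (and .255).
    print("extra hosts with 255.255.255.192:",
          overreach("10.10.10.192", "255.255.255.192", FIRST, LAST))
```

The exact cover needs seven entries rather than one, which is why a single contiguous mask cannot express .200 to .254 without either leaving hosts out or letting extra ones in.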
04-13-2007 03:46 AM
Hi Jon,
I mean any subnet with specific IP addresses; in other words, the fourth octet is between 200 and 254, for example, and the first three octets are any.
X.X.X.200 - 254.
10.10.10.200 - 254
100.1.222.200 - 254
172.30.2.200 - 254
X.X.X.200 - 254
Thanks
Abd Alqader
04-13-2007 08:58 AM
I wouldn't use access-lists to block traffic, but instead I would use policy NAT.
access-list WEB permit ip x.x.x.x x.x.x.x any
nat (inside) 1 access-list WEB
global (outside) 1 interface
You will have to play with your subnetting to get it right ..... I suggest you go with a 255.255.255.192 mask for your ACL as it will allow .193 - .254 to be NATed.
04-16-2007 02:44 PM
No, unfortunately you cannot define an arbitrary range.
You can define using CIDR ranges as suggested elsewhere.