05-21-2006 06:43 PM - edited 03-03-2019 03:18 AM
Hi,
I would like to ask for help: can I block the secondary IP's internet access? I will place it on the primary access-list created.
example
(primary blocking internet access access-list)
ip access-list extended http100
permit tcp host 10.99.100.1 host 10.108.20.1 eq 80
ip access-list extended http100
permit tcp host 10.99.102.1 host 10.108.20.1 eq 80
permit ip any any
Would the commands above block the internet of the secondary IP 10.99.102.x?
Thanks,
Eduard
05-21-2006 07:31 PM
Eduard
I do not understand what you have posted. I gather that you have a router and on one interface there is a primary address and a secondary address. I gather that you want to prevent devices in the secondary subnet from accessing Internet. Then you post an example of access list. But the example first shows an extended access list with a single line that permits a single host (apparently in the primary subnet) to access a single destination host on http. Then your post has the same extended access list name with two lines where one line permits a single host in the secondary subnet to access the remote host on http and then a permit ip any any which will allow any end station to access anything.
I do not understand why you show two access lists with the same name. The effect of doing this is that IOS will combine all 3 statements into one access list. And the resulting access list will permit all end stations on that interface to access any destination.
Perhaps you can clarify what you are trying to do and how you are trying to do it.
HTH
Rick
05-21-2006 09:41 PM
Hi Rick,
I have a router that currently blocks internet access for certain IPs. On that segment I created a secondary IP address 10.99.102.x.
My question is: how do I block the secondary's internet access by using an access-list?
I thought that since the secondary IP's interface is the same as the primary one, I'll put the exception there on the existing access-list. Would it block the IPs of the secondary from accessing the internet?
Hope this is clearer.
Oh, I think I mistyped something in the access-list; let me create another example:
ip access-list extended http101
permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)
permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)
deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
permit ip any any
All IPs' internet will be blocked except for 10.99.100.1 and 10.99.102.1.
Thanks,
Eduard
05-22-2006 05:51 AM
Eduard
I am not certain that I fully understand what you are attempting to accomplish. But this example is much better and shows what I think is the main point of the discussion. There can be only one IP access list inbound on an interface and only one IP access list outbound on an interface. Any access list on the interface will control access for both the primary subnet and any secondary subnets that are configured on the interface.
HTH
Rick
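Added example, not part of any post in the thread: a small Python model of first-match evaluation for the extended ACL entries quoted above (http100 as IOS would combine its three statements, and http101 without its parenthetical notes). It handles only the syntax used in the thread; the function names are illustrative and any host addresses other than those in the posts are constructed for testing.

```python
import ipaddress

# Entries copied from the thread; host addresses passed to evaluate() are constructed.
HTTP100 = """\
permit tcp host 10.99.100.1 host 10.108.20.1 eq 80
permit tcp host 10.99.102.1 host 10.108.20.1 eq 80
permit ip any any"""
HTTP101 = """\
permit tcp host 10.99.100.1 host 10.100.100.1 eq 80
permit tcp host 10.99.102.1 host 10.100.100.1 eq 80
deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
permit ip any any"""

def _addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def parse(acl_text):
    """Parse the subset of extended-ACL syntax used in the thread."""
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def _match(ip, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(entries, proto, src, dst, dport=None):
    """Return the action of the first matching entry (first match wins)."""
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto not in ("ip", proto):
            continue
        if _match(src, e_src) and _match(dst, e_dst) and e_port in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every access list
```

Because the list is bound to the interface rather than to an address, the same entries are evaluated for sources in both 10.99.100.0/24 and 10.99.102.0/24.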