Solved: access-list on secondary IP

edongskiu · ‎05-21-2006

Hi,

I would like to ask help if i can block the secondary IP internet access? i will place it on the primary access-list created.

example

(primary blocking internet access access-list)

ip access-list extended http100

permit tcp host 10.99.100.1 host 10.108.20.1 eq 80

ip access-list extended http100

permit tcp host 10.99.102.1 host 10.108.20.1 eq 80

permit ip any any

would the commands above block the internet of the secondary IP 10.99.102.x?

thanks,

Eduard

Richard Burts · ‎05-22-2006

Eduard

I am not certain that I fully understand what you are attempting to accomplish. But this example is much better and shows what I think is the main point of the discussion. There can be only one IP access list inbound on an interface and only one IP access list outbound on an interface. Any access list on the interface will control access for both the primary subnet and any secondary subnets that are configured on the interface.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎05-21-2006

Eduard

I do not understand what you have posted. I gather that you have a router and on one interface there is a primary address and a secondary address. I gather that you want to prevent devices in the secondary subnet from accessing Internet. Then you post an example of access list. But the example first shows an extended access list with a single line that permits a single host (apparently in the primary subnet) to access a single destination host on http. Then your post has the same extended access list name with two lines where one line permits a single host in the secondry subnet to access the remote host on http and then a permit ip any any which will allow any end station to access anything.

I do not understand why you show two access lists with the same name. The effect of doing this is that IOS will combine all 3 statements into one access list. And the resulting access list will permit all end stations on that interface to access any destination.

Perhaps you can clarify what you are trying to do and how you are trying to do it.

HTH

Rick

HTH

Rick

edongskiu · ‎05-21-2006

Hi Rick,

I have a router and currently blocks internet access on certain IP's. On that segment i created a secondary IP address 10.99.102.x.

My question is how do i block secondary internet access by using an access-list?

I thought of that since the secondary IP's interface is the same as the primary one, i'll put the exception there on the existing access-list. would it block the IP's of the secondary accessing the internet.

Hope this is clearer.

oh,i think i missed typed something on the access-list, let me create another example:

ip access-list extended http101

permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)

permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)

deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80

deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80

permit ip any any

all ip's internet will be blocked except for 10.99.100.1 and 10.99.102.1

thanks,

Eduard

Richard Burts · ‎05-22-2006

Eduard

I am not certain that I fully understand what you are attempting to accomplish. But this example is much better and shows what I think is the main point of the discussion. There can be only one IP access list inbound on an interface and only one IP access list outbound on an interface. Any access list on the interface will control access for both the primary subnet and any secondary subnets that are configured on the interface.

HTH

Rick

HTH

Rick