Access list not saving correctly

kharris
Level 1

I have a 1760 Router (IOS v12.2).

I'm trying to apply the p2p access-lists based on the CISCO article online.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801e419a.shtml

The article shows a PIX, but I'm trying to put them on a router that sits in front of our PIX.

Every time I enter the access-list shown for "Blubster/Piolet Configuration", the access-list looks different when I go to view it.

-------------------------------------

Router(config)#int fa0/0
Router(config-int)#ip access-list extended blockp2p
Router(config-ext-nacl)#deny tcp any 128.121.0.0 255.255.0.0 eq 80
Router(config-ext-nacl)#deny tcp any any eq 4662
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#^Z
Router#sh access-list
Extended IP access list blockp2p
10 deny tcp any 0.0.0.0 255.255.0.0 eq www
20 deny tcp any any eq 4662
30 permit ip any any (2217825 matches)
Router#

-------------------------------------------------

I don't understand why "128.121.0.0 255.255.0.0 eq 80" gets changed to:

"0.0.0.0 255.255.0.0 eq www"

Can anyone elaborate?

4 Replies

Kevin Dorrell
Level 11

Your problem is that the router access list is expecting a wildcard mask rather than a subnet mask. You are telling it "the first byte is 128, but I don't care what any of the bits are; the second byte is 121, but I don't care what any of the bits are; the third byte is 0, and I do care what the bits are ...etc."

The line you want is deny tcp any 128.121.0.0 0.0.255.255 eq 80

I don't know the PIX, so I gotta ask this question. Does the PIX really use subnet masks in its access lists instead of wildcards? Does Cisco really have two products that use precisely the opposite conventions? 8-(

Kevin Dorrell

Luxembourg
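The wildcard-mask explanation above can be checked numerically. The following Python script is an added example (not part of the original thread, and not Cisco code); it models how IOS interprets an extended ACE: a 1 bit in the wildcard means "don't care", IOS clears the don't-care bits of the stored address (which is why 128.121.0.0 was displayed as 0.0.0.0), and a packet matches when every "care" bit agrees. The helper names and the sample host addresses are the example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask bit for bit to get the IOS wildcard mask.
    255.255.0.0 -> 0.0.255.255"""
    return int_to_ip(ip_to_int(mask) ^ ALL_ONES)


def normalize_ace(address: str, wildcard: str) -> str:
    """Return the address as IOS stores and displays it: bits the wildcard
    marks as don't-care (1) never take part in matching, so IOS clears them.
    This is what turned 128.121.0.0 into 0.0.0.0 in the thread's output."""
    care = ip_to_int(wildcard) ^ ALL_ONES
    return int_to_ip(ip_to_int(address) & care)


def matches(host: str, address: str, wildcard: str) -> bool:
    """IOS match test: compare only the bits where the wildcard is 0."""
    care = ip_to_int(wildcard) ^ ALL_ONES
    return (ip_to_int(host) & care) == (ip_to_int(address) & care)


def compare_entries(address: str, subnet_mask: str, hosts: list) -> dict:
    """Contrast the entry as typed (subnet mask in the wildcard field) with
    the intended entry (proper wildcard) for a few sample hosts."""
    as_typed = (address, subnet_mask)
    intended = (address, subnet_to_wildcard(subnet_mask))
    return {
        "as_typed_displayed": normalize_ace(*as_typed),
        "intended_wildcard": intended[1],
        "as_typed_matches": {h: matches(h, *as_typed) for h in hosts},
        "intended_matches": {h: matches(h, *intended) for h in hosts},
    }


if __name__ == "__main__":
    # Constructed sample hosts: two inside 128.121.0.0/16, one elsewhere.
    sample_hosts = ["128.121.5.6", "128.121.0.0", "10.20.0.0"]
    result = compare_entries("128.121.0.0", "255.255.0.0", sample_hosts)
    print("IOS displays the typed entry as:", result["as_typed_displayed"])
    print("Wildcard you actually want:     ", result["intended_wildcard"])
    for h in sample_hosts:
        print(f"{h:14} as typed: {result['as_typed_matches'][h]!s:5} "
              f"intended: {result['intended_matches'][h]}")
```

Run as-is it shows that the entry as typed only ever matches hosts whose last two octets are 0.0 (any first two octets), while the corrected `0.0.255.255` wildcard matches every host in 128.121.0.0/16. The `eq 80` to `eq www` change in the thread is unrelated: IOS simply prints the well-known name for port 80.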

Just my 2 cents here, but yes, Cisco has many, many products using many different conventions. Since Cisco buys lots of their technology, they can usually rebrand the external box quickly enough, but it takes lots more time and revisions to get the IOS/OS into the Cisco "way".

Well, I had the same thought when I looked at it, but I assumed the PIX and the Router worked the same. I just wanted to get a second opinion, but I will re-try with the "standard" wild-card mask. Since I was taking it directly from CISCO's site, I thought I might be missing something.

I am new to using the PIX also. The company I work for already had it in place with a bunch of access-lists already configured. The router was the easier of the two to work on, since it had little configuration, and sits in front of the PIX.

Thanks for the response. I'll try it next time I get a chance.

Re-entered the wild card mask in the router with 0.0.255.255 and it took it. I guess the PIX handles them differently.

Pardon my typos earlier....

Thanks.

Kyle