12-06-2011 11:06 AM - edited 03-04-2019 02:32 PM
Hi, I have a router with a few computers connected to it.
These computers are subnetted with a /26 (255.255.255.192). There is a computer for each subnet: .2, .66, .130, .194.
I am trying to deny access to the outgoing port F1/0 for IPs ranging from 10.10.9.63 - 10.10.9.127.
I tried to deny access by making a
access-list 1 permit 10.10.9.0 0.0.0.255
access-list 2 deny 10.10.9.64 0.0.0.63
int f1/0
ip access-group 2 out
It seems like everything is prohibited.
I am really confused about how to do this without using NAT. Once I try NAT, things seem to get even more confusing.
Ignoring NAT and DHCP for the moment, how would I get this to work with IP addresses that are static?
Btw, I am using GNS3, my router is a Cisco 7200, and I am using a standard access list.
I basically want the 3 subnets .0, .128 and .192 to be allowed to leave the network, and eventually also have NAT translate their IPs to a range of 192.168.1.1 - 192.168.1.254 (I had this working without trying to deny a subnet).
All I seem to be able to do is deny everything, and I feel like it has something to do with the deny being appended to the permit access list at the end.
Any ideas would be great for this noobie!
12-06-2011 11:13 AM
Eric
access-list 1 permit 10.10.9.0 0.0.0.255
access-list 2 deny 10.10.9.64 0.0.0.63
You have an access-list 2 which only has denies in it applied to the interface. Note that in the above you have two access-lists, i.e. not the same one. Try this -
access-list 1 deny 10.10.9.64 0.0.0.63
access-list 1 permit 10.10.9.0 0.0.0.255
int fa0/1
ip access-group 1 out
Jon
12-06-2011 12:03 PM
enable
conf t
int e2/0
ip add 10.10.1.1 255.255.255.192
no shutdown
int e2/1
ip add 10.10.1.65 255.255.255.192
no shutdown
int e2/2
ip add 10.10.1.129 255.255.255.192
no shutdown
int e2/3
ip add 10.10.1.193 255.255.255.192
no shutdown
exit
access-list 1 deny 10.10.1.64 0.0.0.63
access-list 1 permit 10.10.1.0 0.0.0.255
int fa1/0
ip add 10.10.2.1 255.255.255.0
ip access-group 1 out
no shutdown
Got it! Awesome. I made a few stupid mistakes but it works well. I am going to apply NAT and see if it works. I am assuming that the deny will take place before the addresses are translated. Thanks a lot for your help! I will put you as the solution once I get NAT working, in case I run into problems.
12-06-2011 12:43 PM
enable
conf t
int e2/0
ip add 10.10.1.1 255.255.255.192
ip nat inside
no shutdown
int e2/1
ip add 10.10.1.65 255.255.255.192
ip nat inside
no shutdown
int e2/2
ip add 10.10.1.129 255.255.255.192
ip nat inside
no shutdown
int e2/3
ip add 10.10.1.193 255.255.255.192
ip nat inside
no shutdown
exit
access-list 2 deny 10.10.1.64 0.0.0.63
access-list 2 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
ip nat pool 1 192.168.1.2 192.168.1.254 prefix-length 24
ip nat inside source list 1 pool 1 overload
int fa1/0
ip add 10.10.2.1 255.255.255.0
ip nat outside
ip access-group 2 out
no shutdown
Everything gets prohibited here. I'm assuming the access-list is allowing all IPs within 10.10.1.0 - 10.10.1.255 to be translated by NAT, but the interface is not allowing 10.10.1.64 - 10.10.1.127 to enter the interface to be translated.
VPCS[1]> ping 10.10.2.2
*10.10.1.1 icmp_seq=1 ttl=255 time=19.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
I think I may be a little confused about how this works, I hope I can get some help even if my questions are a bit too simple.
12-06-2011 04:17 PM
Eric
Everything gets prohibited here. I'm assuming the access-list is allowing all IPs within 10.10.1.0 - 10.10.1.255 to be translated by NAT, but the interface is not allowing 10.10.1.64 - 10.10.1.127 to enter the interface to be translated.
I'm slightly confused as to what you are trying to do. I thought you didn't want 10.10.1.64 -> 127 to be allowed out, and if it isn't allowed out then it won't be NATed.
Perhaps you could explain a bit more about exactly what you are trying to do.
Jon
12-07-2011 06:24 AM
Hey Jon, thanks for the reply.
I am trying to deny 10.10.1.64 - 127 but allow everything else to be NATed.
My problem seems to be that everything is getting denied, meaning 10.10.1.0 - 10.10.1.255.
I'd like to deny only 10.10.1.64 - 127 while everything else enters the interface and gets NATed.
12-07-2011 07:57 AM
Eric
Can you try your pings from clients rather than a router interface, i.e. try a ping from a device in the 10.10.1.64/26 network (which shouldn't work) and then try from a device in any of the other 10.10.1.x networks (which should work).
Your config looks fine.
Jon
12-07-2011 08:21 AM
Hey Jon, thanks for the reply.
I have been pinging only from the clients.
It works great when NAT is not set up. Everything makes it to the next router through my static routes.
(Also, I have a static route for 192.168.1.0/24, so everything exiting should go back.)
Once I add
access-list 1 permit 10.10.1.0 0.0.0.255
Router(config)#ip nat pool 1 192.168.1.2 192.168.1.255 prefix-length 24
Router(config)#ip nat inside source list 1 pool 1 overload
I get
VPCS[1]> ping 10.10.2.2
*10.10.1.1 icmp_seq=1 ttl=255 time=40.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
VPCS[4]> ping 10.10.2.2
*10.10.1.193 icmp_seq=1 ttl=255 time=60.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
VPCS[6]> ping 10.10.2.2
*10.10.1.129 icmp_seq=1 ttl=255 time=43.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
VPCS[8]> ping 10.10.2.2
*10.10.1.65 icmp_seq=1 ttl=255 time=43.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
Without NAT I was only getting
VPCS[8]> ping 10.10.2.2
*10.10.1.65 icmp_seq=1 ttl=255 time=43.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
and all other networks were getting a ping back.
After NAT, if I add a deny in the access list for the interface and then a permit any any, they all go through, meaning that the address has been translated by NAT and then it is being checked against the interface access-list! Everything is getting denied because the list says to deny .64 - .127 and to allow only 10.10.1.0 - 10.10.1.255. Since 192.168.1.0 - 255 is not specified, it is denied. When it is specified it is allowed, but if only one packet is being sent, any computer from any network will consume the first available IP in that range, since I am only using a /24 for my pool of addresses.
12-07-2011 09:15 AM
Eric
Okay, this is happening because you NAT the packets and then check against the outbound ACL. So when the packets are checked against access-list 2 they no longer have source IPs of 10.10.x.x; they have been changed to 192.168.1.x addresses.
So the most traditional way of doing this is to remove your ACL from fa0/1 and apply this access-list to the e2/1 interface. Note I am assuming that the 10.10.1.64/26 network is allowed to talk to the rest of the 10.10.1.x subnets but not allowed out past the fa0/1 interface? If this is not the case let me know -
access-list 101 permit ip 10.10.1.64 0.0.0.63 10.10.1.0 0.0.0.255
access-list 101 deny ip 10.10.1.64 0.0.0.63 any
int e2/1
ip access-group 101 in
and then you need to remove the access list from fa0/1, i.e.
int fa0/1
no ip access-group 2 out
You can leave the NAT as it is. What the above will do is allow 10.10.1.64/26 to talk to any other 10.10.1.x subnet but to nothing else.
Jon
12-07-2011 09:32 AM
Thanks, it works well now. When I tried to deny on the interface of the .64 network I did it wrong. I was trying to deny its destination, thinking I could target the interface 10.10.2.1, but it wasn't destined there; it was just passing through.
Now I understand that I need to allow the incoming packets in that network to go to a destination range of my choice, then just deny everything else. It won't make it to the interface to be NATed. Thanks a lot, I really appreciate the help. Btw, I am a network beginner; if you know some tutorials that would be awesome!
Anyways, thanks a lot!
12-07-2011 09:40 AM
Eric
Glad you got it working. My apologies, because I should have spotted that earlier when I said your config was fine.
A very useful doc when dealing with IOS with NAT/ACLs etc. is this one, which tells you the order the router does things in -
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
You can see from this that NAT happens before any outbound access-lists are checked, and this explains what was happening with your config.
As for tutorials, it really depends on what you are trying to do. Cisco has a huge amount of docs, many of which are configuration docs to achieve specific things. Also, if you are a network beginner you may want to consider purchasing a CCNA book, even if you don't intend to actually take the CCNA exam.
And of course there is always this site, where there are many people who are only too happy to help with configuration problems and also explain any concepts that you may be struggling with. Feel free to post any queries you have in the future.
Jon
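To make the two points from this thread concrete, Jon's note that an access-list containing only deny statements blocks everything (the implicit deny at the end), and his explanation that inside-to-outside NAT runs before the outbound access-list on the outside interface, here is an added Python model written for this page. It is not code from the thread or from Cisco. It assumes a simplified pipeline (inbound ACL on the inside interface, then routing, then inside-to-outside NAT, then outbound ACL on the outside interface), that only traffic leaving the 10.10.1.0/24 range is translated, and that PAT always presents 192.168.1.2 as the translated source; the function and ACL names are invented for the example.

```python
"""Added example (not from the thread): a toy model of the Cisco IOS
inside-to-outside order of operations that the thread turns on:
inbound ACL on the inside interface -> routing -> inside-to-outside NAT
-> outbound ACL on the outside interface. Names and the simplification
that PAT always hands out 192.168.1.2 are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address

INSIDE_BASE, INSIDE_WC = "10.10.1.0", "0.0.0.255"   # the four /26s live here
PAT_ADDR = "192.168.1.2"                             # first address of the NAT pool


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"              # standard ACL: destination is "any"
    dst_wc: str = "255.255.255.255"


def acl_eval(acl, src: str, dst: str) -> bool:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


def forward(src, dst, inbound_acl=None, nat_list=None, outbound_acl=None):
    """Return (verdict, stage that dropped it, source address as seen at that stage)."""
    if inbound_acl is not None and not acl_eval(inbound_acl, src, dst):
        return ("denied", "inbound acl", src)
    leaves_inside = not wildcard_match(dst, INSIDE_BASE, INSIDE_WC)
    translated = src
    if leaves_inside and nat_list is not None and acl_eval(nat_list, src, dst):
        translated = PAT_ADDR          # NAT rewrites the source before the outbound ACL runs
    if leaves_inside and outbound_acl is not None and not acl_eval(outbound_acl, translated, dst):
        return ("denied", "outbound acl", translated)
    return ("forwarded", None, translated)


# ACLs transcribed from the thread's configs (constructed data for this model).
ACL_1 = [Ace("permit", "10.10.1.0", "0.0.0.255")]                     # NAT source list
ACL_2 = [Ace("deny", "10.10.1.64", "0.0.0.63"),                       # Eric's ACL, out on fa1/0
         Ace("permit", "10.10.1.0", "0.0.0.255")]
ACL_101 = [Ace("permit", "10.10.1.64", "0.0.0.63", "10.10.1.0", "0.0.0.255"),
           Ace("deny", "10.10.1.64", "0.0.0.63")]                     # Jon's ACL, in on e2/1


def eric_config(src, dst):
    """ACL 2 outbound on fa1/0: it sees the post-NAT source, so nothing matches."""
    return forward(src, dst, nat_list=ACL_1, outbound_acl=ACL_2)


def jon_config(src, dst):
    """ACL 101 inbound on e2/1; only packets from 10.10.1.64/26 enter that interface."""
    inbound = ACL_101 if wildcard_match(src, "10.10.1.64", "0.0.0.63") else None
    return forward(src, dst, inbound_acl=inbound, nat_list=ACL_1)


if __name__ == "__main__":
    hosts = ["10.10.1.2", "10.10.1.66", "10.10.1.130", "10.10.1.194"]
    for name, cfg in (("Eric", eric_config), ("Jon", jon_config)):
        for h in hosts:
            print(name, h, "-> 10.10.2.2", cfg(h, "10.10.2.2"))
    print("Jon 10.10.1.66 -> 10.10.1.130", jon_config("10.10.1.66", "10.10.1.130"))
```

Running it reproduces the symptom in the pings above: under the first configuration every host is dropped by the outbound ACL, because the source it inspects is already 192.168.1.2 and matches neither line of access-list 2, so the implicit deny fires. Under the inbound ACL placement only 10.10.1.64/26 is stopped, and it is stopped before NAT ever sees the packet, while that subnet can still reach the other 10.10.1.x subnets.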
10-16-2017 11:27 PM
I have an IP in a VLAN, and I want to create an access-list that denies all IPs from my LAN from communicating with this IP; I want only 4 IPs to be able to communicate with it. Can anyone help me?
I want to configure this access list on a Cisco 4507 switch.