Solved: Re: access-list for 255.255.248 subnet

visteknetworking · ‎03-12-2010

Hi

I am in the proccess to change my subnet mask from 192.168.0.0/24 to 192.168.0.0/21 bit due to shortage of ip addresses

I am stuck at cisco 2811 router I as don't know exctly which access-list I need to apply.

below is my current access-list

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 2xx.xx.1xx.1xx 0.0.0.7
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 2xx.1xx.2xx.xx 0.0.0.3 host xx.xx.xx.xx
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.31
access-list 130 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 permit ip 192.168.0.0 0.0.0.248 any
access-list 199 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

Please advice

Thanks

Aaron Harrison · ‎03-12-2010

192.168.0.0/21 = 192.168.0.0 0.0.7.255

Regards

Aaron

Please rate helpful posts..

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

Aaron Harrison · ‎03-12-2010

192.168.0.0/21 = 192.168.0.0 0.0.7.255

Regards

Aaron

Please rate helpful posts..

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

visteknetworking · ‎03-12-2010

thank you very much

works as I hoped it will

i gave you full raitng

Jon Marshall · ‎03-12-2010

If you want to work these out in future -

255.255.248.0

with a reverse mask 255 = 0 so

255.255. = 0.0.

0 = 255

so

255.255.248.0 = 0.0.x.255

to work out what value to use for the 3rd octet ie. 248 subtract 248 from 255 so

255 - 248 = 7

so full mask = 0.0.7.255

another example 255.192.0.0

255 = 0

0 = 255

so 0.x.255.255

to get x

255 - 192 = 63

so full mask = 0.63.255.255

Jon

visteknetworking · ‎03-17-2010

Thank you for the note.

I have notices that i can't access LAN through VPN after changing to subnet as described in post above.

I understand that it's related to access-list once again and based on your explanation tried to change it but no luck so far.

I was wondering if it possible to let me know how it can be fixed.

ip local pool ippool 192.168.6.2 192.168.6.25

access-lists

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 2xx.xx.1xxx.1xx 0.0.0.7
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 2xx.1xx.2xx.xx 0.0.0.3 host 6x.xx.xx.xx
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.31
access-list 130 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 permit ip 192.168.0.0 0.0.7.255 any
access-list 130 deny   ip 192.168.0.0 0.0.7.255 192.168.6.0 0.0.0.31
access-list 199 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.7.255 192.168.6.0 0.0.0.255

route-map nonat permit 10
match ip address 130
match interface Serial0/1/0

Thank you