cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
733
Views
3
Helpful
6
Replies

Re: access-list checker

Sectech1
Level 1
Level 1

This is the current ACL that is blocking this range. 

410 deny ip any 10.250.0.0 0.0.255.255

I want to allow just 1 host from the above range to go through

6 Replies 6

Sectech1
Level 1
Level 1

Hi Guys

I have access list that deny a range of IPs to the internet.

I want to allow individual host to internet to talk to a server in the internet. can you please help?

@Sectech1 you can add allowed host entry on high priority on existing ACL, like

409 permit ip any <IP_you_Want_to_Allow> 0.0.0.0

if still you facing issue, i would request please share output of below commands

  • sh ip access-list
  • sh run | Sec access-list

Rich R
VIP
VIP

You should probably read and understand these pages to get a basic understanding of how ACLs work:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
And if you search you'll find hundreds of examples and videos.

In this case you just need to insert a line before 410 with:
"permit ip host <ip address> any" or maybe "permit ip any host <ip address>" depending on where your ACL is configured and which direction you're filtering the traffic.

Hello
So then you would need to amend that access-list to permit that single host and to do that an additional access-list control entry (ace) needs to be added and serviced before that 410 deny ace

example:
ip access-list extended xxx
409 permit ip any host 10.250.x.x 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul's provided the direct answer.

To be clear, the x.x in 10.250.x.x would be any specific/one address, from 10.250.0.0 to 10.250.255.255.  I.e. although for a /16, the useable range is 10.250.0.1 to 10.250.255.254, the new ACE matches one address within the /8 address block range.

Paul also shows the new ACE with a sequence number of 209.

First, it's possible 209 is being used.  Second, what's important is the new permit ACE is before the current deny ACE.  Third, having the two ACEs, back to back, is helpful from a maintenance standpoint.

what direction of this ACL ? 

Review Cisco Networking for a $25 gift card