03-08-2011 11:33 PM - edited 03-06-2019 03:59 PM
I want to know how to create an access list to block all intranet IP ranges & allow the other (internet) IP ranges.
NATted IP to 10.7.145.2 (which has internet access), range 255.255.255.128 (setting up wifi on a Linksys router).
I did it this way & couldn't succeed in creating the access list; I have no idea whether I was doing it the correct way or not.
access-list 102 permit ip 10.7.145.0 0.0.0.128 10.7.145.0 0.0.0.128 ( communicate within this range )
access-list 102 permit ip 10.7.145.0 0.0.0.128 192.168.248.1 0.0.0.0 ( 248.1 is the main gateway )
access-list 102 permit ip 10.7.145.0 0.0.0.128 192.168.248.2 0.0.0.0 ( 248.2 is firewall internal ip )
block all intranet ip range ( not actual command )
allow all internet ip range ( not actual command )
But the above is not working.
Can somebody help me?
03-08-2011 11:44 PM
Hi,
I want to know how to create an access list to block all intranet IP ranges & allow the other (internet) IP ranges.
Can you be more precise please and if possible post a diagram.
Regards.
Alain.
03-09-2011 12:04 AM
03-09-2011 12:36 AM
Hi,
Why do the ACLs on the L2 device?
Block what from what? This is very vague.
Regards.
03-09-2011 01:00 AM
10.7.145.0/25 is on a VLAN on the L3 switch.
The Linksys router is connected to port 45 of the L2 switch, so I want to create the access list on the L2 switch & assign the access-group only to port 45.
I don't want 10.7.145.0/25 to peep into the other internal VLANs (full blockage to the internal LAN VLANs & full access to the outside world).
03-09-2011 01:20 AM
I created it like this & it worked. Does anything need to be modified to secure it from the outside world? (The main purpose is that 10.7.145.0/25 should not be able to access the inside private IP range.) Is the below ACL OK? Will the below deny list allow IP addresses starting with 172.32.0.0?
access-list 102 deny ip 10.7.145.1 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny ip 10.7.145.1 0.0.0.255 172.16.0.0 0.15.255.255
access-list 102 deny ip 10.7.145.1 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.7.245.1 0.0.0.255 any
03-09-2011 01:31 AM
The main purpose is that 10.7.145.0/25 should not be able to access the inside private IP range; is the below ACL OK?
10.7.145.0/24 will be denied by your ACL, so 10.7.145.0/25, which is a subnet of it, will be denied, but all the other subnets will be too.
Will the below deny list allow IP addresses starting with 172.32.0.0?
access-list 102 permit ip 10.7.245.1 0.0.0.255 any will permit access to 172.32.0.0 from 10.7.245.0,
and the implicit deny all at the end will deny access from anything else (including 10.7.145.0) to anything (including 172.32.0.0).
Regards.
Alain.
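An added example, not from this thread or from Cisco: a small Python model of wildcard-mask matching and first-match evaluation, run over the ACL as posted and over a corrected version. The corrected list is my reading of the thread's intent (source 10.7.145.0/25, intra-subnet traffic allowed, RFC 1918 ranges denied, everything else permitted) and is an assumption, not something the thread confirms on the switch.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC SRC-WC DST|any [DST-WC]' lines."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        action, src, src_wc = p[2], p[4], p[5]
        dst, dst_wc = ("0.0.0.0", "255.255.255.255") if p[6] == "any" else (p[6], p[7])
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


# The list exactly as posted above (note the 10.7.245.1 typo on the permit line).
POSTED = parse_acl("""
access-list 102 deny ip 10.7.145.1 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny ip 10.7.145.1 0.0.0.255 172.16.0.0 0.15.255.255
access-list 102 deny ip 10.7.145.1 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.7.245.1 0.0.0.255 any
""")

# Assumed correction: /25 wildcard is 0.0.0.127 (the first post's 0.0.0.128 ignores only
# bit 7, not the low seven bits), and the intra-subnet permit must come before the 10/8 deny.
CORRECTED = parse_acl("""
access-list 102 permit ip 10.7.145.0 0.0.0.127 10.7.145.0 0.0.0.127
access-list 102 deny ip 10.7.145.0 0.0.0.127 10.0.0.0 0.255.255.255
access-list 102 deny ip 10.7.145.0 0.0.0.127 172.16.0.0 0.15.255.255
access-list 102 deny ip 10.7.145.0 0.0.0.127 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.7.145.0 0.0.0.127 any
""")
```

Run evaluate(POSTED, "10.7.145.10", "8.8.8.8") to see why the posted list blocks the wifi subnet from the internet entirely, and evaluate(CORRECTED, "10.7.145.10", "172.32.1.1") to confirm that 172.32.0.0 falls outside the 172.16.0.0 0.15.255.255 deny, as the reply above states.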
03-09-2011 02:18 AM
It's not 10.7.245.0, it's 10.7.145.0 (actually 10.7.145.0 should have access to the entire subnet 10.7.145.0).
Is that access list OK?
03-09-2011 03:19 AM
It's not 10.7.245.0, it's 10.7.145.0 (actually 10.7.145.0 should have access to the entire subnet 10.7.145.0).
In your previous post the last line in the ACL was mentioning 10.7.245.0; maybe this was a typo when posting here, but I answered about the lines you posted.
03-09-2011 03:32 AM
Is that access list OK, or does something else need to be added?
03-09-2011 03:54 AM
Try it and see the lines' hit counts.
03-09-2011 04:44 AM
How do I check that count? Any special command?
I checked sh access-list and it was showing some numbers at the end.
03-09-2011 04:58 AM
I checked sh access-list and it was showing some numbers at the end.
Those are the hit counts.