2828 Views · 3 Helpful · 3 Replies

Access list to restrict certain IPs

mackelkin1
Level 1

I'm a software engineer with basic Cisco expertise and I have recently been tasked with managing our network infrastructure, which has a Cisco router that connects to the Internet. There is a switch which is connected to the Cisco router, and all the workstations on the LAN connect to that switch.

The Cisco router is the gateway with an IP of 192.168.1.254, and we have several wireless access points with the IPs 192.168.1.250 through to 192.168.1.253. The LAN IPs for the workstations are assigned manually because of the company IT policies, to avoid devices (phones, tablets etc.) being added to the network. All the IPs for the workstations are in the range 192.168.1.101 through to 192.168.1.150.

I would want to create a standard or extended access list that will do the following:

#1. Allow all machines that have a valid IP, i.e. any IP from 192.168.1.101 to 192.168.1.150, to connect to the Cisco router and consequently access the Internet. Thus a machine with an IP such as 192.168.1.122 would have its traffic go through.

#2. Deny any device that does not have a valid IP from connecting to the Internet. Thus a machine with an IP such as 192.168.1.15 would not get access to the Internet.

When checking the current access list configuration, it showed something along the lines of what I outline below (I can't get the exact wording since I'm not in the office):

Extended list 102

     10 192.168.1.0 0.0.0.255 any

 

I have tried reading through a lot of Cisco tutorials on the subject of ACLs, but I haven't come across one that defined a block range of IPs. I would appreciate it if someone would give me insight on how I would configure the above ACL.

2 Accepted Solutions

Hello mackelkin1,

I understand that you want to block 192.168.1.0 to 192.168.1.100 from accessing the Internet and permit the remaining addresses. There are multiple ways to do it.

You can use the ACL below to do the same.

    conf t
    ip access-list extended 102
     10 deny ip 192.168.1.0 0.0.0.63 any
     20 deny ip 192.168.1.64 0.0.0.31 any
     30 deny ip 192.168.1.96 0.0.0.3 any
     remark .96 with wildcard 0.0.0.3 only reaches .99, so .100 needs its own entry
     35 deny ip host 192.168.1.100 any
     40 permit ip any any

and apply this ACL to the physical interface (where the config is already applied in your router).

    interface gix/x
     ip access-group 102 out

You can refer to the link below for more details.

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

HTH
Regards,
VS.Suresh.
*Please rate the useful posts*


Seb Rupik
VIP Alumni

Hi there,

The ACL you listed is most likely used on the NAT statement. We can modify it to only permit the range you specified:

    !
    ip access-list ext 102
      no 10
      permit ip 192.168.1.96 0.0.0.31 any
      permit ip 192.168.1.128 0.0.0.31 any
      deny ip 192.168.1.0 0.0.0.255 any
    !

It is worth noting that the range you requested doesn't fit nicely within bit boundaries. As such, the above ACL will permit devices with a source address in the range 192.168.1.96 - 192.168.1.159. If you wanted just the range you specified, you'd need the following:

    !
    ip access-list ext 102
      no 10
      permit ip 192.168.1.101 0.0.0.0 any
      permit ip 192.168.1.102 0.0.0.1 any
      permit ip 192.168.1.104 0.0.0.7 any
      permit ip 192.168.1.112 0.0.0.15 any
      permit ip 192.168.1.128 0.0.0.15 any
      remark each base address must be aligned to its block size; .144 0.0.0.7 would also match .151
      permit ip 192.168.1.144 0.0.0.3 any
      permit ip 192.168.1.148 0.0.0.1 any
      permit ip 192.168.1.150 0.0.0.0 any
      deny ip 192.168.1.0 0.0.0.255 any
    !

Which is a bit more verbose, but would work.
cheers,

Seb.

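Both replies above work out by hand the aligned wildcard blocks that cover a range, and Seb's point about bit boundaries is the general problem behind them: an arbitrary first..last range has to be split into blocks whose base address is aligned to the block size, because IOS ignores any base-address bit that is set in the wildcard, so a misaligned entry silently matches more hosts than its author intended. The Python below is an added example, not code from either reply or from Cisco: it performs that split for any IPv4 range, renders the entries in IOS syntax, and replays the router's first-match evaluation (with the implicit deny at the end) over sample source addresses, so an ACL can be checked before it is pasted into a router. The ACL name 102, the LAN 192.168.1.0/24 and the probe addresses come from the thread; the function names are my own.

```python
import ipaddress

# Added example (not from the thread): split an inclusive IPv4 range into the
# aligned (base, wildcard) blocks an IOS ACL needs, then verify the result.


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _text(value):
    return str(ipaddress.IPv4Address(value))


def range_to_wildcard_blocks(first, last):
    """Greedy split of first..last into the fewest aligned power-of-two blocks.

    Each block is returned as (base_address, wildcard_mask); the base is always
    aligned to the block size, which is what makes the entry match exactly."""
    start, end = _ip(first), _ip(last)
    if start > end:
        raise ValueError("first address must not be above last")
    blocks = []
    while start <= end:
        size = 1
        # Double the block while it stays aligned to its size and inside the range.
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        blocks.append((_text(start), _text(size - 1)))
        start += size
    return blocks


def effective_range(base, wildcard):
    """The hosts an entry really matches: base bits under the wildcard are
    ignored, so 192.168.1.108 0.0.0.7 is widened to .104-.111 without warning."""
    b, w = _ip(base), _ip(wildcard)
    low = b & ~w & 0xFFFFFFFF
    return _text(low), _text(low | w)


def entry_matches(base, wildcard, addr):
    w = _ip(wildcard)
    return (_ip(addr) & ~w) == (_ip(base) & ~w)


def evaluate(acl, src):
    """First matching entry decides; no match at all is the implicit deny."""
    for action, base, wildcard in acl:
        if entry_matches(base, wildcard, src):
            return action
    return "deny"


def build_permit_acl(first, last):
    """ACL that permits only sources in first..last, with an explicit final deny."""
    acl = [("permit", b, w) for b, w in range_to_wildcard_blocks(first, last)]
    acl.append(("deny", "0.0.0.0", "255.255.255.255"))
    return acl


def render(name, acl):
    """IOS-style text for a named extended ACL (source matching only)."""
    lines = [f"ip access-list extended {name}"]
    for action, base, wildcard in acl:
        src = "any" if wildcard == "255.255.255.255" else f"{base} {wildcard}"
        lines.append(f"  {action} ip {src} any")
    return "\n".join(lines)


def verify_exact(acl, first, last, network="192.168.1.0/24"):
    """True if, over the whole LAN, exactly first..last is permitted."""
    low, high = _ip(first), _ip(last)
    for host in ipaddress.IPv4Network(network):
        want = "permit" if low <= int(host) <= high else "deny"
        if evaluate(acl, str(host)) != want:
            return False
    return True


if __name__ == "__main__":
    acl = build_permit_acl("192.168.1.101", "192.168.1.150")
    print(render("102", acl))
    # Probe addresses from the question: .122 should pass, .15 should not;
    # .100 and .151 are the off-by-one edges either side of the range.
    for probe in ("192.168.1.15", "192.168.1.100", "192.168.1.122", "192.168.1.151"):
        print(probe, "->", evaluate(acl, probe))
    print("exact match for .101-.150:", verify_exact(acl, "192.168.1.101", "192.168.1.150"))
    print("what .108 0.0.0.7 really covers:", effective_range("192.168.1.108", "0.0.0.7"))
```

Running it prints the eight permit lines plus the final deny for .101-.150, the verdict for each probe address, and a full-LAN check that nothing outside the range slips through. The same `range_to_wildcard_blocks` call on 192.168.1.0 to 192.168.1.100 gives the four deny blocks needed for the first reply's approach. Only the source field is modelled; protocol and destination matching, and where the ACL is applied (interface direction or NAT statement), are outside what this checks.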

3 Replies

mackelkin1
Level 1

Many thanks, guys. Your responses have pointed me in the right direction and I have been able to achieve my objective. I'm extremely grateful for your assistance.