Restricting access to IP Ranges

Posted on 2004-08-31
Last Modified: 2010-04-17
I am a newb to writing access lists and so far have gotten away with minimal training; however, I need some help trying to write an access list that will restrict access to certain websites or IP ranges. One of the websites is http://www.lexisnexis.com. I did an ARIN search and found that they have the following:
NetRange:   207.24.42.0 - 207.24.45.255
CIDR:       207.24.42.0/23, 207.24.44.0/23

The current access list looks something like the following which allows access to all IP ranges:
access-list 100 permit tcp host 192.168.113.160 any eq 443
access-list 100 permit tcp host 192.168.113.160 any eq www

What would be the easiest way to rewrite the access list to let machine 192.168.113.160 access the range 207.24.42.0 - 207.24.45.255?

Any help or point in the right direction would be appreciated greatly.


Question by:ford_james
LVL 3

Assisted Solution

by:fatlad
fatlad earned 25 total points
ID: 11950098
The access list you have there will allow this to occur; the second line will allow the client to access all HTTP traffic on port 80.

If you want to change this so that the range outlined is the only set of sites it can see, you could enter 510 ACEs, one for each host (just joking), OR you will need to delve into the dark and murky world of the inverse mask!! Come with me now....

I assume that you are familiar with a subnet mask, both in terms of decimal and binary forms.

To set an ACL mask the figures are reversed, so when it is shown in binary the 1s are referring to bits that you want the ACL to check and 0s are what the ACL can ignore. So for your example:

We are looking at the third octet as the important one (the first two octets, 207.24, will remain the same). Let's first change the figures into binary:

      128   64   32   16    8    4    2    1
42      0    0    1    0    1    0    1    0
43      0    0    1    0    1    0    1    1
44      0    0    1    0    1    1    0    0

From this we can see that the first 5 bits are the same (00101) for all three figures. However, if we were to only consider the final 3 we would also be including 40, 41 and 45 - 47, which we don't want. We will therefore need to have two ACEs: one for 42 & 43 (which can be summarised with the first seven bits) and one for 44, which needs to have all the bits in the third octet reviewed.

The new ACL lines would therefore be:

access-list 100 permit tcp host 192.168.113.160 207.24.42.0 0.0.1.255
access-list 100 permit tcp host 192.168.113.160 207.24.24.0 0.0.0.255

You could, of course, add the eq keyword to the end of both ACEs to restrict the layer 4 traffic if you want.

Hope that helps

FatLad
LVL 11

Accepted Solution

by:PennGwyn
PennGwyn earned 25 total points
ID: 11954154
> access-list 100 permit tcp host 192.168.113.160 207.24.24.0 0.0.0.255

should be

access-list 100 permit tcp host 192.168.113.160 207.24.44.0 0.0.1.255

Note that they have four adjacent Class C blocks, and so it would be tempting to write it as a single /22, using 0.0.3.255 as the wildcard mask.  But their blocks aren't aligned on a /22 boundary, so this can't work.


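As an added example (not code from either answer), here is a small Python script that performs the summarisation fatlad worked through by hand and the alignment check PennGwyn raises: it splits the 207.24.42.0 - 207.24.45.255 range into aligned blocks, emits one ACE per block in the question's format, and reports whether a single wildcard mask could have covered the whole range. The source host, ACL number and port keyword are taken from the question; everything else is assumed.

```python
import ipaddress


def wildcard_aces(first, last, src_host="192.168.113.160", acl=100,
                  proto="tcp", port=None):
    """Split an inclusive IPv4 range into the fewest aligned blocks and
    return one Cisco-style ACE (network + wildcard mask) per block.
    src_host/acl/proto/port default to the values in the question."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    suffix = f" eq {port}" if port else ""
    aces = []
    for net in blocks:
        # The wildcard (inverse) mask is the bitwise inverse of the subnet
        # mask; ipaddress exposes it directly as hostmask (e.g. /23 -> 0.0.1.255).
        aces.append(f"access-list {acl} permit {proto} host {src_host} "
                    f"{net.network_address} {net.hostmask}{suffix}")
    return aces


def single_wildcard(first, last):
    """Return the wildcard mask if ONE ACE can cover the range exactly,
    otherwise None. A single mask works only when the range size is a
    power of two and the first address is aligned to that size."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    size = b - a + 1
    if size & (size - 1) == 0 and a % size == 0:
        return str(ipaddress.IPv4Address(size - 1))
    return None


def common_prefix_bits(octets):
    """Number of leading bits shared by all given octet values, i.e. the
    column count in fatlad's binary table that the ACL may 'ignore' after."""
    bits = 8
    for v in octets:
        bits = min(bits, 8 - (v ^ octets[0]).bit_length())
    return bits


if __name__ == "__main__":
    for ace in wildcard_aces("207.24.42.0", "207.24.45.255", port="www"):
        print(ace)
    # None: 42.0-45.255 is 1024 addresses but not /22-aligned, as PennGwyn notes
    print(single_wildcard("207.24.42.0", "207.24.45.255"))
    print(common_prefix_bits([42, 43, 44]), common_prefix_bits([42, 43]))
```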