Solved

Access List for Cisco # 2

Posted on 2009-02-23
Last Modified: 2012-05-06
Hi,

1) There is the following access list which I am still confused about (for some portion) (and I do not have the "practice labs" to try it).
2) The information is as follows:
- The Host IP : 192.168.1.128/28
- The Server is 192.168.1.5
- The Goal : To block only Telnet access by the Host to the Server
- The Access list: i) access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23,
ii) access-list 101 permit ip any any

3) The thing that I do not understand: i) ...... 192.168.1.5 0.0.0.0 .....
4) My Question: i) Why is it ....0.0.0.0 ? (Why NOT .....0.0.0.15?)
5) Any help?
6) Thank you

Tjie
Question by:tjie

5 Comments
LVL 10

Assisted Solution

by:kyleb84
kyleb84 earned 600 total points
ID: 23717427
access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23

This isn't the correct way; this is actually blocking Telnet
- From 192.168.1.128 - 192.168.1.143
- To 192.168.1.5

The correct ACL to BLOCK Telnet access to 192.168.1.128 FROM 192.168.1.5

access-list 101 deny tcp host 192.168.1.5 host 192.168.1.128 eq telnet
access-list 101 permit ip any any

This ACL would then be applied on the port closest to the server on OUTBOUND traffic (From the switch, to the server).
LVL 10

Assisted Solution

by:kyleb84
kyleb84 earned 600 total points
ID: 23717469
Ah sorry, just noticed the /28

Revised to fit 192.168.1.128/28

access-list 101 deny tcp host 192.168.1.5 192.168.1.128 0.0.0.15 eq telnet
( DENY TCP FROM HOST 192.168.1.5 TO 192.168.1.128 - 143 with DEST PORT 23 )

LVL 10

Assisted Solution

by:kyleb84
kyleb84 earned 600 total points
ID: 23717491
Oh, and don't forget the:

# access-list 101 permit ip any any

After the deny rule, Cisco assumes there's an invisible DENY ANY ANY at the end of every ACL, so you must put a permit any any, else you'll block EVERYTHING.

LVL 5

Accepted Solution

by:ionut_mir
ionut_mir earned 1400 total points
ID: 23719117
A wildcard of 0.0.0.0 means that it is a host address.
You can use the command as well:
access-list 101 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23 --> I replaced 0.0.0.0 with the word "host", but I put this in front of the IP address.

Wildcards are used like subnet masks but in inverse mode: "0" makes a match, "1" is don't care.

If you put 0.0.0.15, this access-list will deny any IP from the range 192.168.1.0 - 128 and to any address of the same range. You need to block the access only to one host. That is why the "host wildcard" - 0.0.0.0 - is used.

Hope you get something! :)

LVL 10

Expert Comment

by:kyleb84
ID: 23726607
"If you put 0.0.0.15 this access-list will deny any IP from range 192.168.1.0 - 128"

A single wildcard value that blocks 0-128 and allows the rest isn't possible, since the bit to make 128 is the eighth (1000 0000), and therefore it would block the entire 0-255 range when put with the rest to block 0-127 (0111 1111).

.15, as the author wrote, is /28 and only matches 16 addresses.

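An added worked example (not part of any answer above, and not Cisco's own code): a small Python model of IOS wildcard matching and top-down ACL evaluation. It shows the 16-address block that 0.0.0.15 covers, why the server side of the entry uses 0.0.0.0 (a single host), what 0.0.0.15 would cover there instead, and the implicit deny at the end of a list when the `permit ip any any` line is left off. The port-name table, the parser, the `evaluate` function and the sample packets are constructed for this illustration; only `deny`/`permit` entries with optional `eq` port clauses are understood.

```python
import ipaddress

# Named ports accepted in place of numbers (small subset, constructed for this example)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_range(address: str, wildcard: str) -> tuple:
    """First and last address matched by an IOS address/wildcard pair.

    Wildcard bits set to 0 must equal the given address; bits set to 1 are
    "don't care". 0.0.0.0 therefore matches exactly one host, and 0.0.0.15
    matches a block of 16 addresses (the /28 from the question).
    """
    addr, wc = _to_int(address), _to_int(wildcard)
    first = addr & ~wc & 0xFFFFFFFF
    last = first | wc
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """True when candidate agrees with address on every wildcard-0 bit."""
    mask = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & mask) == (_to_int(candidate) & mask)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A W' starting at tokens[i]; returns ((addr, wc), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' clause; returns (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one numbered extended access-list entry (hypothetical minimal parser)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    i = 4                      # tokens: access-list <num> <action> <proto> ...
    src, i = _parse_addr(t, i)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, sport=None, dport=None) -> str:
    """Walk the ACL top-down; first match wins; no match is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(*ace["src"], src) or not wildcard_match(*ace["dst"], dst):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"


# The ACL from the question, as written
ACL_QUESTION = [
    "access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    print(wildcard_range("192.168.1.128", "0.0.0.15"))   # the /28 host block
    print(wildcard_range("192.168.1.5", "0.0.0.0"))      # exactly the server
    print(wildcard_range("192.168.1.5", "0.0.0.15"))     # what 0.0.0.15 on the server side would cover
    # Constructed sample packets: host 192.168.1.130 talking to the server
    print(evaluate(ACL_QUESTION, "tcp", "192.168.1.130", "192.168.1.5", dport=23))
    print(evaluate(ACL_QUESTION, "tcp", "192.168.1.130", "192.168.1.5", dport=80))
    # Same ACL without the permit line: everything else hits the implicit deny
    print(evaluate(ACL_QUESTION[:1], "tcp", "192.168.1.130", "192.168.1.5", dport=80))
```

Running the block prints the 192.168.1.128-143 range for the host side, the single address 192.168.1.5 for the 0.0.0.0 wildcard, and 192.168.1.0-15 for a 0.0.0.15 wildcard on the server side; Telnet from the host block to the server is denied, other traffic is permitted by the second line, and with that line removed the same traffic falls through to the implicit deny.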