
Help with ACL's please

20 years 4 weeks ago #5641 by kevinbroga
Research & Development

223.0.0.0/26- Net address
223.0.0.1 -default gateway
223.0.0.2 -vlan address
223.0.0.3 ~ .62 223.0.0.63 -host addresses
255.255.255.192 -subnet mask

The 223.0.0.3 address is saved for the department head; they have access to everything. I have created this access list with the hosts not having FTP or Telnet access. Could someone tell me if it will work like this:

access-list 111 permit host 223.0.0.3
access-list 111 permit ip any host 223.0.0.0 0.0.0.255 any eq www
access-list 111 deny ip any host 223.0.0.0 0.0.0.255 any eq ftp
access-list 111 deny ip any host 223.0.0.0 0.0.0.255 any eq telnet

Thanks and any help will be wonderful.
Kevin
20 years 4 weeks ago #5642 by kevinbroga
I just want to know if I put these on the router, will they work.

Thanks
Kevin
20 years 4 weeks ago #5643 by FallenZer0

access-list 111 permit host 223.0.0.3
access-list 111 permit ip any host 223.0.0.0 0.0.0.255 any eq www
access-list 111 deny ip any host 223.0.0.0 0.0.0.255 any eq ftp
access-list 111 deny ip any host 223.0.0.0 0.0.0.255 any eq telnet

Thanks and any help will be wonderful.
Kevin


--Looking at the access-list I can say it won't work. The reason being, if you want to filter the network by Application Layer, you MUST choose an entry here that allows you to go up through the OSI model. So, for www, ftp, telnet you must choose *TCP*. If you were to choose IP as you did, you would never leave the Network Layer.

So change the Protocol field entry from IP to TCP.

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
20 years 4 weeks ago #5645 by kevinbroga
Thanks a whole lot
19 years 6 months ago #8561 by andrewk1
Replied by andrewk1 on topic Kinda off topic
Hi all. You all seem knowledgeable in ACLs, so if I may ask a question? How would one make an ACL that blocks odd IPs, such as 192.168.15.1 - 192.168.15.3 ..... , but lets through even IPs, aka 192.168.15.2 - 192.168.15.4 etc.... If you can help me, I would be greatly appreciative.
19 years 6 months ago #8570 by stefke
Replied by stefke on topic Re: Help with ACL's please
Greetings,

In reply to FallenZer0's post:

I was under the presumption that if you specify IP, it included TCP, UDP and ICMP. My guess would be that the ACL's posted by kevinbroga would work.

Greetings,

Stefan
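
An added example, not part of any post in this thread: a simplified Python model of extended-ACL matching (first match wins, implicit deny at the end, Cisco-style wildcard masks). It shows that a port match needs `tcp` or `udp`, that an `ip` entry matches every IP protocol, and how wildcard `0.0.0.254` separates odd from even hosts. The class and function names, the `0.0.0.63` wildcard (the inverse of the 255.255.255.192 mask given in the first post) and the rewritten entries are assumptions for illustration; destination matching is left out.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

class Entry:  # hypothetical model of one access-list line (source side only)
    def __init__(self, action, proto, src, src_wc, dport=None):
        # A port operator such as "eq www" only applies to tcp/udp entries.
        if dport is not None and proto not in ("tcp", "udp"):
            raise ValueError("port match requires tcp or udp, not " + proto)
        self.action, self.proto = action, proto
        self.src, self.src_wc, self.dport = src, src_wc, dport

    def matches(self, proto, src, dport):
        if self.proto != "ip" and self.proto != proto:
            return False  # an "ip" entry matches tcp, udp and icmp alike
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        return self.dport is None or self.dport == dport

def evaluate(acl, proto, src, dport=None):
    """First matching entry wins; no match falls to the implicit deny."""
    for entry in acl:
        if entry.matches(proto, src, dport):
            return entry.action
    return "deny"

# Constructed rewrite of list 111 with tcp on the port-based entries.
ACL_111 = [
    Entry("permit", "ip", "223.0.0.3", "0.0.0.0"),       # department head
    Entry("permit", "tcp", "223.0.0.0", "0.0.0.63", 80),  # www
    Entry("deny", "tcp", "223.0.0.0", "0.0.0.63", 21),    # ftp
    Entry("deny", "tcp", "223.0.0.0", "0.0.0.63", 23),    # telnet
]

# Constructed odd/even filter: only the last address bit is compared.
ODD_EVEN = [
    Entry("deny", "ip", "192.168.15.1", "0.0.0.254"),    # odd hosts
    Entry("permit", "ip", "192.168.15.0", "0.0.0.254"),  # even hosts
]

if __name__ == "__main__":
    for port in (80, 21, 23, 443):
        print(port, evaluate(ACL_111, "tcp", "223.0.0.10", port))
    for host in range(1, 5):
        print(host, evaluate(ODD_EVEN, "icmp", "192.168.15.%d" % host))
```

In this model port 443 from an ordinary host is denied by the implicit deny, so the explicit ftp and telnet deny lines do not change the outcome.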