Skip to main content

Acess List for range of hosts

More
16 years 9 months ago #25145 by jtartist
Just a hypothetical, if I wanted to setup an access list that
would only permit hosts .1 thru .10 access to the web, would this
be the correct way to do this without giving other hosts on the /24 network access?

access-list 101 permit tcp 192.168.1.0 0.0.0.4 any eq 80
access-list 101 permit tcp host 192.168.1.8 any eq 80
access-list 101 permit tcp host 192.168.1.9 any eq 80
access-list 101 permit tcp host 192.168.1.10 any eq 80


I was thinking if I were to setup something like this...

access-list 101 permit tcp 192.168.1.0 0.0.0.8 any eq 80

...that it would give users between 1 thru 15 access. I'm not
sure if I'm understandig this the right way though, so I'm hoping someone can clarify this for me if I'm incorrect.

Thanks,

JT
More
16 years 9 months ago #25146 by Smurf
Hi,

Remember for the inverse mask youi subtract it from 255, so

To have the 8 hosts (0-7), you would have a subnet of;

255.255.255.248.

255.255.255.255
- 255.255.255.248
0 . 0 . 0 . 7

Therefore, for you example, you would in fact have;

access-list 101 permit tcp 192.168.1.0 0.0.0.7 any eq 80

then the others you identified.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
16 years 9 months ago #25157 by emperorz
yes, the above explanation seems fine :

In this type of scenario, first calculate the subnet mask, subtract it from from 255 to get the wild card mask.
then use one single acl statement to cover a range of hosts.If for specified hosts, the wildcard mask should be 0.0.0.0 ( all bits to match)
Time to create page: 0.116 seconds