Calling all Cisco bods.
Having a bit of a 'mare with this access list/security issue... any help appreciated!
Have spent far too many hours over the past few days trying to get it to work, I am pretty sure the problem lies in me not understanding the wildcard masks correctly.
Diagram of the network can be found here - http://www.thebeef.org/network.JPG
The goal is to do the following:
1) Prevent machines from within Boaz LAN (172.23.0.0/5) from accessing anything other than fileserver 1.
2) Machines on Center LAN can access anywhere on the network
3) Routers can access anywhere
The first thing I tried was to set up an extended ACL that denied all traffic unless its destination was the fileserver, and apply this to fa0/0 inbound on Boaz. ACL used:
access-list 150 permit ip any host 172.23.48.2
(access-list 150 deny ip any any)
ip access-group 150 in
This achieved goal 1 (machines on Boaz could not ping anything but the fileserver). However, only the fileserver could ping within the Boaz LAN.
I also tried a number of other ACLs based around the following:
permit ip any host 172.23.48.2
deny ip 172.23.80.0 0.0.0.254 any
permit ip any any
The way I read the above is as follows. 1) Any traffic going to the fileserver is allowed. 2) Any traffic sourced within Boaz LAN (other than what was allowed by (1)) is denied. 3) The remaining traffic (anything sourced from outside Boaz) is allowed to pass through the Ethernet port (i.e. pings initiated by WS2).
However this did exactly the same, and again only fileserver 1 could ping within the LANs.
Am I missing something blatantly obvious here guys?
If anyone could help that would be awesome, as I'm pulling me hair out!
Cheers
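A worked example, added here and not part of the post above, that evaluates Cisco-style wildcard masks and walks a packet through an ACL the way IOS does (first match wins, implicit deny at the end). It replays the two ACLs from the post; the WS2 address 172.23.64.5 is a constructed value, since the diagram is not reproduced here, and the function and constant names are mine.

```python
import ipaddress

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bit 1 = 'don't care', bit 0 = 'must equal base'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def prefix_to_wildcard(prefixlen: int) -> str:
    """/24 -> 0.0.0.255, /21 -> 0.0.7.255: the inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))

def count_matches(base: str, wildcard: str, net: str) -> int:
    """How many addresses of a network a base/wildcard pair actually covers."""
    return sum(wildcard_matches(str(ip), base, wildcard)
               for ip in ipaddress.IPv4Network(net))

# An ACL is a list of (action, src_base, src_wc, dst_base, dst_wc).
ANY = ("0.0.0.0", "255.255.255.255")
def host(ip: str):
    return (ip, "0.0.0.0")

def evaluate_acl(acl, src: str, dst: str) -> str:
    for action, sb, sw, db, dw in acl:
        if wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw):
            return action  # first matching entry decides
    return "deny"          # implicit deny at the end of every IOS ACL

# ACL 150 from the post, applied inbound on fa0/0: it only sees packets
# entering the router from the Boaz LAN, including the reply half of a ping.
ACL_150 = [("permit", *ANY, *host("172.23.48.2"))]

# The second ACL from the post, with the 0.0.0.254 wildcard as written.
POSTED_ACL = [("permit", *ANY, *host("172.23.48.2")),
              ("deny", "172.23.80.0", "0.0.0.254", *ANY),
              ("permit", *ANY, *ANY)]

BOAZ_HOST, ODD_BOAZ_HOST, FILESERVER, WS2 = (
    "172.23.80.10", "172.23.80.11", "172.23.48.2", "172.23.64.5")  # constructed

def ping_from_ws2_allowed(acl) -> bool:
    """Echo request WS2->Boaz leaves fa0/0 unfiltered; only the
    echo reply Boaz->WS2 is checked by the inbound ACL."""
    return evaluate_acl(acl, BOAZ_HOST, WS2) == "permit"
```

Run `count_matches("172.23.80.0", "0.0.0.254", "172.23.80.0/24")` to see that a 0.0.0.254 wildcard covers only the even addresses of that /24, and `ping_from_ws2_allowed(ACL_150)` to see the reply leg of a ping from WS2 being dropped.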