Routing question: access lists

questionz (n00b, joined Apr 5, 2004, 2 messages)
I just had a question that my instructor provided me with, and I'm not sure if what I'm doing is right. Help making an access list?


-The company has an Internet Web Server host that all systems can reach at IP address 172.16.0.1 with only HTTP access. No other protocols will be permitted to this site.
-The company also has a server pool in the 209.0.0.0/24 network. Server pool addresses are divided in half. The servers in the upper half of the address range are reachable by management hosts using all possible IP protocols. The servers in the lower half of the address range are reachable by all LAN hosts using all possible IP protocols. The servers should not be accessible by any other hosts.
-Company has discovered an Internet Web server at 198.0.0.1 that contains viruses. All hosts are banned from reaching the site.

production host IP 172.25.32.1
management host IP 172.25.35.253
subnets 255.255.252.0
 
I hate reading problems! But here's my lame-assed attempt at it.

I do not grasp your definition of management without the appropriate subnet mask. Is it a single management IP or a range? It is not clear what the range is, and any possible solution is minimally impacted by it. In one spot you say management hosts, and in the list you designate the management host, singular.

The explicit deny is not required but I like to include them as they are easier to think about when you see them in print. You also did not say what the default action was and it will, therefore, be denial of access.

access-list whatever permit tcp any host 172.16.0.1 eq www
access-list whatever permit ip 172.25.I-dont-understand somemask-to-go-along-with-this 209.0.0.128 0.0.0.127
access-list whatever permit ip 172.25.I-still-dont-understand somemask-to-go-along-with-this 209.0.0.0 0.0.0.127
access-list whatever deny ip any host 198.0.0.1 (or deny ip any any as is the default implicit which would include this)
 
This is what I got:
access-list 101 deny tcp host 0.0.0.0 198.0.0.1 0.0.0.0 eq www
access-list 101 deny tcp 172.25.32.1 0.0.0.0 209.0.0.0.0 0.0.0.127
access-list 101 deny tcp 172.25.35.253 0.0.0.0 209.0.0.128 0.0.0.127
access-list 101 permit tcy any 172.25.0.0 172.16.0.1
access-list 101 permit any any

But when I used this I couldn't ping my router from my PC, or the PC from the router. What should I change?
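An added example, not from anyone in the thread: a small evaluator that mimics how IOS processes a numbered extended access-list (entries tried in order, first match decides, anything unmatched hits the implicit deny ip any any, and wildcard masks where a 1 bit means don't-care). It builds the ACL the reply outlines and runs the hosts from the question through it. Assumptions the thread does not state: the LAN is 172.25.32.0/22 (wildcard 0.0.3.255, taken from the 255.255.252.0 mask), the management side is the single host 172.25.35.253, the router's LAN address is 172.25.32.254, and the ACL is applied inbound on the LAN interface. The names `AclEntry`, `evaluate`, `check_thread_cases` and `ping_router_with_icmp_permit` are mine, not IOS commands.

```python
"""First-match evaluator for Cisco-style numbered extended ACL lines.

Added example, not part of the thread. Models what IOS does with an access-list:
entries are tried in order, the first match decides, and a packet matching no
entry hits the implicit 'deny ip any any'. Wildcard masks are Cisco-style:
a 1 bit is don't-care, a 0 bit must match the address exactly.
"""
import ipaddress
from typing import List, Optional, Tuple

# Port keywords IOS accepts after 'eq' (subset).
PORT_KEYWORDS = {"www": 80, "http": 80, "https": 443, "ftp": 21,
                 "telnet": 23, "smtp": 25, "domain": 53}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i].
    Returns (address, wildcard, index of next token)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


class AclEntry:
    """One 'access-list N permit|deny proto src dst [eq port]' line."""

    def __init__(self, line: str):
        self.text = " ".join(line.split())
        tok = self.text.split()
        if tok[0] == "access-list":      # drop the 'access-list 101' prefix
            tok = tok[2:]
        self.action, self.proto = tok[0], tok[1]
        self.src, self.src_wc, i = _parse_addr(tok, 2)
        self.dst, self.dst_wc, i = _parse_addr(tok, i)
        self.dport: Optional[int] = None
        if i < len(tok) and tok[i] == "eq":
            self.dport = PORT_KEYWORDS.get(tok[i + 1]) or int(tok[i + 1])

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:   # 'ip' covers every protocol
            return False
        # Wildcard test: bits where the wildcard is 0 must be equal.
        if (_ip(src) ^ self.src) & ~self.src_wc & 0xFFFFFFFF:
            return False
        if (_ip(dst) ^ self.dst) & ~self.dst_wc & 0xFFFFFFFF:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, text of the deciding entry); first match wins."""
    for e in acl:
        if e.matches(proto, src, dst, dport):
            return e.action, e.text
    return "deny", "implicit deny ip any any"


# Assumptions not stated in the thread: LAN = 172.25.32.0/22 (wildcard
# 0.0.3.255, from the 255.255.252.0 mask given), management = the single host
# 172.25.35.253, router LAN address = 172.25.32.254, ACL applied inbound on
# the LAN interface. The ACL itself follows the reply's outline.
ACL_101 = [AclEntry(l) for l in """
access-list 101 deny   ip  any host 198.0.0.1
access-list 101 permit tcp any host 172.16.0.1 eq www
access-list 101 permit ip  host 172.25.35.253 209.0.0.128 0.0.0.127
access-list 101 permit ip  172.25.32.0 0.0.3.255 209.0.0.0 0.0.0.127
""".splitlines() if l.strip()]

PRODUCTION, MANAGEMENT, ROUTER = "172.25.32.1", "172.25.35.253", "172.25.32.254"


def check_thread_cases() -> dict:
    """Traffic from the question, each reduced to the action IOS would take."""
    return {
        "prod_http_to_web":       evaluate(ACL_101, "tcp", PRODUCTION, "172.16.0.1", 80)[0],
        "prod_ftp_to_web":        evaluate(ACL_101, "tcp", PRODUCTION, "172.16.0.1", 21)[0],
        "prod_to_lower_pool":     evaluate(ACL_101, "tcp", PRODUCTION, "209.0.0.77", 22)[0],
        "prod_to_upper_pool":     evaluate(ACL_101, "tcp", PRODUCTION, "209.0.0.200", 22)[0],
        "mgmt_to_upper_pool":     evaluate(ACL_101, "icmp", MANAGEMENT, "209.0.0.200")[0],
        "outsider_to_lower_pool": evaluate(ACL_101, "tcp", "10.9.9.9", "209.0.0.5", 80)[0],
        "anyone_to_virus_site":   evaluate(ACL_101, "tcp", MANAGEMENT, "198.0.0.1", 80)[0],
        "prod_ping_router":       evaluate(ACL_101, "icmp", PRODUCTION, ROUTER)[0],
    }


def ping_router_with_icmp_permit() -> str:
    """Same ACL plus one assumed line permitting ICMP from the LAN."""
    acl = ACL_101 + [AclEntry("access-list 101 permit icmp 172.25.32.0 0.0.3.255 any")]
    return evaluate(acl, "icmp", PRODUCTION, ROUTER)[0]


if __name__ == "__main__":
    for name, action in check_thread_cases().items():
        print(f"{name:24s} {action}")
    print("prod_ping_router after ICMP permit:", ping_router_with_icmp_permit())
```

Two things this makes visible. First, the wildcard pairs 209.0.0.0 0.0.0.127 and 209.0.0.128 0.0.0.127 really do split the /24 into its lower and upper halves (209.0.0.127 is permitted for the production host, 209.0.0.128 is not). Second, an ACL whose only permits are tcp eq www to the web server and ip to the server pool has no entry an ICMP echo to the router can match, so a ping from the LAN falls through to the implicit deny; an inbound ACL filters packets addressed to the router itself as well as transit traffic, so any ICMP or management traffic the router must accept has to be permitted explicitly. The lines in the follow-up post are not modelled here because IOS would reject several of them as typed (an extended entry needs a protocol before any any, and 209.0.0.0.0 is not an address), so whether that list was ever applied cannot be told from the thread.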
 