Posted by Barry Margolin on June 26, 2008, 10:30 pm
> Hello, Barry!
>
> ??>> Trying to block access from "inside" to "dmz1"...
> ??>>
> ??>> interface Ethernet0/1
> ??>> nameif inside
> ??>> security-level 100
> ??>> ip address 192.168.1.1 255.255.255.0
> ??>> !
> ??>> interface Ethernet0/2
> ??>> nameif dmz1
> ??>> security-level 2
> ??>> ip address 192.168.2.1 255.255.255.0
> ??>> !
> ??>> access-list acl_outgoing extended deny ip any 192.168.2.0
> ??>> 255.255.255.0
>
> BM> That should be 0.0.0.255.
>
> ??>> access-list acl_outgoing extended permit ip any any
> ??>> !
> ??>> access-group acl_outgoing in interface inside
> ??>>
> ??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
> BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
> BM> netmask instead of a wildcard mask.
>
>
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?
>
> configure mode commands/options:
> A.B.C.D Netmask for source IP address
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1
You didn't say what model it was earlier; I thought it was an IOS
router. IOS uses wildcard masks, which are the complement of netmasks.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
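The thread turns on one detail: IOS access lists take a wildcard mask (1 bits are "don't care"), while the ASA takes a netmask (1 bits are "must match"), so the same `192.168.2.0 255.255.255.0` entry means different things on the two platforms. The following is an added example, not code from anyone in the thread, that models the quoted `acl_outgoing` entries and evaluates the 192.168.1.7 -> 192.168.2.2 flow under both interpretations. The ACL table, the flow addresses and the function names are constructed for illustration.

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed model of the acl_outgoing entries quoted in the thread:
# (action, src, src_mask, dst, dst_mask). "any" matches every address.
ACL_OUTGOING: List[Tuple[str, str, str, str, str]] = [
    ("deny", "any", "", "192.168.2.0", "255.255.255.0"),
    ("permit", "any", "", "any", ""),
]

def _ip(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def ios_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a wildcard bit of 1 means 'don't care', 0 means 'must match'."""
    if base == "any":
        return True
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def asa_netmask_match(addr: str, base: str, netmask: str) -> bool:
    """ASA/PIX semantics: a netmask bit of 1 means 'must match', 0 means 'don't care'."""
    if base == "any":
        return True
    mask = _ip(netmask)
    return (_ip(addr) & mask) == (_ip(base) & mask)

def netmask_to_wildcard(netmask: str) -> str:
    """Complement a netmask to obtain the equivalent IOS wildcard mask."""
    return str(ipaddress.IPv4Address(_ip(netmask) ^ 0xFFFFFFFF))

def evaluate(acl, src: str, dst: str,
             match: Callable[[str, str, str], bool]) -> str:
    """First matching entry wins; Cisco ACLs end with an implicit deny."""
    for action, s_base, s_mask, d_base, d_mask in acl:
        if match(src, s_base, s_mask) and match(dst, d_base, d_mask):
            return action
    return "deny"

if __name__ == "__main__":
    flow = ("192.168.1.7", "192.168.2.2")
    print("ASA (netmask) :", evaluate(ACL_OUTGOING, *flow, asa_netmask_match))
    print("IOS (wildcard):", evaluate(ACL_OUTGOING, *flow, ios_wildcard_match))
    # Under IOS semantics the entry only matches hosts ending in .0
    print("IOS, dst 10.0.0.0:", evaluate(ACL_OUTGOING, "192.168.1.7", "10.0.0.0", ios_wildcard_match))
    print("IOS wildcard for 255.255.255.0:", netmask_to_wildcard("255.255.255.0"))
```

Read with the thread: on the ASA the entry denies the whole 192.168.2.0/24 range as the poster intended, whereas on an IOS router the same mask would deny only addresses whose last octet is 0 and let 192.168.2.2 through, which is the behaviour the first reply described.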