
Access List Help!

Status
Not open for further replies.

Darren1111

IS-IT--Management
Oct 20, 2004
3
US
For some reason my coworker and I can't figure out how to limit the following range of address to access port 443 on a server through our PIX firewall. Can anyone guide us to how we should setup an access-list to do this? It's very important that they can only access port 443 on the server. Thanks in advance for any help you can offer.

network range: 209.135.205.135 - 209.135.205.253

 
Try this:

access-list 100 permit tcp host 209.135.205.135 host x.x.x.x eq 443
access-list 100 permit tcp 209.135.205.136 255.255.255.248 host x.x.x.x eq 443
access-list 100 permit tcp 209.135.205.144 255.255.255.240 host x.x.x.x eq 443
access-list 100 permit tcp 209.135.205.160 255.255.255.224 host x.x.x.x eq 443
access-list 100 permit tcp 209.135.205.192 255.255.255.224 host x.x.x.x eq 443
access-list 100 permit tcp 209.135.205.224 255.255.255.240 host x.x.x.x eq 443
access-list 100 permit tcp 209.135.205.240 255.255.255.248 host x.x.x.x eq 443
access-list 100 permit tcp host 209.135.205.248 host x.x.x.x eq 443
access-list 100 permit tcp host 209.135.205.249 host x.x.x.x eq 443
access-list 100 permit tcp host 209.135.205.250 host x.x.x.x eq 443
access-list 100 permit tcp host 209.135.205.251 host x.x.x.x eq 443
access-list 100 permit tcp host 209.135.205.252 host x.x.x.x eq 443
access-list 100 permit tcp host 209.135.205.253 host x.x.x.x eq 443


Where x.x.x.x is the IP address of the server

You really need to start and end your IP addresses at the appropriate bit boundary to make it easier. Otherwise, you have to use the above statements. It just makes the ACL a little longer.

 
Thanks for the help Bell! We were thinking about the following also.....what are your thoughts?



access-list 100 permit tcp host 209.135.205.128 255.255.255.128 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.128 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.129 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.130 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.131 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.132 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.133 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.134 host x.x.x.x eq 443
access-list 100 deny tcp 209.135.205.254 host x.x.x.x eq 443



 
"permit host" means a host. If you have a subnet to permit, drop the "host" keyword.

Put the "deny" statements ahead of the "permit", or they will be ignored.

Lee.
 
My fellow tek-tipper Igarner has a point. You can certainly do it the way you stated, but put all the deny statements first, then your single permit statement.
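Both approaches in this thread (Bell's split of the range into mask-aligned blocks, and the deny-the-exceptions-then-permit-the-block variant with the denies placed first) can be generated and checked mechanically. The following is an added example, not code posted by anyone in the thread; it uses Python's standard `ipaddress` module, keeps the thread's `x.x.x.x` server placeholder, and assumes PIX semantics of top-down first-match evaluation with an implicit deny at the end and a real netmask (not an IOS-style wildcard) in the source field. It renders both ACL styles for the 209.135.205.135 - 209.135.205.253 range and then evaluates every address in the /24 against each list to confirm that exactly the intended sources are permitted.

```python
import ipaddress

# Constructed inputs: the range from the thread and the same x.x.x.x server placeholder.
RANGE_START = "209.135.205.135"
RANGE_END = "209.135.205.253"
SERVER = "x.x.x.x"


def range_to_networks(start, end):
    """Split an inclusive IPv4 range into the fewest mask-aligned blocks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return list(ipaddress.summarize_address_range(first, last))


def _src(net):
    """PIX source syntax: 'host A.B.C.D' for a single address, 'A.B.C.D MASK' otherwise
    (assumed PIX behaviour: a real netmask, not a wildcard mask)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def pix_permit_lines(start, end, server, port=443, acl="100"):
    """Bell's style: one permit entry per aligned block and nothing else."""
    return [
        f"access-list {acl} permit tcp {_src(net)} host {server} eq {port}"
        for net in range_to_networks(start, end)
    ]


def pix_deny_then_permit_lines(start, end, server, port=443, acl="100"):
    """Darren's style, corrected: deny each unwanted host of the smallest enclosing
    block, then permit the whole block. Denies go first because the PIX stops at
    the first matching entry."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    block = ipaddress.ip_network(f"{first}/32")
    while last not in block:  # widen until the block covers the whole range
        block = block.supernet()
    lines = [
        f"access-list {acl} deny tcp host {ip} host {server} eq {port}"
        for ip in block
        if ip < first or ip > last
    ]
    lines.append(f"access-list {acl} permit tcp {_src(block)} host {server} eq {port}")
    return lines


def acl_permits(lines, src_ip):
    """Evaluate the entries top-down for one source address; anything unmatched
    falls through to the implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for line in lines:
        parts = line.split()
        action, src_kind, src_val = parts[2], parts[4], parts[5]
        spec = f"{src_val}/32" if src_kind == "host" else f"{src_kind}/{src_val}"
        if ip in ipaddress.ip_network(spec):
            return action == "permit"
    return False


def permitted_sources(lines, scope="209.135.205.0/24"):
    """Set of source addresses in `scope` that the ACL lets through to the server port."""
    return {ip for ip in ipaddress.ip_network(scope) if acl_permits(lines, str(ip))}


def intended_range(start, end):
    """The set of addresses the ACL is supposed to permit, for comparison."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}


if __name__ == "__main__":
    want = intended_range(RANGE_START, RANGE_END)
    for name, acl in [
        ("permit-only", pix_permit_lines(RANGE_START, RANGE_END, SERVER)),
        ("deny-then-permit", pix_deny_then_permit_lines(RANGE_START, RANGE_END, SERVER)),
    ]:
        ok = permitted_sources(acl) == want
        print(f"# {name}: {len(acl)} entries, permits exactly the intended range: {ok}")
        print("\n".join(acl))
```

Running it shows that the aligned-block list needs nine entries (the .248-.253 tail collapses to a /30 and a /31) and that the enclosing /25 has nine excluded addresses, not eight: 209.135.205.128/25 runs to .255, so .255 must be denied as well as .254. Reversing the deny-then-permit list, so that the permit comes first, makes `permitted_sources` return the whole /25, which is the ordering problem Lee and Bell point out.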


 
Thanks everyone for your help! We'll be implementing soon and I'll let you all know how it goes.

Thanks,
Darren
 