
Access-list question

Status
Not open for further replies.

ianbla

IS-IT--Management
Oct 31, 2001
156
GB
I have a customer link, and I only want machines on the following network to access the customer and vice versa;

192.168.26.16 255.255.255.240

If I enter the following on the 3640;
access-list 180 permit ip 192.168.26.16 255.255.255.240 any log
access-list 181 permit ip any 192.168.26.16 255.255.255.240 log

It changes to;
access-list 180 permit ip 0.0.0.0 255.255.255.240 any log
access-list 181 permit ip any 0.0.0.0 255.255.255.240 log

What am I doing wrong?
 
Hi,
When using access-lists, the mask is reversed, it's called a wildcard mask. Your entry should read
access-list 180 permit ip 192.168.26.16 0.0.0.15 any log

The reason for this is that when matching wildcard masks, 1's are deemed don't-care bits and 0's must match exactly, and probably it is back to front as you are working from right to left (instead of left to right when doing subnet mask stuff). Maybe someone here knows the proper reason.
So this will allow through any IP in subnet 192.168.26.16/28
Strangely though, the Cisco Pix does work with the mask the "proper" way round.

BR,

-Stephen
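The wildcard-mask arithmetic described in the reply above, worked through in Python as an added example (not code from the thread or from Cisco). It uses only the standard-library `ipaddress` module; the function names and the sample addresses outside the thread's own 192.168.26.16/28 are my own. It shows three things: how a subnet mask is inverted into the wildcard mask IOS expects, why IOS rewrote `192.168.26.16 255.255.255.240` to `0.0.0.0 255.255.255.240` (it clears every address bit that the wildcard marks as don't-care), and which hosts the mistaken entry actually matched: not the intended /28, but any address whose last four bits are zero, in every network.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """32-bit integer back to a dotted-quad string."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask into the wildcard mask used by IOS numbered ACLs.

    Subnet mask: 1 bits are the network part.  Wildcard: 1 bits are don't-care.
    255.255.255.240 -> 0.0.0.15
    """
    return _to_dotted(ALL_ONES ^ _to_int(subnet_mask))


def normalize_ace_address(address: str, wildcard: str) -> str:
    """Return the address exactly as IOS stores it for the given wildcard.

    IOS clears every address bit that is a don't-care (1) bit in the wildcard,
    which is why 192.168.26.16 with wildcard 255.255.255.240 shows up as 0.0.0.0.
    """
    care_bits = ALL_ONES ^ _to_int(wildcard)
    return _to_dotted(_to_int(address) & care_bits)


def ace_matches(address: str, wildcard: str, host: str) -> bool:
    """True if `host` is matched by the entry `address wildcard`.

    Only the 0 (must-match) bits of the wildcard are compared.
    """
    care_bits = ALL_ONES ^ _to_int(wildcard)
    return (_to_int(address) & care_bits) == (_to_int(host) & care_bits)


def ace_line(number: int, source: str, subnet_mask: str) -> str:
    """Build the 'permit ip <src> <wildcard> any log' line from a subnet mask."""
    return (f"access-list {number} permit ip {source} "
            f"{subnet_to_wildcard(subnet_mask)} any log")


if __name__ == "__main__":
    # The poster's intended network and the two forms of the entry.
    print(ace_line(180, "192.168.26.16", "255.255.255.240"))
    print("mistaken entry is stored as",
          normalize_ace_address("192.168.26.16", "255.255.255.240"))
    # Constructed sample hosts: the mistaken entry permits unrelated addresses
    # (anything ending in a multiple of 16) while the correct one does not.
    for host in ("192.168.26.20", "192.168.26.32", "10.1.2.32", "10.1.2.33"):
        print(host,
              "correct:", ace_matches("192.168.26.16", "0.0.0.15", host),
              "mistaken:", ace_matches("0.0.0.0", "255.255.255.240", host))
```

A useful habit when reviewing a device's running config is to compare the stored (normalized) address against what was intended, as `normalize_ace_address` does: an entry whose address has collapsed to `0.0.0.0` is the tell-tale sign that a subnet mask was typed where a wildcard mask belonged, and such an entry quietly permits traffic far outside the subnet it was meant to cover.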
 
Many thanks, I shall try it now.

Cisco, they don't make life easy. As if IP & subnets weren't a pain as it is.
 