Configuring ACLs and Wildcards

In this tutorial we illustrate how to configure extended access-lists on two routers, using wildcard masks to restrict access into and out of the WAN routers.

In this example, router B must permit traffic inbound to a local web server (172.16.2.30) from a subset of XYZ company's LAN segment (192.168.1.1-15). In addition, router A is only going to allow outbound connectivity to the sales office's web server.

Router A

| Syntax | Description |
| --- | --- |
| conf t | Enter global configuration mode |
| access-list 150 permit ip 192.168.1.0 0.0.0.15 host 172.16.2.30 | Configure the ACL to permit traffic from the local LAN to the remote sales office's web server (the wildcard covers the network range 192.168.1.0/28; see Config Tips for a full explanation) |
| interface fastethernet 0/0 | Enter interface configuration mode |
| ip access-group 150 in | Applies the ACL to the interface inbound (traffic arriving from the local LAN into the interface) |

Router B

| Syntax | Description |
| --- | --- |
| conf t | Enter global configuration mode |
| access-list 150 permit ip 192.168.1.0 0.0.0.15 host 172.16.2.30 | Configure the ACL to permit traffic from XYZ's LAN segment to the local web server (the wildcard covers the network range 192.168.1.0/28) |
| interface fastethernet 0/0 | Enter interface configuration mode |
| ip access-group 150 out | Applies the ACL to the interface outbound (traffic leaving the interface toward the local LAN segment) |
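The following Python script is an added example, not part of the tutorial or of any Cisco software. It implements the wildcard arithmetic explained under Config Tips and a small evaluator for the extended ACL line used on both routers, so you can check which source/destination pairs access-list 150 permits before applying it. The helper names (`wildcard_from_prefix`, `range_covered`, `evaluate`, and so on) and the sample addresses in the `__main__` block are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the tutorial): wildcard-mask arithmetic and a small
# evaluator for extended ACL lines of the form shown in the router tables.


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network: the bitwise inverse of the subnet mask."""
    netmask = to_int(str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask))
    return to_str(~netmask)


def last_octet_shortcut(mask_octet: int) -> int:
    """The tutorial's shortcut for one octet: 256 minus the mask octet, minus 1."""
    return 256 - mask_octet - 1


def range_covered(base: str, wildcard: str) -> tuple:
    """First and last address a base/wildcard pair matches."""
    w = to_int(wildcard)
    low = to_int(base) & ~w
    return to_str(low), to_str(low | w)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; 0 bits must match exactly."""
    w = to_int(wildcard)
    return (to_int(addr) & ~w) == (to_int(base) & ~w)


@dataclass
class Entry:
    number: int
    action: str      # "permit" or "deny"
    protocol: str    # "ip" in this tutorial
    src: tuple       # (base, wildcard)
    dst: tuple       # (base, wildcard)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'base wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line: str) -> Entry:
    """Parse an extended ACL line in the form used on this page (no port options)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src, rest = _take_address(tokens[4:])
    dst, _ = _take_address(rest)
    return Entry(int(tokens[1]), tokens[2], tokens[3], src, dst)


def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny applies."""
    for e in entries:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action
    return "deny"


# The single ACL line from the Router A / Router B tables.
ACL_150 = [parse_entry("access-list 150 permit ip 192.168.1.0 0.0.0.15 host 172.16.2.30")]

if __name__ == "__main__":
    # Constructed sample addresses for the demonstration.
    print(wildcard_from_prefix(26), range_covered("200.200.200.128", "0.0.0.63"))
    print(evaluate(ACL_150, "192.168.1.7", "172.16.2.30"))    # permit
    print(evaluate(ACL_150, "192.168.1.20", "172.16.2.30"))   # deny: outside 192.168.1.0/28
    print(evaluate(ACL_150, "172.16.2.30", "192.168.1.7"))    # deny: reply traffic is not listed
```

Two points the evaluator makes visible: the wildcard 0.0.0.15 covers 192.168.1.0 through 192.168.1.15 (sixteen addresses, including the network and broadcast addresses), and because every Cisco ACL ends with an implicit deny, an access-list containing only this one permit drops all other traffic on the interface it is applied to, including the web server's replies in the opposite direction unless those are permitted separately.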
Config Tips:

Wildcards are a little tricky. The quick way to work them out is to first determine the network or subnet you are trying to define. For example, you want to define 200.200.200.128/26 (/26 is the same as 255.255.255.192). To express this mask as a wildcard, take the number 256 and subtract the value of the last octet in which bits are borrowed within the subnet mask, which is 192 in this example: 256-192=64. Then subtract 1 from the result, 64, and that gives you the last number to use in the wildcard. So 200.200.200.128/26, written as a wildcard in an access-list, looks like the following: 200.200.200.128 0.0.0.63

Site Map / Legal / © Copyright 2006 enetworktutor.com