topic Re: IOS to ASA ACL conversion in Network Security

IOS to ASA ACL conversion

neospitz — Mon, 11 Mar 2019 10:12:36 GMT

Dear all,

I have this IOS ACL:

permit tcp any 172.16.32.64 0.3.255.31 eq www

that needs to be converted to an ASA ACL. How should I configure my firewall with minimum numbers of lines within the ACL and/or object group?

I don't really want to define 700+ lines inside one network object group and this is just one of the IOS ACL that I need to convert.

Thanks in advance

Re: IOS to ASA ACL conversion

joshua.walton — Sat, 12 May 2007 20:40:58 GMT

permit tcp any 172.16.32.64 0.3.255.31 eq www = 1 line, not 700.

*shrugs*

Re: IOS to ASA ACL conversion

neospitz — Sun, 13 May 2007 21:24:33 GMT

well, if it really works like this I would be really happy.

However ASA does not seem to like wildcard mask and I really have a hard time migrating IOS ACL to PIX/ASA ACLs.

Cheers

Toby

Re: IOS to ASA ACL conversion

laurent.geyer — Mon, 14 May 2007 14:53:46 GMT

That's a mighty strange network mask.

In IOS the netmasks are inverted and going by what you posted the mask would translate to 255.252.0.224.

I don't see how a router would even accept that network mask.

Re: IOS to ASA ACL conversion

laurent.geyer — Mon, 14 May 2007 15:22:13 GMT

Nevermind.

Re: IOS to ASA ACL conversion

srue — Mon, 14 May 2007 18:10:48 GMT

neospitz,

double check your IOS mask and repost.

Re: IOS to ASA ACL conversion

neospitz — Mon, 14 May 2007 21:41:52 GMT

Hi Srue

Actually the ACL should read as follow:

permit tcp any 172.16.0.64 0.3.255.31 eq www

It does not really matter if the IP address of 3rd octet is 32 or 0 as the corresponding wildcard mask is 255 which means it matches from 0 to 255.

The ACL is correct as this line was allowing access to web service within each Class C network address 64 - 95 by the IOS router.

I've also tried the subnet mask 255.252.0.224 but ASDM reject this mask value. I was able to keyed it in under CLI but firewall has trouble matching packets with this line.

Re: IOS to ASA ACL conversion

laurent.geyer — Tue, 15 May 2007 15:14:17 GMT

The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.

The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.

This would make the PIX/ASA access-list entry following:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80

Re: IOS to ASA ACL conversion

neospitz — Tue, 15 May 2007 20:21:49 GMT

Hi Laurent,

My situation is that I am migrating router ACL to ASA/PIX ACL, where wildcard mask 0.3.255.31 is completely valid under router ACL command syntex. Any IOS after 11.0 should be able to read this wildcard mask.

I know I need to use "Subnet Mask" in PIX/ASA and this is where my question comes from. With ASA, if I use your ACL command:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80

I need to set up as:

permit tcp any 172.16.0.64 255.255.255.224 eq 80

permit tcp any 172.16.1.64 255.255.255.224 eq 80

permit tcp any 172.16.2.64 255.255.255.224 eq 80

all the way to:

permit tcp any 172.19.255.64 255.255.255.224 eq 80

Whereas currently using router, one line kills them all:

permit tcp any 172.16.0.64 0.3.255.31 eq 80

I was thinking rather than specifying all 1024 network, or create them under object group, is there any simpler way to migrate this router ACL to ASA? I would think PIX/ASA are designed for traffic filtering and there must be a way to match router wildcard mask.

Cheers

IOS to ASA ACL conversion

Kristian Alexander Brown — Tue, 21 May 2013 09:50:51 GMT

laurent.geyer wrote:

The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.

The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.

This would make the PIX/ASA access-list entry following:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80

It IS an invalid netmask, but it is valid as a wildcard mask. Wildcard masks does not have to be

contiguous. For example, 172.16.32.64 0.3.255.31 will match 172.[16-19].[0-255].[64-95] with 1 single line.

Hi Neospitz Did you able to

kthned — Tue, 24 Feb 2015 10:57:41 GMT

Hi Neospitz

Did you able to get the answer, I am also stuck into the similar situation where we have hundreds of router ACL with wildcard masks and I need to convert them to ASA subnet mask.

permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22

I receive following error.

ERROR: IP address,mask <172.25.192.0,0.0.224.255> doesn't pair

A good text editor (I use

Collin Clark — Tue, 24 Feb 2015 13:06:54 GMT

A good text editor (I use Ultra Edit) and regular expressions and this can be converted in a snap.

Thanks Collin for you reply.

kthned — Tue, 24 Feb 2015 13:20:30 GMT

Thanks Collin for you reply. I am wondering how to make the wild card mask to netmask using text editor. I understand the theory would be to subtract from 255.255.255.255 but question is how can i do it from a text editor. Lets say I have follwing 5 lines which need to convert to ASA format.

permit ip 172.24.16.0 0.7.225.255 any
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq www
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 443
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 5900

Search and replace should

Collin Clark — Tue, 24 Feb 2015 14:50:59 GMT

Search and replace should work too.

Find 0.7.255.255 and replace with 255.248.0.0

Wow, I cannot believe this

neospitz — Mon, 09 Mar 2015 22:01:23 GMT

Wow, I cannot believe this thread is still alive.

@syedumairali, no unfortunately I do not belive ASA support non-continuous subnets defined by IOS wildcard masks.

I ended up using spreadsheet to build a list of network that confirms to the IOS wildcard mask, and then format them into ASA commands.

Thanks everyone for the contribution to this thread.