topic Re: IP Ranges on ASA in Network Security

IP Ranges on ASA

dean.x.murray — Mon, 11 Mar 2019 08:56:39 GMT

A simple question as I cannot seem to find a why to do it on our ASA.

How do you specify a range of addresses that are not summarizable?

For example if I wanted to create an ACL that allows access from hosts 192.168.200.50 through to 192.168.200.239 to the internet, how would I configure these hosts on the ASA?.

Dean

Re: IP Ranges on ASA

mgaysek — Wed, 15 Nov 2006 20:09:27 GMT

You could use an object group.

See this link. http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0f7.html#wp1648552

With in the object group you can specify hosts or ranges defined by subnet masks. You will need to do both.

HTH

Re: IP Ranges on ASA

a.kiprawih — Wed, 15 Nov 2006 20:44:25 GMT

PIX/ASA provides the object-group to allow you to group host/subnets/services/icmp in a common or specific group, and have a simple one or two lines of ACL to allow the access. This saves your time in defining hundreds of ACL line/entry.

object-group network INTERNET_ACCESS

network-object host 192.168.200.50

network-object host 192.168.200.51

network-object host 192.168.200.52

network-object host 192.168.200.239

object-group service INTERNET_TCP_PORTS tcp

port-object eq www

port-object eq https

object-group service INTERNET_UDP_PORTS udp

port-object eq domain

access-list inside permit tcp object-group INTERNET_ACCESS any object-group INTERNET_TCP_PORTS

access-list inside permit udp object-group INTERNET_ACCESS any object-group INTERNET_UDP_PORTS

access-group inside in interface inside

HTH

Re: IP Ranges on ASA

dean.x.murray — Tue, 21 Nov 2006 13:39:19 GMT

Just as I thought you cannot easily add a range, so you have to add all addresses or a mixture of summarised and individual addresses.

so there is no command like this

object-group network Internet_Access

network-object range 192.168.1.1-192.168.1.221

Seems an odd ommission.

Thanks for the confirmation.

Dean

Re: IP Ranges on ASA

a.kiprawih — Wed, 22 Nov 2006 07:22:24 GMT

Yes, no option for 'range' under object-group for host. The option only allows you to specify individual host or network/subnet ID.

http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0f7.html#wp1647583

HTH

Re: IP Ranges on ASA

dflick — Wed, 22 Nov 2006 21:00:10 GMT

You can sort of create a range by using several masks:

192.168.200.50...51....52 and so on to 55

192.168.200.56 255.255.255.248

192.168.200.64 255.255.255.192

192.168.200.128 255.255.255.192

192.168.200.192 255.255.255.224

192.168.200.224 255.255.255.240

ugly but it works

Re: IP Ranges on ASA

a.kiprawih — Wed, 22 Nov 2006 23:12:06 GMT

But what happened if the IP happened to be the subnet or broadcast ID - currently being used by a host/wks.

I am sure it will conflict or could create a problem:

List/range of host IPs: 192.168.200.50 to 192.168.200.239

Example:

192.168.200.56 255.255.255.248

Subnet ID: 192.168.200.56 ---> this IP is needed/used for host

Usable range: 192.168.200.57 to 192.168.200.62

Broadcast ID: 192.168.200.63 ---> this IP is needed/used for host

Same with the rest.

Just a thought.

HTH

Re: IP Ranges on ASA

dflick — Mon, 27 Nov 2006 01:28:43 GMT

Since you are using these for an ACL, it makes absolutely no difference if it is a broadcast address. The masks work for the same reason that the 255.255.255.254 masks work.

Re: IP Ranges on ASA

Fernando_Meza — Mon, 27 Nov 2006 02:12:29 GMT

Mm .. what about a packet been addressed to the broadcast IP address of one of the ranges ( which is actually used by a host ).. which might be considered by the firewall as a broadcast and hence be droped .. just another thought ..