topic Hi,It would not be possible in Network Security

Discontiguous subnet mask - FWSM

Little Bunny — Tue, 12 Mar 2019 04:53:04 GMT

Hello

I would like to permit only a few IP addresses from various subnets through an fwsm, is there a way to summarize this in order to reduce the number of ACL rules? We have over 200 subnets all starting 10.10.<building>.0/24. I would like to only permit IPs 10.10.x.248 and above from each building. Do FWSMs allow discontiguous masks? For example, could I add a rule 10.10.0.248 / 255.255.0.248? I tried the config via ASDM and it took it but changed the format to 10.10.0.248/29 so I'm not sure whether it will allow any value in the third octet.

Thanks

Amy

Hi,It would not be possible

Vibhor Amrodia — Thu, 09 Oct 2014 05:50:59 GMT

Hi,

It would not be possible.

You would have to create separate ACE for each Subnet range.

Thanks and Regards,

Vibhor Amrodia

Hi VibhorThanks for the

Little Bunny — Thu, 09 Oct 2014 16:35:31 GMT

Hi Vibhor

Thanks for the feedback. I just looked at the config via the CLI and this is the entry for the ACL:

access-list FWGLUE_access_in extended permit ip host 197.42.33.49 10.10.0.248 255.255.0.248

It looks like it took the original configuration I entered, are you sure it won't work?

Thanks

Amy

Hi Amy,Thank you for your

Vibhor Amrodia — Fri, 10 Oct 2014 03:13:44 GMT

Hi Amy,

Thank you for your reply. I tested it and it seems to be working for me.

Can you try this ACL and let me know if you face any issues.

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor, that sounds

Little Bunny — Fri, 10 Oct 2014 04:14:57 GMT

Thanks Vibhor, that sounds promising! I will test this out too asap 🙂