topic Yes, if that line is at the in Network Security

allow single /32 out of /8 on a cisco context firewall

scotteberl — Tue, 12 Mar 2019 04:39:13 GMT

wondering if anyone has any tricks to allow a single /32 out of a /8 on a cisco non-asa firewall

the network is 121.0.0.0/8 and I want to only allow 121.240.128.58/32

This is pretty messy with multiple lines of summery routes, is there an easier way?

Can you explain a little more

Karsten Iwen — Tue, 19 Aug 2014 15:34:16 GMT

With "non-asa", are you talking about IOS-router? Can you explain a little more detailed what you want to achieve? Just by reading your post it sounds like a simple two/three-line ACL. But probably you want to achieve something different?

ip access-list ext TEST

permit ip host 121.240.128.58 any

deny ip 121.0.0.0 0.255.255.255 any

permit ip any any

This wouldn't be an access

scotteberl — Tue, 19 Aug 2014 15:34:17 GMT

This wouldn't be an access-list but an access-group applied to an interface on a cisco firewall context. So we have a customer who has an entire /8 blocked from attack but wants one ip out of that /8 allowed.

Thats pretty much what the

Karsten Iwen — Tue, 19 Aug 2014 15:43:10 GMT

Thats pretty much what the above ACL does, it allows that single IP, denies the /8 and allows the rest. And yes, such ACL has to be applied to an interface with an access-group-command.

Problem with that is there

scotteberl — Tue, 19 Aug 2014 16:21:54 GMT

Problem with that is there are other rules that the host must match against. If I just allow the host in the beginning it will bypass all other rules won't it.

Yes, if that line is at the

Karsten Iwen — Tue, 19 Aug 2014 17:11:41 GMT

Yes, if that line is at the beginning it will match regardless what comes later. If you need more control then the way to achieve it is the same. allow the most specific, then deny the next less specific. Then allow again the next less specific and so on and so on ...