topic ASA accepts non existing subnetmask in ACL in Network Security

ASA accepts non existing subnetmask in ACL

Niels van der Made — Mon, 11 Mar 2019 23:19:48 GMT

Hi all,

I'm configuring a l2l tunnel.

While configuring the crypo acl I noticed that my ASA was accepting subnetmasks like 255.255.255.1 (wich does not exist to my knowledge).

I then tried some other masks, and to my surprise it accepted almost everyting?!

access-list outside_cryptomap_30 extended permit ip 192.168.1.0 255.255.255.8 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.255.15 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.3.0 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.5.5 any

access-list outside_cryptomap_30 extended permit ip 192.0.0.0 255.8.4.6 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.9.4 any

access-list outside_cryptomap_30 extended permit ip 192.0.0.0 255.45.9.4 any

Finally while configuring absolute bs I received some errors

fw2(config)# access-list outside_cryptomap_30 permit ip 192.168$

ERROR: IP address,mask <192.168.0.0,255.5.5.5> doesn't pair

fw2/vander-made.nl(config)# access-list outside_cryptomap_30 extended permit i$

ERROR: IP address,mask <192.168.0.0,255.2.9.4> doesn't pair

Does anyone have any idea why you configure these kind of subnetmasks? I mean it's nowhere near a valid subnetmask/wildcardmask right ?

Of cours on interface config it won't accept anything of the above.

I've tried it in both 8.2.x and 8.4.x software.

Looking forward to a reply.

Kind regards.

Niels.

ASA accepts non existing subnetmask in ACL

Jennifer Halim — Fri, 15 Jun 2012 13:29:37 GMT

Yes, those are incorrect mask, and ASA does not check whether the subnet mask has been correctly configured or not. It is simply just a user misconfiguration if incorrect mask has been entered.

Re: ASA accepts non existing subnetmask in ACL

Karsten Iwen — Tue, 19 Jun 2012 00:26:01 GMT

Hi,

the subnet-masks you are talking about are no subnet-masks. They are just masks. Sounds strange?

Here an example:

You have 200 Branch-Offices 10.10.x.0/24

You know that in these branches, the local FTP-server has always the IP .21.

To allow the access to all these servers you could add 200 ACEs to your ACL (with or without object-groups):

access-list INSIDE-IN permit tcp .... host 10.10.1.21 eq 21

access-list INSIDE-IN permit tcp .... host 10.10.2.21 eq 21

access-list INSIDE-IN permit tcp .... host 10.10.3.21 eq 21

...

access-list INSIDE-IN permit tcp .... host 10.10.200.21 eq 21

Instead of this you could use the following one line:

access-list INSIDE-IN permit tcp .... 10.10.0.21 255.255.0.255 eq 21

With this "strange" mask you tell your ASA that the first, second and forth Octet should be matched, but in the third octed any number is allowed (0-255).

So there is a usecase for this masks. Personally I would not recommend using them as the ASDM can not display them correctly. But they still work.

HTH, Karsten

Sent from Cisco Technical Support iPad App