https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562156#M745261 <HTML><HEAD></HEAD><BODY><P>I guess it's not as nice as just converting the commands to the ASA... but the nice part is that once you created the object-groups you can manage the subnets just as you did with the routers. </P><P></P><P>I mean... just reference to the entire object-group (instead than to the wildcard statements in the ACL).</P><P></P><P>Federico.</P></BODY></HTML> Wed, 10 Nov 2010 20:49:15 GMT Federico Coto Fajardo 2010-11-10T20:49:15Z https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562151#M745247 <P>Hello,</P><P></P><P>Can someone tell me if there is a shorter solution to convert those lines in a router ACL to my rule base in ASA / CSM ?</P><P></P><P>...</P><P>...</P><P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 349pt; border-collapse: collapse;" width="465"><COLGROUP span="1"><COL span="1" style="width: 349pt; mso-width-source: userset; mso-width-alt: 17005;" width="465" /></COLGROUP><TBODY><TR style="height: 12.75pt;"><TD class="xl24" height="17" style="background-color: transparent; width: 349pt; height: 12.75pt; border: windowtext;" width="465">access-list 109 deny<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp; </SPAN>ip 10.0.0.0 0.15.56.127 10.4.8.0 0.0.0.255</TD></TR><TR style="height: 12.75pt;"><TD height="17" style="background-color: transparent; height: 12.75pt; border: windowtext;">access-list 109 permit ip 10.0.0.0 0.15.56.127 any</TD></TR></TBODY></TABLE></P><P>...</P><P>...</P><P></P><P>Thanks,</P><P></P><P>Dave</P> Mon, 11 Mar 2019 19:07:31 GMT https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562151#M745247 Dave Tremblay 2019-03-11T19:07:31Z https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562152#M745248 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You are using a wildcard mask to define a weird group of addresses.</P><P></P><P>access-list 109 deny<SPAN>&nbsp;&nbsp; </SPAN>ip 10.0.0.0 0.15.56.127 10.4.8.0 255.255.255.0</P><P>access-list 109 permit ip 10.0.0.0 0.15.56.127 any</P><P></P><P>The ASA won't support wildcards and only support subnet masks.</P><P>So to convert those rules to ASA you will need to create the list of entries in the ACL with the appropiate subnet mask.</P><P></P><P>Just out of curiosity... what is the purpose of the above ACL in your router?</P><P></P><P>Federico.</P></BODY></HTML> Wed, 10 Nov 2010 20:01:03 GMT https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562152#M745248 Federico Coto Fajardo 2010-11-10T20:01:03Z https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562153#M745249 <HTML><HEAD></HEAD><BODY><P>Thanks for the response, even if I kind of knew the answer... I was wondering if someone came with a solution.</P><P></P><P>Those wierd wildcards are meant for special ranges of IP to access another range of ip.</P><P></P><P>Instead of repeting lines for nothing and since the environment (subnet) is defined like that in every other subnets, they implemented bizarre wildcards like that. In one line, I can include every other lines, see the following...</P><P></P><P>deny 10.1.8.0 - 127&nbsp;&nbsp;&nbsp; 10.4.8.0 255.255.255.0&nbsp; (range of IP)</P><P>permit 10.1.8.0 - 127&nbsp; 10.4.8.0 255.255.248.0 (complete subnet)</P><P></P><P>deny 10.1.16.0 - 127&nbsp;&nbsp;&nbsp; 10.4.8.0 255.255.255.0</P><P>permit 10.1.16.0 - 127&nbsp; 10.4.8.0 255.255.248.0</P><P></P><P>deny 10.1.24.0 - 127&nbsp;&nbsp;&nbsp; 10.4.8.0 255.255.255.0</P><P>permit 10.1.24.0 - 127&nbsp; 10.4.8.0 255.255.248.0</P><P>...</P><P>...</P><P>...</P><P>deny 10.15.248.0 - 127&nbsp;&nbsp;&nbsp; 10.4.8.0 255.255.255.0</P><P>permit 10.15.248.0 - 127&nbsp; 10.4.8.0 255.255.248.0</P><P></P><P></P><P>Best regards,</P><P></P><P></P><P>Dave</P></BODY></HTML> Wed, 10 Nov 2010 20:16:33 GMT https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562153#M745249 Dave Tremblay 2010-11-10T20:16:33Z https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562154#M745250 <HTML><HEAD></HEAD><BODY><P>There's no way to use wildcard masks in ASAs.</P><P>I guess one option would be to create object-groups.</P><P></P><P>You can group networks in one object (and have several objects), and then reference the permit/deny statements between objects.</P><P></P><P>This will simplify the configuration.</P><P></P><P>Federico.</P></BODY></HTML> Wed, 10 Nov 2010 20:39:58 GMT https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562154#M745250 Federico Coto Fajardo 2010-11-10T20:39:58Z https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562155#M745253 <HTML><HEAD></HEAD><BODY><P>Hello again,</P><P></P><P>Yep, I know... but it's going to be a pain to implement...</P><P></P><P>Best regards,</P><P></P><P>Dave</P></BODY></HTML> Wed, 10 Nov 2010 20:45:08 GMT https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562155#M745253 Dave Tremblay 2010-11-10T20:45:08Z https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562156#M745261 <HTML><HEAD></HEAD><BODY><P>I guess it's not as nice as just converting the commands to the ASA... but the nice part is that once you created the object-groups you can manage the subnets just as you did with the routers. </P><P></P><P>I mean... just reference to the entire object-group (instead than to the wildcard statements in the ACL).</P><P></P><P>Federico.</P></BODY></HTML> Wed, 10 Nov 2010 20:49:15 GMT https://community.cisco.com/t5/network-security/convert-a-strange-acl-line-to-a-rule-in-asa/m-p/1562156#M745261 Federico Coto Fajardo 2010-11-10T20:49:15Z