Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1791
Views
5
Helpful
2
Replies

ASA accepts non existing subnetmask in ACL

Niels van der Made
Level 1
Level 1

‎06-15-2012 06:16 AM - edited ‎03-11-2019 04:19 PM

Hi all,

I'm configuring a l2l tunnel.

While configuring the crypo acl I noticed that my ASA was accepting subnetmasks like 255.255.255.1 (wich does not exist to my knowledge).

I then tried some other masks, and to my surprise it accepted almost everyting?!

access-list outside_cryptomap_30 extended permit ip 192.168.1.0 255.255.255.8 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.255.15 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.3.0 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.5.5 any

access-list outside_cryptomap_30 extended permit ip 192.0.0.0 255.8.4.6 any

access-list outside_cryptomap_30 extended permit ip 192.168.0.0 255.255.9.4 any

access-list outside_cryptomap_30 extended permit ip 192.0.0.0 255.45.9.4 any

:S

Finally while configuring absolute bs I received some errors

fw2(config)# access-list outside_cryptomap_30 permit ip 192.168$

ERROR: IP address,mask <192.168.0.0,255.5.5.5> doesn't pair

fw2/vander-made.nl(config)# access-list outside_cryptomap_30 extended permit i$

ERROR: IP address,mask <192.168.0.0,255.2.9.4> doesn't pair

Does anyone have any idea why you configure these kind of subnetmasks? I mean it's nowhere near a valid subnetmask/wildcardmask right ?

Of cours on interface config it won't accept anything of the above.

I've tried it in both 8.2.x and 8.4.x software.

Looking forward to a reply.

Kind regards.

Niels.

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-15-2012 06:29 AM

Yes, those are incorrect mask, and ASA does not check whether the subnet mask has been correctly configured or not. It is simply just a user misconfiguration if incorrect mask has been entered.

0 Helpful

Karsten Iwen
VIP
VIP

‎06-18-2012 05:26 PM

Hi,

the subnet-masks you are talking about are no subnet-masks. They are just masks. Sounds strange?

Here an example:

You have 200 Branch-Offices 10.10.x.0/24

You know that in these branches, the local FTP-server has always the IP .21.

To allow the access to all these servers you could add 200 ACEs to your ACL (with or without object-groups):

access-list INSIDE-IN permit tcp .... host 10.10.1.21 eq 21

access-list INSIDE-IN permit tcp .... host 10.10.2.21 eq 21

access-list INSIDE-IN permit tcp .... host 10.10.3.21 eq 21

...

access-list INSIDE-IN permit tcp .... host 10.10.200.21 eq 21

Instead of this you could use the following one line:

access-list INSIDE-IN permit tcp .... 10.10.0.21 255.255.0.255 eq 21

With this "strange" mask you tell your ASA that the first, second and forth Octet should be matched, but in the third octed any number is allowed (0-255).

So there is a usecase for this masks. Personally I would not recommend using them as the ASDM can not display them correctly. But they still work.

HTH, Karsten

Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card