Re: Block the Internet

MpacanaJr_2 · ‎06-02-2011

Hi,

For phasing out a certain port - 143 - we decide to block the whole internet part by part as to effect a few customers at a time.
How can I break the Internet IPs into like 5-6 parts and deny each at a time?

Thanks,
John,

Shrikant Sundaresh · ‎06-02-2011

Hi John,

You can try supernetting on class A addresses. Depending on the mask you choose, you can get either 4 or 8 parts of the entire ip range.

By using a 2 bit mask, ie (192.0.0.0) you would get 4 parts:

0.0.0.0 - 63.255.255.255

64.0.0.0 - 127.255.255.255

128.0.0.0 - 191.255.255.255

192.0.0.0 - 255.255.255.255

By using a 3 bit mask, ie (224.0.0.0) you would get 8 parts:

0.0.0.0 - 31.255.255.255

32.0.0.0 - 63.255.255.255

64.0.0.0 - 95.255.255.255

96.0.0.0 - 127.255.255.255

128.0.0.0 - 159.255.255.255

160.0.0.0 - 191.255.255.255

192.0.0.0 - 223.255.255.255

224.0.0.0 - 255.255.255.255 //This includes multicast(class D) and experimental(class E) ranges, and can probably be skipped.

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

MpacanaJr_2 · ‎06-03-2011

Hi Shrikant,

Thank you for your reply. I appreciate it.

in this ex.

By using a 2 bit mask, ie (192.0.0.0) you would get 4 parts:

0.0.0.0 - 63.255.255.255

64.0.0.0 - 127.255.255.255

128.0.0.0 - 191.255.255.255

192.0.0.0 - 255.255.255.255

So in an ASA 5510 ACL block this subnets?:

0.0.0.0 192.0.0.0
64.0.0.0 192.0.0.0
128.0.0.0 192.0.0.0
192.0.0.0 192.0.0.0

John

###

Can you comment on the below suggestions, if it makes sense or not.

Called support twice:

One cisco tech suggested:

access-l outside_access_in deny tcp 0.0.0.0 64.0.0.0 any eq 143 # CLI accepts but asdm does not.
it becomes 0.0.0.0.0/64.0.0.0 network as seen in ASDM ACL rules list.

access-l outside_access_in deny tcp 65.0.0.0 128.0.0.0 any eq 143 #error: does not pair
access-l outisde_access_in deny tcp 129.0.0.0 255.0.0.0 any eq 143 # no effect/change on the ACL list
access-l outside_access_in deny tcp 0.0.0.0 128.0.0.0 any eq 143 # 0.0.0.0/1 *works
access-l outside_access_in deny tcp 128.0.0.0 128.0.0.0 any eq 143 # 128.0.0.0/1 *works

Another cisco tech suggested this ranges:

0.0.0.0 32.0.0.0
32.0.0.0 32.0.0.0
64.0.0.0 224.0.0.0 --this will include 64-95 range
96.0.0.0 240.0.0.0 --this includes 96-111 fine ?
112.0.0.0 248.0.0.0
120.0.0.0 248.0.0.0
120.0.0.0 252.0.0.0
124.0.0.0 254.0.0.0.
126.0.0.0 255.0.0.0.
128.0.0.0 224.0.0.0

160.0.0.0 248.0.0.0
168.0.0.0 252.0.0.0
172.0.0.0. 255.240.0.0
172.32.0.0 255.224.0.0
172.64.0.0 255.192.0.0
172.128.0.0 255.128.0.0
173.0.0.0 255.0.0.0
174.0.0.0 254.0.0.0
182.0.0.0 254.0.0.0
184.0.0.0 254.0.0.0
188.0.0.0 252.0.0.0
192.0.0.0 255.128.0.0
192.128.0.0 255.224.0.0
192.169.0.0 255.255.0.0
192.170.0.0 255.254.0.0
192.172.0.0 255.252..0
192.176.0.0 255.240.0.0
192.192.0.0 255.192.0.0
193.0.0.0 255.0.0.0
194.0.0.0 254.0.0.0
196.0.0.0 252.0.0.0
200.0.0.0 248.0.0.0
208.0.0.0 240.0.0.