ACL on variable-length subnets not working in PIX 506

Devildoc007
Level 4

Hello,

Can anyone tell me why my access lists for the variable-length subnets are not working in PIX 506 ver 6.3(3)?

I have created an access list to provide access to the internet from certain subnets in my networks and applied them to the internal interface, but they are not working.

Here is my access list for some variable-length subnets:

access-list 105 permit ip 172.18.1.8 255.255.255.248 any

access-list 105 permit ip 172.18.1.24 255.255.255.248 any

access-list 105 permit ip 172.18.1.96 255.255.255.248 any

access-group 105 in interface inside

However, if my variable-length subnet starts with 0, then the ACL works. For example:

access-list 105 permit ip 172.18.1.0 255.255.255.248 any

or

access-list 105 permit ip 172.18.1.0 255.255.255.128 any

It doesn't matter what the subnet bits are, if the network starts with 0, then the ACL works. If the network starts with a non-zero number, then the ACL does not work.

Is this issue a bug or a feature that I don't know of?

So please, any info is greatly appreciated. Thanks.

JD

4 Replies

michelcaissie
Level 1

Does

access-list 105 permit ip 172.18.1.128 255.255.255.128 any

work?

I have subnets beginning with .128 and it works fine for me (6.3(3) also).

I don't know. I haven't tried that one yet. If it did, then why wouldn't it work with other subnets? Any ideas???

JD

JD,

There are no reasons why this wouldn't work. I just tried it on a PIX-506E, basic config, added a host on the inside with an IP of 172.18.1.25 and then did:

access-list 105 permit ip 172.18.1.8 255.255.255.248 any

access-group 105 in interface outside

And it worked. I had the "deny by access-group 105" error message on my console logging. So, I don't see why this is not working for you, when it should! BTW, what do you mean by "not working"? Does it allow or not the traffic to go through (from the permitted IPs)? Does it block the not-allowed traffic? If you turn on console debugging, as I did, what would you see?

logging on

logging console debugging

Let us know...

Federico Rodriguez
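To make it easier to reason about which entry a given source host should hit, here is an added example (not code from the thread, from Cisco, or from the PIX itself) that evaluates the original post's three-line access list the way an ordered, first-match ACL with an implicit deny would, and flags any entry whose written address has host bits set outside its mask. It assumes the PIX 6.x syntax shown in the post, where the second field is a subnet mask such as 255.255.255.248 rather than an IOS-style wildcard mask; protocol handling is simplified to "ip" versus a named protocol and ports are ignored.

```python
"""First-match evaluator for PIX 6.x-style access-list entries.

Added example, not part of the original thread.  Supports the shape used
in the post:  access-list <id> permit|deny <proto> <src> <mask> <dst> <mask>
with 'any' and 'host <ip>' accepted for either address.  Ports are ignored.
"""
import ipaddress
from dataclasses import dataclass

# Constructed input: the three entries quoted in the original post.
ACL_TEXT = """\
access-list 105 permit ip 172.18.1.8 255.255.255.248 any
access-list 105 permit ip 172.18.1.24 255.255.255.248 any
access-list 105 permit ip 172.18.1.96 255.255.255.248 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    acl_id: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_text: str  # address/mask exactly as written, for the alignment check
    dst_text: str


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, text_as_written, next_index)."""
    if tokens[i] == "any":
        return ANY, "any", i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), f"host {tokens[i + 1]}", i + 2
    addr, mask = tokens[i], tokens[i + 1]
    # strict=False so an entry with stray host bits still parses; misaligned_entries() reports it.
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net, f"{addr} {mask}", i + 2


def parse_acl(text):
    """Parse access-list lines in the order written; order is what the PIX evaluates."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        acl_id, action, proto = tokens[1], tokens[2], tokens[3]
        src, src_text, i = _take_addr(tokens, 4)
        dst, dst_text, i = _take_addr(tokens, i)
        aces.append(Ace(acl_id, action, proto, src, dst, src_text, dst_text))
    return aces


def evaluate(aces, src_ip, dst_ip, proto="ip"):
    """Return (action, 1-based entry number) of the first match, or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None


def misaligned_entries(aces):
    """List (entry number, text as written, normalized network) for addresses with host bits set."""
    bad = []
    for n, ace in enumerate(aces, 1):
        for text, net in ((ace.src_text, ace.src), (ace.dst_text, ace.dst)):
            if text == "any" or text.startswith("host "):
                continue
            written = ipaddress.ip_address(text.split()[0])
            if written != net.network_address:
                bad.append((n, text, str(net)))
    return bad


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    for host in ("172.18.1.9", "172.18.1.25", "172.18.1.100", "172.18.1.17"):
        print(host, "->", evaluate(aces, host, "198.51.100.1"))
    print("misaligned:", misaligned_entries(aces))
```

Run it with the three entries as written and a host such as 172.18.1.25 matches entry 2 (172.18.1.24/29 covers .24 through .31), while 172.18.1.17 falls to the implicit deny; if a source that should be permitted shows a "deny by access-group" message on the console, comparing the logged source address against this evaluator's answer narrows the problem to either the entry text or something other than the ACL (NAT, routing, the interface the group is applied to).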

By "not working" I mean traffic is not allowed. I didn't turn on the logging so I didn't know exactly what the message was. I'll try it out this Friday and see. When I applied an ACL on a non-zero variable-length subnet, I can't get out on the Internet. I looked up the xlate table and saw that my IP address was NATted, but no web pages were seen. When I removed the non-zero variable-length subnet and applied my ACL to a variable-length subnet that starts with a zero, then I could go out to the Internet. So I don't know what's going on.

I'll try to turn on logging this Friday and see what kind of message I will get. I'll keep you posted. Thanks.

JD
