04-04-2005 04:26 PM - edited 02-21-2020 12:03 AM
Hello,
Can anyone tell me why my access lists for the variable-length subnets are not working in PIX 506 ver 6.3(3)?
I have created an access list to provide access to the internet from certain subnets in my networks and applied them to the internal interface, but they are not working.
Here is my access list for some variable-length subnets:
access-list 105 permit ip 172.18.1.8 255.255.255.248 any
access-list 105 permit ip 172.18.1.24 255.255.255.248 any
access-list 105 permit ip 172.18.1.96 255.255.255.248 any
access-group 105 in interface inside
However, if my variable-length subnet starts with 0, then the ACL works. For example:
access-list 105 permit ip 172.18.1.0 255.255.255.248 any
or
access-list 105 permit ip 172.18.1.0 255.255.255.128 any
It doesn't matter what the subnet bits are, if the network starts with 0, then the ACL works. If the network starts with a non-zero number, then the ACL does not work.
Is this issue a bug or a feature that I don't know of?
So please, any info is greatly appreciated. Thanks.
JD
04-05-2005 08:22 AM
Does
access-list 105 permit ip 172.18.1.128 255.255.255.128 any
work?
I have subnets beginning with .128 and it works fine for me (6.3(3) also).
04-05-2005 04:50 PM
I don't know. I haven't tried that one yet. If it did, then why wouldn't it work with other subnets? Any ideas???
JD
04-05-2005 05:51 PM
JD,
There are no reasons why this wouldn't work. I just tried it on a PIX-506E, basic config, added a host on the inside with an IP of 172.18.1.25 and then did:
access-list 105 permit ip 172.18.1.8 255.255.255.248 any
access-group 105 in interface outside
And it worked. I had the "deny by access-group 105" error message on my console logging. So, I don't see why this is not working for you, when it should! BTW, what do you mean by "not working"? Does it allow the traffic to go through (from the permitted IPs) or not? Does it block the not-allowed traffic? If you turn on console debugging, as I did, what would you see?
logging on
logging console debugging
Let us know...
Federico Rodriguez
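As an added example that is not part of this thread (not PIX code, not the poster's configuration): a small Python evaluator for PIX-style "access-list N permit ip <net> <mask> any" entries. PIX 6.x access lists take a subnet mask, not an IOS wildcard mask, so a source matches an entry when (src & mask) == (net & mask); first match wins and an unmatched source hits the implicit deny. Run over the three entries from the first post it also shows that the test host 172.18.1.25 from the reply above lies outside 172.18.1.8 255.255.255.248 (that block is .8 to .15), which is consistent with a "deny by access-group 105" message for that host.

```python
# Added example: first-match evaluation of PIX-style permit entries.
# The ACL text and sample hosts are taken from the thread above; the
# parsing and evaluation logic is this example's own, not PIX code.
import ipaddress

# ACL from the first post (constructed here as a string for the example).
ACL_105 = """\
access-list 105 permit ip 172.18.1.8 255.255.255.248 any
access-list 105 permit ip 172.18.1.24 255.255.255.248 any
access-list 105 permit ip 172.18.1.96 255.255.255.248 any
"""

def parse_acl(text):
    """Return (action, network_int, mask_int) for each 'permit/deny ip <net> <mask> any' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # not a line form this example understands
        action, net, mask = parts[2], parts[4], parts[5]
        net_i = int(ipaddress.IPv4Address(net))
        mask_i = int(ipaddress.IPv4Address(mask))
        # Host bits set in the network field mean the entry was mistyped
        # (e.g. 172.18.1.9 with 255.255.255.248); flag it instead of guessing.
        if net_i & ~mask_i & 0xFFFFFFFF:
            raise ValueError(f"network {net} has host bits set for mask {mask}")
        entries.append((action, net_i, mask_i))
    return entries

def entry_range(net, mask):
    """First and last address covered by a <net> <mask> pair, as dotted strings."""
    net_i = int(ipaddress.IPv4Address(net))
    mask_i = int(ipaddress.IPv4Address(mask))
    first = net_i & mask_i
    last = first | (~mask_i & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def evaluate(entries, src):
    """First matching entry decides; no match is the implicit deny at the end of the ACL."""
    src_i = int(ipaddress.IPv4Address(src))
    for action, net_i, mask_i in entries:
        if src_i & mask_i == net_i & mask_i:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_105)
    print("172.18.1.8/255.255.255.248 covers", entry_range("172.18.1.8", "255.255.255.248"))
    for host in ("172.18.1.9", "172.18.1.25", "172.18.1.16", "172.18.1.100"):
        print(host, evaluate(acl, host))
```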
04-06-2005 03:57 PM
By "not working" I mean traffic is not allowed. I didn't turn on the logging so I didn't know exactly what the message was. I'll try it out this Friday and see. When I applied an ACL on a non-zero variable-length subnet, I can't get out on the Internet. I looked up the xlate table and saw that my IP address was NATted but no web pages were seen. When I removed the non-zero variable-length subnet and applied my ACL to a variable-length subnet that starts with a zero, then I could go out to the Internet. So I don't know what's going on.
I'll try to turn on logging this Friday and see what kind of message I will get. I'll keep you posted. Thanks.
JD