08-19-2014 07:51 AM - edited 03-11-2019 09:39 PM
Wondering if anyone has any tricks to allow a single /32 out of a /8 on a Cisco non-ASA firewall.
The network is 121.0.0.0/8 and I want to only allow 121.240.128.58/32.
This is pretty messy with multiple lines of summary routes; is there an easier way?
08-19-2014 08:34 AM
With "non-ASA", are you talking about an IOS router? Can you explain in a little more detail what you want to achieve? Just by reading your post it sounds like a simple two/three-line ACL. But probably you want to achieve something different?
ip access-list ext TEST
permit ip host 121.240.128.58 any
deny ip 121.0.0.0 0.255.255.255 any
permit ip any any
08-19-2014 08:34 AM
This wouldn't be an access-list but an access-group applied to an interface on a Cisco firewall context. So we have a customer who has an entire /8 blocked from attack but wants one IP out of that /8 allowed.
08-19-2014 08:43 AM
That's pretty much what the above ACL does: it allows that single IP, denies the /8 and allows the rest. And yes, such an ACL has to be applied to an interface with an access-group command.
08-19-2014 09:21 AM
Problem with that is there are other rules that the host must match against. If I just allow the host at the beginning it will bypass all other rules, won't it?
08-19-2014 10:11 AM
Yes, if that line is at the beginning it will match regardless of what comes later. If you need more control then the way to achieve it is the same: allow the most specific, then deny the next less specific. Then allow again the next less specific, and so on and so on ...
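The first-match behaviour discussed in this thread, as an added example that is not part of the original posts: a small evaluator that parses the source/destination part of extended ACL lines (including Cisco wildcard masks, assumed contiguous; ports are ignored) and applies first match with the implicit trailing deny, showing how the host line only takes effect when it precedes the /8 deny.

```python
import ipaddress

# The ACL from the thread, plus a mis-ordered variant (constructed for comparison).
ACL_CORRECT = """
ip access-list ext TEST
 permit ip host 121.240.128.58 any
 deny ip 121.0.0.0 0.255.255.255 any
 permit ip any any
"""
ACL_MISORDERED = """
ip access-list ext TEST
 deny ip 121.0.0.0 0.255.255.255 any
 permit ip host 121.240.128.58 any
 permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard mask is the inverted netmask (assumes contiguous bits).
    net, wildcard = tokens[0], tokens[1]
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net, original_line)] for permit/deny lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # header line (ip access-list ...) or remark
        action, rest = parts[0], parts[2:]  # parts[1] is the protocol, e.g. 'ip'
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        rules.append((action, src, dst, line.strip()))
    return rules

def evaluate(rules, src, dst):
    """First matching line wins; IOS appends an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, line in rules:
        if s in snet and d in dnet:
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    for name, acl in (("correct", ACL_CORRECT), ("misordered", ACL_MISORDERED)):
        print(name, evaluate(parse_acl(acl), "121.240.128.58", "192.0.2.1"))
```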