06-02-2011 06:14 PM - edited 03-11-2019 01:42 PM
Hi,
For phasing out a certain port - 143 - we decided to block the whole Internet part by part, so as to affect a few customers at a time.
How can I break the Internet IPs into like 5-6 parts and deny each at a time?
Thanks,
John,
06-02-2011 11:12 PM
Hi John,
You can try supernetting on class A addresses. Depending on the mask you choose, you can get either 4 or 8 parts of the entire IP range.
By using a 2-bit mask, i.e. (192.0.0.0), you would get 4 parts:
0.0.0.0 - 63.255.255.255
64.0.0.0 - 127.255.255.255
128.0.0.0 - 191.255.255.255
192.0.0.0 - 255.255.255.255
By using a 3-bit mask, i.e. (224.0.0.0), you would get 8 parts:
0.0.0.0 - 31.255.255.255
32.0.0.0 - 63.255.255.255
64.0.0.0 - 95.255.255.255
96.0.0.0 - 127.255.255.255
128.0.0.0 - 159.255.255.255
160.0.0.0 - 191.255.255.255
192.0.0.0 - 223.255.255.255
224.0.0.0 - 255.255.255.255 //This includes multicast(class D) and experimental(class E) ranges, and can probably be skipped.
Hope this helps.
-Shrikant
P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
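The two tables above are built by hand for 2 and 3 mask bits. As an added example (not part of the original thread), the following Python script generates the same split for any number of bits and renders each part as an ASA-style access-list line in network/netmask form, which is the notation the ASA expects (it does not use wildcard masks). The ACL name outside_access_in and port 143 are taken from the thread; skipping 224.0.0.0/3 (multicast plus the former class E block) follows the remark in the 8-part table.

```python
import ipaddress

IPV4_ALL = ipaddress.IPv4Network("0.0.0.0/0")
# 224.0.0.0/3 is multicast (class D) plus the former class E block; it never
# appears as a unicast source on the Internet, so it can be skipped.
NON_UNICAST = ipaddress.IPv4Network("224.0.0.0/3")


def split_ipv4_space(bits):
    """Split 0.0.0.0/0 into 2**bits equal supernets (bits=2 -> four /2 blocks)."""
    if not 1 <= bits <= 8:
        raise ValueError("use 1..8 bits; more than /8 gives an unwieldy ACL")
    return list(IPV4_ALL.subnets(new_prefix=bits))


def describe(networks):
    """'first - last' ranges in the layout used in the reply above."""
    return [f"{n.network_address} - {n.broadcast_address}" for n in networks]


def asa_deny_lines(networks, acl_name="outside_access_in", port=143,
                   skip_non_unicast=True):
    """Render one ASA access-list entry per block, as 'network netmask'.

    acl_name and port are the values used in the thread; any ACL name works.
    """
    lines = []
    for net in networks:
        if skip_non_unicast and net.subnet_of(NON_UNICAST):
            continue
        lines.append(f"access-list {acl_name} deny tcp "
                     f"{net.network_address} {net.netmask} any eq {port}")
    return lines


if __name__ == "__main__":
    for bits in (2, 3):
        print(f"--- {bits}-bit mask, {2 ** bits} parts ---")
        parts = split_ipv4_space(bits)
        for rng, line in zip(describe(parts), asa_deny_lines(parts, skip_non_unicast=False)):
            print(f"{rng:<32} {line}")
```

Apply the entries one at a time (or in batches), in the order you want customers affected; with 3 bits the 224.0.0.0/3 entry is dropped automatically, leaving seven lines.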
06-03-2011 11:58 AM
Hi Shrikant,
Thank you for your reply. I appreciate it.
In this example:
By using a 2-bit mask, i.e. (192.0.0.0), you would get 4 parts:
0.0.0.0 - 63.255.255.255
64.0.0.0 - 127.255.255.255
128.0.0.0 - 191.255.255.255
192.0.0.0 - 255.255.255.255
So in an ASA 5510 ACL, block these subnets?:
0.0.0.0 192.0.0.0
64.0.0.0 192.0.0.0
128.0.0.0 192.0.0.0
192.0.0.0 192.0.0.0
John
###
Can you comment on the below suggestions, if it makes sense or not.
Called support twice:
One Cisco tech suggested:
access-l outside_access_in deny tcp 0.0.0.0 64.0.0.0 any eq 143 # CLI accepts but asdm does not.
it becomes the 0.0.0.0/64.0.0.0 network as seen in the ASDM ACL rules list.
access-l outside_access_in deny tcp 65.0.0.0 128.0.0.0 any eq 143 #error: does not pair
access-l outisde_access_in deny tcp 129.0.0.0 255.0.0.0 any eq 143 # no effect/change on the ACL list
access-l outside_access_in deny tcp 0.0.0.0 128.0.0.0 any eq 143 # 0.0.0.0/1 *works
access-l outside_access_in deny tcp 128.0.0.0 128.0.0.0 any eq 143 # 128.0.0.0/1 *works
Another Cisco tech suggested these ranges:
0.0.0.0 32.0.0.0
32.0.0.0 32.0.0.0
64.0.0.0 224.0.0.0 --this will include 64-95 range
96.0.0.0 240.0.0.0 --this includes 96-111 fine ?
112.0.0.0 248.0.0.0
120.0.0.0 248.0.0.0
120.0.0.0 252.0.0.0
124.0.0.0 254.0.0.0
126.0.0.0 255.0.0.0
128.0.0.0 224.0.0.0
160.0.0.0 248.0.0.0
168.0.0.0 252.0.0.0
172.0.0.0 255.240.0.0
172.32.0.0 255.224.0.0
172.64.0.0 255.192.0.0
172.128.0.0 255.128.0.0
173.0.0.0 255.0.0.0
174.0.0.0 254.0.0.0
182.0.0.0 254.0.0.0
184.0.0.0 254.0.0.0
188.0.0.0 252.0.0.0
192.0.0.0 255.128.0.0
192.128.0.0 255.224.0.0
192.169.0.0 255.255.0.0
192.170.0.0 255.254.0.0
192.172.0.0 255.252.0.0
192.176.0.0 255.240.0.0
192.192.0.0 255.192.0.0
193.0.0.0 255.0.0.0
194.0.0.0 254.0.0.0
196.0.0.0 252.0.0.0
200.0.0.0 248.0.0.0
208.0.0.0 240.0.0.0
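Both support suggestions above are hand-built lists of network/mask pairs, and the first attempt shows the two ways such a pair can go wrong on the ASA: a mask that is not a contiguous run of 1-bits (64.0.0.0, which ASDM refused) and a network with bits set outside the mask (65.0.0.0 with 128.0.0.0, the "does not pair" error). A longer list can also overlap itself or leave holes. The following Python checker is an added example, not from the thread or from Cisco; it validates each pair with the standard netmask rules, then reports duplicated coverage and any part of 0.0.0.0/0 the accepted pairs leave open. The two sample lists are copied from the posts above (the second one only up to 126.0.0.0).

```python
import ipaddress


def check_pair(network, mask):
    """Validate an ASA-style 'network mask' pair.

    Returns (True, "a.b.c.d/n") when the pair is usable, else (False, reason).
    """
    try:
        n = ipaddress.IPv4Address(network)
        m = ipaddress.IPv4Address(mask)
    except ValueError as exc:
        return False, f"not an IPv4 address: {exc}"
    # A netmask is a run of 1-bits followed by 0-bits (255.224.0.0, 224.0.0.0),
    # so its complement plus one must be a power of two; 64.0.0.0 fails this.
    inv = (~int(m)) & 0xFFFFFFFF
    if (inv + 1) & inv:
        return False, f"{mask} is not a contiguous netmask"
    # Every set bit of the network must lie inside the mask ("does not pair").
    if int(n) & int(m) != int(n):
        return False, f"{network} is not aligned to {mask}"
    return True, str(ipaddress.IPv4Network((network, mask)))


def coverage_report(pairs):
    """Accept/reject each pair, then measure overlap and gaps against 0.0.0.0/0."""
    accepted, rejected = [], []
    for network, mask in pairs:
        ok, detail = check_pair(network, mask)
        if ok:
            accepted.append(ipaddress.IPv4Network(detail))
        else:
            rejected.append(f"{network} {mask}: {detail}")
    # collapse_addresses drops subsumed blocks and merges adjacent ones, so the
    # difference between claimed and collapsed sizes is the double-counted space.
    collapsed = list(ipaddress.collapse_addresses(accepted))
    claimed = sum(n.num_addresses for n in accepted)
    covered = sum(n.num_addresses for n in collapsed)
    # Carve each covered block out of the full space; what remains is uncovered.
    gaps = [ipaddress.IPv4Network("0.0.0.0/0")]
    for net in collapsed:
        remaining = []
        for gap in gaps:
            if net.subnet_of(gap):
                remaining.extend(gap.address_exclude(net))
            elif gap.subnet_of(net):
                continue  # this gap is entirely inside a covered block
            else:
                remaining.append(gap)
        gaps = remaining
    return {
        "accepted": [str(n) for n in accepted],
        "rejected": rejected,
        "overlap": claimed - covered,
        "gaps": [str(g) for g in sorted(gaps)],
    }


# The five lines tried with the first Cisco tech (from the post above).
FIRST_TECH = [
    ("0.0.0.0", "64.0.0.0"),
    ("65.0.0.0", "128.0.0.0"),
    ("129.0.0.0", "255.0.0.0"),
    ("0.0.0.0", "128.0.0.0"),
    ("128.0.0.0", "128.0.0.0"),
]

# The second tech's list up to 126.0.0.0 (from the post above).
SECOND_TECH_EXCERPT = [
    ("0.0.0.0", "32.0.0.0"), ("32.0.0.0", "32.0.0.0"),
    ("64.0.0.0", "224.0.0.0"), ("96.0.0.0", "240.0.0.0"),
    ("112.0.0.0", "248.0.0.0"), ("120.0.0.0", "248.0.0.0"),
    ("120.0.0.0", "252.0.0.0"), ("124.0.0.0", "254.0.0.0"),
    ("126.0.0.0", "255.0.0.0"),
]

if __name__ == "__main__":
    for name, pairs in (("first tech", FIRST_TECH), ("second tech", SECOND_TECH_EXCERPT)):
        rep = coverage_report(pairs)
        print(f"--- {name} ---")
        for r in rep["rejected"]:
            print("rejected:", r)
        print("accepted:", ", ".join(rep["accepted"]))
        print("double-counted addresses:", rep["overlap"])
        print("uncovered:", ", ".join(rep["gaps"]) or "none")
```

Run it on a candidate list before pasting it into the ASA: the pairs it rejects are the ones the CLI or ASDM will complain about, and a non-zero overlap or a non-empty gap list means some customers would be hit twice or never, which defeats the purpose of a staged rollout.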