11-10-2010 11:51 AM - edited 03-11-2019 12:07 PM
Hello,
Can someone tell me if there is a shorter solution to convert those lines in a router ACL to my rule base in ASA / CSM?
...
...
access-list 109 deny ip 10.0.0.0 0.15.56.127 10.4.8.0 0.0.0.255
access-list 109 permit ip 10.0.0.0 0.15.56.127 any
...
...
Thanks,
Dave
11-10-2010 12:01 PM
Hi,
You are using a wildcard mask to define a weird group of addresses.
access-list 109 deny ip 10.0.0.0 0.15.56.127 10.4.8.0 255.255.255.0
access-list 109 permit ip 10.0.0.0 0.15.56.127 any
The ASA won't support wildcards and only supports subnet masks.
So to convert those rules to ASA you will need to create the list of entries in the ACL with the appropriate subnet mask.
Just out of curiosity... what is the purpose of the above ACL in your router?
Federico.
11-10-2010 12:16 PM
Thanks for the response, even if I kind of knew the answer... I was wondering if someone came up with a solution.
Those weird wildcards are meant for special ranges of IP to access another range of IP.
Instead of repeating lines for nothing, and since the environment (subnet) is defined like that in every other subnet, they implemented bizarre wildcards like that. In one line, I can include every other line, see the following...
deny 10.1.8.0 - 127 10.4.8.0 255.255.255.0 (range of IP)
permit 10.1.8.0 - 127 10.4.8.0 255.255.248.0 (complete subnet)
deny 10.1.16.0 - 127 10.4.8.0 255.255.255.0
permit 10.1.16.0 - 127 10.4.8.0 255.255.248.0
deny 10.1.24.0 - 127 10.4.8.0 255.255.255.0
permit 10.1.24.0 - 127 10.4.8.0 255.255.248.0
...
...
...
deny 10.15.248.0 - 127 10.4.8.0 255.255.255.0
permit 10.15.248.0 - 127 10.4.8.0 255.255.248.0
Best regards,
Dave
11-10-2010 12:39 PM
There's no way to use wildcard masks in ASAs.
I guess one option would be to create object-groups.
You can group networks in one object (and have several objects), and then reference the permit/deny statements between objects.
This will simplify the configuration.
Federico.
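Worked example, added here and not code from either post: a Python script that expands an IOS wildcard mask into the list of subnets an ASA will accept and emits the object-group Federico describes, plus the two ACEs from the question. The trailing run of "don't care" bits in the wildcard becomes the prefix length; every "don't care" bit above that run has to be enumerated, so 0.15.56.127 (four free bits in the second octet, three in the third, seven contiguous low bits) becomes 2^7 = 128 entries of /25. The object-group name WILD_SRC and the ACL name OUTSIDE_IN are made-up placeholders.

```python
"""Expand an IOS wildcard-mask match into ASA-compatible subnets.

Added example for this thread (not code from the original posts).
WILD_SRC and OUTSIDE_IN are made-up placeholder names.
"""
import ipaddress
from itertools import product
from typing import List


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ios_matches(base: str, wildcard: str, host: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(host) & care) == (_to_int(base) & care)


def wildcard_to_prefixes(base: str, wildcard: str,
                         max_entries: int = 4096) -> List[ipaddress.IPv4Network]:
    """Return the minimal, sorted list of prefixes equal to 'base wildcard'.

    The trailing run of don't-care bits becomes the prefix length. Each
    don't-care bit above that run cannot be expressed by a subnet mask, so
    the result enumerates all 2**k combinations of those k bits.
    """
    b, w = _to_int(base), _to_int(wildcard)
    host_bits = 0
    while host_bits < 32 and (w >> host_bits) & 1:
        host_bits += 1
    free_bits = [i for i in range(host_bits, 32) if (w >> i) & 1]
    if 2 ** len(free_bits) > max_entries:
        # Guard against pathological masks (e.g. 85.85.85.85 -> 32768 prefixes)
        raise ValueError(f"wildcard {wildcard} expands to {2 ** len(free_bits)} prefixes")
    fixed = b & ~w & 0xFFFFFFFF  # bits the match pins to the base value
    prefix_len = 32 - host_bits
    nets = []
    for combo in product((0, 1), repeat=len(free_bits)):
        addr = fixed
        for bit, pos in zip(combo, free_bits):
            addr |= bit << pos
        nets.append(ipaddress.IPv4Network((addr, prefix_len)))
    return sorted(nets)


def asa_object_group(name: str, base: str, wildcard: str) -> List[str]:
    """ASA 'object-group network' block covering the same addresses."""
    lines = [f"object-group network {name}"]
    for n in wildcard_to_prefixes(base, wildcard):
        lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines


def asa_ace(acl: str, action: str, src_group: str,
            dst_base: str, dst_wildcard: str) -> str:
    """One ASA extended ACE; the destination must be a single subnet."""
    dst = wildcard_to_prefixes(dst_base, dst_wildcard)
    if len(dst) != 1:
        raise ValueError("destination is non-contiguous too; put it in a group as well")
    if dst[0].prefixlen == 0:
        dst_txt = "any"
    else:
        dst_txt = f"{dst[0].network_address} {dst[0].netmask}"
    return f"access-list {acl} extended {action} ip object-group {src_group} {dst_txt}"


def convert_thread_example() -> List[str]:
    """The two IOS lines from the question, rendered for the ASA."""
    cfg = asa_object_group("WILD_SRC", "10.0.0.0", "0.15.56.127")
    cfg.append(asa_ace("OUTSIDE_IN", "deny", "WILD_SRC", "10.4.8.0", "0.0.0.255"))
    cfg.append(asa_ace("OUTSIDE_IN", "permit", "WILD_SRC", "0.0.0.0", "255.255.255.255"))
    return cfg


if __name__ == "__main__":
    print("\n".join(convert_thread_example()))
```

Running it prints the object-group with 128 network-object lines (10.0.0.0 255.255.255.128 through 10.15.56.0 255.255.255.128) followed by the deny and permit ACEs. Two checks are worth doing before pasting the result into the ASA: compare the expanded list against the address ranges you expect the router ACL to cover (the `ios_matches` helper reproduces the router's bit test for a single host), and keep in mind that the ASA expands an ACE referencing an object-group into one ACE per member, so a wildcard with many non-contiguous bits multiplies the ACL size accordingly; the `max_entries` guard is there to catch masks that would expand into thousands of entries.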
11-10-2010 12:45 PM
Hello again,
Yep, I know... but it's going to be a pain to implement...
Best regards,
Dave
11-10-2010 12:49 PM
I guess it's not as nice as just converting the commands to the ASA... but the nice part is that once you've created the object-groups you can manage the subnets just as you did with the routers.
I mean... just reference the entire object-group (rather than the wildcard statements in the ACL).
Federico.