Convert a strange ACL line to a rule in ASA

Dave Tremblay
Level 1

Hello,

Can someone tell me if there is a shorter solution to convert those lines in a router ACL to my rule base in ASA / CSM ?

...

...

access-list 109 deny   ip 10.0.0.0 0.15.56.127 10.4.8.0 0.0.0.255
access-list 109 permit ip 10.0.0.0 0.15.56.127 any

...

...

Thanks,

Dave

1 Accepted Solution

Accepted Solutions

Hi,

You are using a wildcard mask to define a weird group of addresses.

access-list 109 deny   ip 10.0.0.0 0.15.56.127 10.4.8.0 0.0.0.255

access-list 109 permit ip 10.0.0.0 0.15.56.127 any

The ASA won't support wildcards and only supports subnet masks.

So to convert those rules to ASA you will need to create the list of entries in the ACL with the appropriate subnet mask.

Just out of curiosity... what is the purpose of the above ACL in your router?

Federico.


5 Replies


Thanks for the response, even if I kind of knew the answer... I was wondering if someone came up with a solution.

Those weird wildcards are meant for special ranges of IPs to access another range of IPs.

Instead of repeating lines for nothing, and since the environment (subnet) is defined like that in every other subnet, they implemented bizarre wildcards like that. In one line, I can include every other line, see the following...

deny 10.1.8.0 - 127    10.4.8.0 255.255.255.0  (range of IP)

permit 10.1.8.0 - 127  10.4.8.0 255.255.248.0 (complete subnet)

deny 10.1.16.0 - 127    10.4.8.0 255.255.255.0

permit 10.1.16.0 - 127  10.4.8.0 255.255.248.0

deny 10.1.24.0 - 127    10.4.8.0 255.255.255.0

permit 10.1.24.0 - 127  10.4.8.0 255.255.248.0

...

...

...

deny 10.15.248.0 - 127    10.4.8.0 255.255.255.0

permit 10.15.248.0 - 127  10.4.8.0 255.255.248.0

Best regards,

Dave

There's no way to use wildcard masks in ASAs.

I guess one option would be to create object-groups.

You can group networks in one object (and have several objects), and then reference the permit/deny statements between objects.

This will simplify the configuration.

Federico.
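Both of Federico's replies come down to the same mechanical job: turn each non-contiguous wildcard mask into the set of contiguous-mask networks it selects, then put those networks into an object-group that the ASA ACL references. The script below is an added example written for this thread, not code from the forum or from Cisco. It expands an IOS base/wildcard pair into the minimal list of CIDR networks (the contiguous low-order "don't care" bits become the prefix length; every "don't care" bit above that run doubles the number of networks), checks that the expansion covers exactly the addresses the wildcard matches, and prints ASA object-group and access-list lines. For the mask as posted, 10.0.0.0 0.15.56.127, that is 128 networks of /25 (second octet 0 to 15, third octet 0 to 56 in steps of 8, hosts 0 to 127). The ACL name OUTSIDE_IN and the object-group name SRC_WILDCARD_109 are made up for illustration.

```python
"""Expand a Cisco IOS wildcard-mask ACL entry into ASA object-group syntax.

Added example for the thread above, not from the original post. The names
OUTSIDE_IN and SRC_WILDCARD_109 are assumptions chosen for illustration.
"""
import ipaddress
from itertools import product


def expand_wildcard(base, wildcard):
    """Return the minimal sorted list of IPv4Network covering base/wildcard.

    In a wildcard mask a 1 bit means "don't care". The low-order run of
    contiguous 1 bits becomes the host part (prefix length); each 1 bit above
    that run must be enumerated, because ASA masks have to be contiguous.
    """
    a = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    low = 0
    while low < 32 and (w >> low) & 1:
        low += 1
    prefix_len = 32 - low
    high_bits = [b for b in range(low, 32) if (w >> b) & 1]
    fixed = a & ~w & 0xFFFFFFFF  # the bits the ACL actually pins down
    nets = []
    for combo in product((0, 1), repeat=len(high_bits)):
        addr = fixed
        for bit, on in zip(high_bits, combo):
            if on:
                addr |= 1 << bit
        nets.append(ipaddress.IPv4Network((addr, prefix_len)))
    return sorted(nets)


def wildcard_matches(addr, base, wildcard):
    """True if addr is selected by base/wildcard, the way IOS evaluates it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def verify_expansion(base, wildcard):
    """Check the expansion covers exactly the addresses the wildcard selects.

    A wildcard with k "don't care" bits selects 2**k addresses; the networks
    must add up to that count and every address in them must match.
    """
    nets = expand_wildcard(base, wildcard)
    w = int(ipaddress.IPv4Address(wildcard))
    expected_count = 1 << bin(w).count("1")
    if sum(n.num_addresses for n in nets) != expected_count:
        return False
    # Iterating an IPv4Network yields every address, network and broadcast included.
    return all(wildcard_matches(str(h), base, wildcard) for n in nets for h in n)


def asa_config(acl_name, group_name, nets, dst_net, dst_mask):
    """Emit the ASA equivalent of the two-line IOS ACL quoted in the thread."""
    lines = [f"object-group network {group_name}"]
    for n in nets:
        lines.append(f" network-object {n.network_address} {n.netmask}")
    lines.append(f"access-list {acl_name} extended deny ip object-group {group_name} {dst_net} {dst_mask}")
    lines.append(f"access-list {acl_name} extended permit ip object-group {group_name} any")
    return lines


if __name__ == "__main__":
    base, wildcard = "10.0.0.0", "0.15.56.127"   # the mask from the original post
    nets = expand_wildcard(base, wildcard)
    if not verify_expansion(base, wildcard):
        raise SystemExit("expansion does not match the wildcard")
    print("\n".join(asa_config("OUTSIDE_IN", "SRC_WILDCARD_109", nets, "10.4.8.0", "255.255.255.0")))
```

Paste the printed block into the ASA (or import the object-group into CSM) and the two access-list lines replace the two IOS entries. The verify step is worth keeping: a hand-expanded list is exactly where an entry gets dropped or an extra /25 slips in, which silently widens or narrows the deny.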

Hello again,

Yep, I know... but it's going to be a pain to implement...

Best regards,

Dave

I guess it's not as nice as just converting the commands to the ASA... but the nice part is that once you have created the object-groups you can manage the subnets just as you did with the routers.

I mean... just reference the entire object-group (instead of the wildcard statements in the ACL).

Federico.
