10-08-2014 04:20 PM - edited 03-11-2019 09:53 PM
Hello
I would like to permit only a few IP addresses from various subnets through an FWSM. Is there a way to summarize this in order to reduce the number of ACL rules? We have over 200 subnets, all starting 10.10.<building>.0/24. I would like to only permit IPs 10.10.x.248 and above from each building. Do FWSMs allow discontiguous masks? For example, could I add a rule 10.10.0.248 / 255.255.0.248? I tried the config via ASDM and it took it but changed the format to 10.10.0.248/29, so I'm not sure whether it will allow any value in the third octet.
Thanks
Amy
10-08-2014 10:50 PM
Hi,
It would not be possible.
You would have to create a separate ACE for each subnet range.
Thanks and Regards,
Vibhor Amrodia
10-09-2014 09:35 AM
Hi Vibhor
Thanks for the feedback. I just looked at the config via the CLI and this is the entry for the ACL:
access-list FWGLUE_access_in extended permit ip host 197.42.33.49 10.10.0.248 255.255.0.248
It looks like it took the original configuration I entered, are you sure it won't work?
Thanks
Amy
10-09-2014 08:13 PM
Hi Amy,
Thank you for your reply. I tested it and it seems to be working for me.
Can you try this ACL and let me know if you face any issues?
Thanks and Regards,
Vibhor Amrodia
10-09-2014 09:14 PM
Thanks Vibhor, that sounds promising! I will test this out too asap :)
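The question in this thread comes down to how an ACE compares a packet address against an entry whose mask is not a contiguous run of ones. The following is an added example, not code from the thread or from Cisco: it simulates the bitwise-AND comparison a firewall ACE performs, checks the mask 255.255.0.248 from Amy's ACL against constructed sample addresses, and contrasts it with the contiguous /29 (255.255.255.248) that ASDM displayed. The address list and the mask names are assumptions made for the illustration.

```python
"""
Added example (not from the original thread): model how an ACE with a
discontiguous (non-contiguous) netmask matches addresses, and show how it
differs from the contiguous /29 that ASDM rendered it as.
"""
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(addr: str, network: str, mask: str) -> bool:
    """True if addr matches network/mask.

    An ACE compares (packet_address AND mask) with (entry_address AND mask).
    Nothing in that comparison requires the mask bits to be contiguous, which
    is why a mask like 255.255.0.248 can wildcard the third octet while still
    pinning the top five bits of the fourth octet.
    """
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(network) & m)


def mask_is_contiguous(mask: str) -> bool:
    """True for ordinary prefix masks (ones followed by zeros), False for a
    discontiguous mask such as 255.255.0.248. Inverting a contiguous mask
    gives 2**k - 1, which has no bits in common with itself plus one."""
    inv = (~_to_int(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def matched_hosts(network: str, mask: str, candidates: list) -> list:
    """Filter a candidate list down to the addresses the ACE would permit."""
    return [c for c in candidates if ace_matches(c, network, mask)]


def matched_in_building(network: str, mask: str, building: int) -> list:
    """Every address in 10.10.<building>.0/24 that the ACE would match.

    The constructed building subnet follows the 10.10.<building>.0/24 scheme
    described in the thread (an assumption for this example)."""
    subnet = ipaddress.IPv4Network(f"10.10.{building}.0/24")
    return [str(h) for h in subnet if ace_matches(str(h), network, mask)]


# Constructed sample addresses (not taken from any real configuration).
SAMPLE_ADDRESSES = [
    "10.10.0.248",    # building 0, in the .248-.255 range
    "10.10.0.255",
    "10.10.57.250",   # another building, in range
    "10.10.200.248",
    "10.10.57.247",   # just below the permitted range
    "10.10.57.10",
    "10.11.57.250",   # wrong second octet
]

# The ACL entry as Amy saw it in the CLI, and the /29 ASDM displayed.
CLI_NETWORK, CLI_MASK = "10.10.0.248", "255.255.0.248"
ASDM_MASK = "255.255.255.248"          # what 10.10.0.248/29 would mean


if __name__ == "__main__":
    print("mask", CLI_MASK, "contiguous:", mask_is_contiguous(CLI_MASK))
    print("mask", ASDM_MASK, "contiguous:", mask_is_contiguous(ASDM_MASK))
    print("CLI mask matches :", matched_hosts(CLI_NETWORK, CLI_MASK, SAMPLE_ADDRESSES))
    print("/29 would match  :", matched_hosts(CLI_NETWORK, ASDM_MASK, SAMPLE_ADDRESSES))
    print("building 57, CLI mask:", matched_in_building(CLI_NETWORK, CLI_MASK, 57))
```

The point the output makes is the one Amy was worried about: with 255.255.0.248 every building's .248 through .255 is matched (eight hosts per /24, any third octet), whereas a genuine /29 would match only 10.10.0.248 through 10.10.0.255. Since the ASDM rendering and the running configuration disagree about what the entry means, the running config (`show running-config access-list` or `show access-list`) is the one to trust, and it is worth testing a host from a building other than 10.10.0.0/24 before relying on the entry.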