Does a network-object need to be a valid network or is it just used as a boolean object?

b8mnr5401
Level 1

We have an environment using class B networks where the third octet is used as a device type identifier.

For example, a 60 in the third octet identifies a printer and a 92 is a desktop to be denied internet.

We want to prevent printers from accessing the internet.

In this environment, we use a 5520 ASA running 8.0(4) as our firewall.

I configured the ACL and ran packet tracer, and I see that my network object definition appears to perform as desired, as shown in the "show access-list" output below:

  access-list BlockWeb6 line 3 extended deny ip 0.0.60.0 0.0.255.0 any (hitcnt=11) 0xb6b2fbd0

  access-list BlockWeb6 line 3 extended deny ip 0.0.92.0 0.0.255.0 any (hitcnt=33) 0x0737b411

Will my "network-object 0.0.60.0 0.0.255.0" and "network-object 0.0.92.0 0.0.255.0" only match traffic where the third octet is a 60 or a 92 as I intend it to?

I have added this assuming that the network address and mask specified are simply used in a boolean operation to determine a true/false result.

Does anyone have a definitive answer?

1 Reply

Seok-hwan Kim
Level 1

I have a similar problem.

- CT5508 and AP1142 flexconnect mode

- SSID Data locally switching with FlexConnect Access Control Lists

uw_14f_ap1142#sh access-lists
Extended IP access list Test_0429
    10 permit udp any range 0 65535 any eq bootps (1 match)
    20 permit ip any host 0.0.60.0 (1 match) -  If this ACL rule "0.0.60.0" is not present, clients do not receive the assigned IP.

If you have the same problem or know any information, please tell me the details.
