We have an environment using class B networks where the third octet is used as a device type identifier.
For example, a 60 in the third octet identifies a printer and a 92 is a desktop to be denied internet.
We want to prevent printers from accessing the internet.
In this environment, we use a 5520 ASA running 8.0(4) as our firewall.
I configured an ACL and ran packet tracer and see that my network object definition appears to perform as desired, as shown in the "show access-list" output below:
access-list BlockWeb6 line 3 extended deny ip 0.0.60.0 0.0.255.0 any (hitcnt=11) 0xb6b2fbd0
access-list BlockWeb6 line 3 extended deny ip 0.0.92.0 0.0.255.0 any (hitcnt=33) 0x0737b411
Will my "network-object 0.0.60.0 0.0.255.0" and "network-object 0.0.92.0 0.0.255.0" only match traffic where the third octet is a 60 or a 92 as I intend it to?
I have added this assuming that the network address and mask specified are simply used in a boolean operation to determine a true/false result.
Does anyone have a definitive answer?
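
The matching model assumed in the question, written out as an added example (not part of the original post and not Cisco code): it parses the two "show access-list" lines quoted above and tests constructed source addresses against them. The rule `(source AND mask) == (network AND mask)` is the post's assumption about how the ASA compares addresses; the function names and sample addresses are made up for illustration.

```python
import ipaddress
import re

# The two entries quoted in the post, as printed by "show access-list".
ACL_OUTPUT = """\
access-list BlockWeb6 line 3 extended deny ip 0.0.60.0 0.0.255.0 any (hitcnt=11) 0xb6b2fbd0
access-list BlockWeb6 line 3 extended deny ip 0.0.92.0 0.0.255.0 any (hitcnt=33) 0x0737b411
"""

ENTRY_RE = re.compile(
    r"access-list\s+\S+\s+line\s+\d+\s+extended\s+"
    r"(?P<action>permit|deny)\s+ip\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+any"
)


def to_int(dotted):
    # IPv4Address accepts any dotted quad, including a non-contiguous mask.
    return int(ipaddress.IPv4Address(dotted))


def parse_entries(text):
    """Return (action, network, mask) tuples in the order they are listed."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append((m["action"], to_int(m["net"]), to_int(m["mask"])))
    return entries


def matches(src, net, mask):
    # Assumed rule: only the bits set in the mask are compared.
    return (to_int(src) & mask) == (net & mask)


def evaluate(src, entries):
    """First matching entry decides; None means neither quoted entry matched."""
    for action, net, mask in entries:
        if matches(src, net, mask):
            return action
    return None


if __name__ == "__main__":
    entries = parse_entries(ACL_OUTPUT)
    # Constructed sample sources: 60 or 92 placed in different octets.
    for src in ("172.16.60.25", "10.200.92.7", "172.16.61.25",
                "172.60.16.25", "172.16.16.92"):
        print(src, "->", evaluate(src, entries))
```

Under this model only the third octet is compared, so a 60 or 92 in any other octet does not match either entry.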