Solved: IP ranges on FWSM

Jacob Berger · ‎09-22-2013

is it possible to create IP ranges as some sort of object on FWSM (4.0)?

i see option for network objects (hosts or subnets) and network object groups, but no choice to create ranges.

thanks

Jouni Forss · ‎09-23-2013

Hi,

I can't remember that there would be any option to specify a range of IP addresses on the FWSM or an ASA/PIX running 8.2 or below software level.

I guess the only way would be to small subnets to define the IP ranges and the IP addresses that dont fit the range would be added as single "host" addresses inside the "object-group network". This could potentially result in a very messy configuration in the "object-group" but I can't think of any other solution at the moment. Especially since FWSM can't even handle the software that would support the new "object network" configurations.

- Jouni

View solution in original post

Jouni Forss · ‎09-23-2013

Hi,

I can't remember that there would be any option to specify a range of IP addresses on the FWSM or an ASA/PIX running 8.2 or below software level.

I guess the only way would be to small subnets to define the IP ranges and the IP addresses that dont fit the range would be added as single "host" addresses inside the "object-group network". This could potentially result in a very messy configuration in the "object-group" but I can't think of any other solution at the moment. Especially since FWSM can't even handle the software that would support the new "object network" configurations.

- Jouni

Jacob Berger · ‎09-23-2013

mmmm not very helpfull that.

i wonder how people worked with that in the past

no wonder the FWSM is EOL

Jouni Forss · ‎09-23-2013

Though the same problem is with the ASA and PIX all the way to the 8.2 software level. In software level 8.3 and above you can define "object network " and "range" inside it. You can then group the "object network" inside an "object-group network" if you want to group multiple ranges in one object. The "object network" can only hold a single host/subnet/range.

What is the exact situation where you want to use an IP range?

What are you trying to do for the hosts in the IP range?

Maybe there is some alternative way to go about it. But I admit that its a problem. There are some other "object-group" related problems or missing functionality that is making life hard for some firewall admins.

- Jouni

Jacob Berger · ‎09-23-2013

the FWSM is in use for the lan - blocking and allowing access fron one vlan to another.

maybe the design of the vlans wanst very good because i have printers and user PCs in the same vlans

i am trying to block users from accessesing other usewr vlans but allowing them access to printers ( the printers are set up as a range in the the user segment).

Jacob Berger · ‎09-24-2013

come to think of it , most of the printing is done on print server and the users PCs dont need direct access to printers ' so it might not be such a problem afterall