04-09-2003 11:43 AM - edited 02-20-2020 10:40 PM
The following access-list works on a Cisco router; however, the list will not work on the PIX (I change the wildcard mask to a subnet mask for the PIX).
Router (works)
access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80
PIX (does not work)
access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80
I receive the following error message on the PIX:
ERROR: Source address,mask <192.168.1.50, 0.0.0.10> doesn't pair
Is there a way to group IP addresses together on the PIX in a similar fashion as Cisco IOS?
Thank you!
Domo Arigato!
04-10-2003 06:46 AM
You can only use
192.168.1.48 255.255.255.248 for the source, or if this is too many hosts you have to insert a separate entry for each source.
Of course you can deny host 192.168.1.49 and
allow the others permit 192.168.1.48 255.255.255.248
04-09-2003 12:17 PM
The command is:
access-list test permit tcp 192.168.1.50 (subnet mask) host 10.10.10.1 eq 80
04-10-2003 04:52 AM
The goal is to create a single access-list statement that covers several hosts.
Example:
Permit hosts 192.168.1.50 - 192.168.1.54 to access web server on host 10.10.10.1.
Can a single access-list statement be created that permits all five of the above hosts port 80 access to the web server on host 10.10.10.1?
Trying to avoid entering an access-list statement for each host needing access to web server.
Thanks.
04-10-2003 06:26 AM
What PIX OS version are you running? Recent versions support an object group concept, where you can group associated things to do exactly what you seek.
Matt
04-16-2003 04:04 AM
Version 6.2(2)
Thanks for the input on object groups. I'll do more research and see if object groups offer a viable solution.
Thanks-
04-16-2003 04:22 AM
The PIX uses subnet masks, not wildcard masks, that's why you get the address, mask doesn't pair error...
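Added example, not part of any post in this thread: a Python sketch that checks whether an address and mask "pair", lists the exact subnet-mask entries covering 192.168.1.50 - 192.168.1.54, and shows which extra hosts the broader 192.168.1.48 255.255.255.248 entry would also permit. It assumes the PIX check amounts to "the mask is a contiguous subnet mask and the address has no bits set outside it"; the function names are hypothetical.

```python
import ipaddress

def is_subnet_mask(mask: str) -> bool:
    """True when the mask is contiguous ones followed by zeros (a subnet mask)."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0  # inverted mask must be 2**k - 1

def pairs(address: str, mask: str) -> bool:
    """Assumed model of the PIX check: subnet mask, no address bits outside it."""
    if not is_subnet_mask(mask):
        return False
    addr = int(ipaddress.IPv4Address(address))
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (addr & host_bits) == 0

def exact_entries(first: str, last: str) -> list:
    """Smallest set of (address, subnet mask) pairs matching exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]

def extra_hosts(network: str, mask: str, first: str, last: str) -> list:
    """Addresses a broader entry matches that lie outside first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.ip_network(f"{network}/{mask}")
    # Iterating the network yields every address, including the first and last.
    return [str(a) for a in net if not lo <= a <= hi]

if __name__ == "__main__":
    # Values taken from the thread.
    for addr, mask in [("192.168.1.50", "0.0.0.10"),
                       ("192.168.1.50", "255.255.255.248"),
                       ("192.168.1.48", "255.255.255.248")]:
        print(addr, mask, "pairs" if pairs(addr, mask) else "doesn't pair")
    for addr, mask in exact_entries("192.168.1.50", "192.168.1.54"):
        print("exact entry:", addr, mask)
    print("also permitted by .48/29:",
          extra_hosts("192.168.1.48", "255.255.255.248",
                      "192.168.1.50", "192.168.1.54"))
```

The exact cover needs three entries, while the single /29 entry is shorter but also admits three addresses outside the intended range.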