1371 Views | 0 Helpful | 6 Replies

PIX Access-list question

davelockerby (Level 1)

The following access-list works on a Cisco router; however, the list will not work on the PIX (I changed the wildcard mask to a subnet mask for the PIX).

Router (works)

access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80

PIX (does not work)

access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80

I receive the following error message on the PIX:

ERROR: Source address,mask <192.168.1.50, 0.0.0.10> doesn't pair

Is there a way to group IP addresses together on the PIX in a similar fashion as Cisco IOS?

Thank You!

Domo Arigato!

Accepted Solution

You can only use 192.168.1.48 255.255.255.248 for the source, or if these are too many hosts you have to insert a separate entry for each source.

Of course you can deny host 192.168.1.49 and allow the others:

permit 192.168.1.48 255.255.255.248


6 Replies

apriore685 (Level 1)

The command is:

access-list test permit tcp 192.168.1.50 (subnet mask) host 10.10.10.1 eq 80

Goal is to create single access-list statement that covers several hosts.

Example:

Permit hosts 192.168.1.50 - 192.168.1.54 to access web server on host 10.10.10.1.

Can a single access-list statement be created that permits all five of the above hosts port 80 access to the web server on host 10.10.10.1?

Trying to avoid entering an access-list statement for each host needing access to web server.

Thanks.

What PIX OS version are you running? Recent versions support an object group concept, where you can group associated things to do exactly what you seek.

Matt

Version 6.2(2)

Thanks for the input on object groups. I'll do more research and see if object groups offer a viable solution.

Thanks-


2gcatron (Level 1)

The PIX uses subnet masks, not wildcard masks, that's why you get the address, mask doesn't pair error...
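Added example (not from the thread, and not Cisco code): a small Python checker for the two mask semantics discussed above. It enumerates which hosts an IOS wildcard entry actually matches, models the PIX "address, mask doesn't pair" check (assumption: the PIX wants a contiguous subnet mask and an address with no host bits set), and renders either the single /29 entry from the accepted solution or, when the hosts are not one aligned block, an object-group with one `network-object host` per source, using the PIX 6.2+ object-group syntax. The hosts, destination, ACL name and group name are the thread's values or constructed placeholders. Running it shows why verifying an entry before deployment matters: the IOS entry `192.168.1.50 0.0.0.5` matches 50, 51, 54 and 55, not 50 through 54.

```python
import ipaddress
from typing import Iterable, List

# ---- IOS wildcard-mask semantics -------------------------------------------
def wildcard_matches(entry: str, wildcard: str, candidate: str) -> bool:
    """IOS rule: a 1 bit in the wildcard means 'don't care'; the candidate
    matches when every bit the wildcard leaves significant is equal."""
    e = int(ipaddress.IPv4Address(entry))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = (~w) & 0xFFFFFFFF
    return (e & care) == (c & care)

def hosts_matched_by_wildcard(entry: str, wildcard: str,
                              scope: str = "192.168.1.0/24") -> List[str]:
    """Every address in `scope` (constructed /24) the IOS entry would match."""
    return [str(a) for a in ipaddress.ip_network(scope)
            if wildcard_matches(entry, wildcard, str(a))]

# ---- PIX subnet-mask semantics ---------------------------------------------
def is_contiguous_mask(mask: str) -> bool:
    """A subnet mask is a run of 1 bits followed by 0 bits (255.255.255.248 is,
    0.0.0.10 is not)."""
    m = int(ipaddress.IPv4Address(mask))
    zeros = (~m) & 0xFFFFFFFF          # the trailing zero bits, as ones
    return (zeros & (zeros + 1)) == 0  # true only for values of the form 2^k - 1

def pix_pair_ok(entry: str, mask: str) -> bool:
    """Model (assumption) of the PIX 'address, mask doesn't pair' check:
    contiguous mask, and no address bits set outside the mask."""
    if not is_contiguous_mask(mask):
        return False
    e = int(ipaddress.IPv4Address(entry))
    m = int(ipaddress.IPv4Address(mask))
    return (e & m) == e

def hosts_matched_by_subnet(entry: str, mask: str) -> List[str]:
    """Every address covered by a PIX-style address/subnet-mask pair."""
    return [str(a) for a in ipaddress.ip_network(f"{entry}/{mask}", strict=False)]

# ---- Rendering a PIX ACL for a wanted set of source hosts ------------------
def pix_acl_for_hosts(hosts: Iterable[str], dst: str = "10.10.10.1",
                      port: str = "80", acl: str = "test",
                      group: str = "WEB_CLIENTS") -> List[str]:
    """One ACE with a subnet mask if the hosts form a single aligned block,
    otherwise an object-group with a separate host entry per source
    (object-group syntax as introduced in PIX 6.2; group name is constructed)."""
    ordered = sorted(hosts, key=ipaddress.IPv4Address)
    blocks = list(ipaddress.collapse_addresses(ipaddress.ip_network(h) for h in ordered))
    if len(blocks) == 1:
        b = blocks[0]
        return [f"access-list {acl} permit tcp {b.network_address} {b.netmask} "
                f"host {dst} eq {port}"]
    lines = [f"object-group network {group}"]
    lines += [f"  network-object host {h}" for h in ordered]
    lines.append(f"access-list {acl} permit tcp object-group {group} host {dst} eq {port}")
    return lines

if __name__ == "__main__":
    print("IOS 192.168.1.50 0.0.0.5 matches:",
          hosts_matched_by_wildcard("192.168.1.50", "0.0.0.5"))
    print("PIX 192.168.1.50 0.0.0.10 pairs?", pix_pair_ok("192.168.1.50", "0.0.0.10"))
    print("PIX 192.168.1.48 255.255.255.248 covers:",
          hosts_matched_by_subnet("192.168.1.48", "255.255.255.248"))
    wanted = [f"192.168.1.{n}" for n in range(50, 55)]   # the five hosts asked about
    print("\n".join(pix_acl_for_hosts(wanted)))
```

The collapse step uses the standard library's `ipaddress.collapse_addresses`, so the /29 from the accepted solution falls out automatically when all eight addresses 48 to 55 are acceptable; for exactly 50 to 54 it returns more than one block and the object-group form is emitted instead.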
