02-10-2018 07:38 AM - edited 03-05-2019 09:54 AM
Hi Guys,
I have a /16 network subnetted to /24 for each store. I need to allow access from the network host .253 of each /24 subnet to specific services on the DMZ (which resides on a Palo Alto), and I need one ACE entry in the access-list to permit the .253 from each /24 subnet.
Mother subnet: 10.184.0.0/16
Store 1: 10.184.0.0/24
Store 2: 10.184.1.0/24
.
.
.
Your help is much appreciated.
Many thanks.
Said
02-10-2018 08:34 AM
Think this would work:
!
access-list 1 permit 10.184.0.253 0.0.255.0
!
It is a simple source based ACL, but the mask gives you the idea.
Hope this helps
Regards
02-10-2018 08:37 AM
As you are asking on a Cisco forum, I expect that you don't want to control that traffic on the PA firewall, but on a device in front of it? What kind of device is that?
If it is an IOS router:
permit ip 10.184.0.253 0.0.255.0 DESTINATION
If it is on an ASA:
permit ip 10.184.0.253 255.255.0.255 DESTINATION
02-10-2018 11:16 AM
Brilliant stuff, many thanks, tested and it is working.
Can I ask you to explain how it works, please? How did you come up with the access-list?
02-10-2018 01:34 PM
In binary terms, when you create a mask, the ones are a must match, the zeros mean it doesn't matter. So for example:
If the 192.168.1.X network has a mask of 255.255.255.0, and 255 in binary is 11111111, then the mask in binary is 11111111 11111111 11111111 00000000. Meaning 192.168.1 is a must match, but the host (4th octet) can be anything from 1 - 255.
In the Cisco world access lists use reverse masks. So the reverse mask in an access list to designate the entire 192.168.1.1-255 subnet would be 0.0.0.255, or 00000000 00000000 00000000 11111111.
In your case you wanted to have the 1st, 2nd and 4th octets remain the same with the 3rd octet being variable, so 10.184.0.253 0.0.255.0 is 00000000 00000000 11111111 00000000.
Hope that makes sense.
Below is a Cisco link that may prove helpful.
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
Regards
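To make the bit-level logic above concrete, here is an added Python example (not code from any poster in this thread): it applies an IOS wildcard mask to constructed sample source addresses, prints the mask in the binary form used in the explanation, and derives the equivalent ASA-style mask mentioned in the earlier reply.

```python
import ipaddress

def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Return True if addr matches the IOS ACE 'ace_addr wildcard'.
    Wildcard bit 0 = the address bit must match; bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(ace_addr))
    wc = int(ipaddress.IPv4Address(wildcard))
    care = (~wc) & 0xFFFFFFFF          # bits the ACE actually checks
    return (a & care) == (base & care)

def wildcard_to_asa_mask(wildcard: str) -> str:
    """IOS wildcard -> ASA-style mask (ASA uses normal masks): bitwise complement."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))

def to_binary(dotted: str) -> str:
    """Render a dotted quad as four 8-bit groups, as in the explanation above."""
    return " ".join(format(int(octet), "08b") for octet in dotted.split("."))

# Constructed sample sources: the .253 host from several stores, plus
# traffic that the single ACE must NOT match.
SAMPLE_SOURCES = [
    "10.184.0.253", "10.184.1.253", "10.184.255.253",   # .253 in any /24 -> permit
    "10.184.1.254", "10.184.1.1",                       # other hosts in a store -> no match
    "10.185.1.253",                                     # .253 but outside 10.184.0.0/16
]

def evaluate_ace(sources=SAMPLE_SOURCES, ace_addr="10.184.0.253", wildcard="0.0.255.0"):
    """Map each source address to whether the ACE from the thread matches it."""
    return {src: wildcard_match(src, ace_addr, wildcard) for src in sources}

if __name__ == "__main__":
    print("wildcard 0.0.255.0 =", to_binary("0.0.255.0"))
    print("ASA-style mask     =", wildcard_to_asa_mask("0.0.255.0"))
    for src, matched in evaluate_ace().items():
        print(f"{src:16} {'permit' if matched else 'no match'}")
```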
02-11-2018 05:46 AM
Much appreciated and I really do mean it.
Bless you.