11-18-2022 05:25 PM - last edited on 11-21-2022 01:00 AM by Translator
Hello Cisco, I'm trying to create a named extended ACL, but I'm struggling to actually get the function working. I'm trying to input IP addresses into the list, but for reasons unknown it only takes in a single IP address and inputs said IP address incorrectly.
The command I'm running is:
permit ip 193.168.45.12 0.0.0.255 193.168.46.144 0.0.0.63
But what's outputting when I check show access-list:
10 permit ip 193.168.45.0 0.0.0.255 193.168.46.128 0.0.0.63
Is there some reason for this? Am I inputting the command wrong? If I add different IPs it does the same thing and scrambles it around as well:
Command:
Router(config-ext-nacl)#permit ip 193.168.45.12 0.0.0.255 193.168.46.182 0.0.0.6
output:
20 permit ip 193.168.45.0 0.0.0.255 193.168.46.128 0.0.0.63
Assistance would be greatly appreciated.
11-18-2022 08:23 PM
This is normal ACL behavior. The structure is a network ID (IPs) and a wildcard mask. An ACL uses a wildcard mask, also called an inverse mask, to indicate a network, a range of IPs, or an exact IP. A wildcard of 0 means exact match, whereas a wildcard of 255 means any or "I don't care". Example from the link below: 255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask). The goal of the wildcard is to tell what to select in the network part of the ACL structure. To get the wildcard from a mask, you simply subtract the mask value from 255. Mask 224 comes with a range of 32 IPs and the wildcard is 31; a range of 4 IPs is mask 252, wildcard 3, etc.
You entered 193.168.45.12 0.0.0.255, meaning "I don't care what IP is in the last octet", so you got a class C network with mask /24 and a range of 193.168.45.1 - 193.168.45.255. Any IP that falls into that range is used by the ACL (permit or deny).
If you want the exact IP of 193.168.45.12, you must use 0.0.0.0, i.e. 193.168.45.12 0.0.0.0
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#anc13
Also, you can find videos with explanations of ACLs and the inverse mask or wildcard on YouTube.
Regards, ML
**Please Rate All Helpful Responses **
11-18-2022 11:18 PM
I agree with @Martin L that the issue is the difference between the address that you specify and the mask that you specify. If you use the mask 0.0.0.255 it indicates that the first 3 octets must match and anything in the fourth octet is acceptable. So in your ACL 193.168.45 must match. You try to specify .12 in the fourth octet, but IOS says this does not matter and substitutes .0. This is normal IOS behavior.
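As an added illustration of the two answers above (example code, not from the thread or from Cisco): the Python below reproduces what IOS does with an address/wildcard pair (clear every bit the wildcard marks as "don't care"), converts a subnet mask to its wildcard, and shows which addresses an entry actually selects. The addresses are the ones from the question; the function names are my own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def normalize_ace(addr: str, wildcard: str) -> str:
    """Address IOS stores for `addr wildcard`: every bit under a wildcard 1 is cleared."""
    return _to_str(_to_int(addr) & ~_to_int(wildcard))


def matches(ip: str, addr: str, wildcard: str) -> bool:
    """True if `ip` is selected by the entry `addr wildcard` (only wildcard-0 bits are compared)."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(ip) & care) == (_to_int(addr) & care)


def wildcard_from_mask(mask: str) -> str:
    """Inverse of a subnet mask, e.g. 255.255.255.224 -> 0.0.0.31."""
    return _to_str(~_to_int(mask))


def ace_range(addr: str, wildcard: str) -> tuple[str, str]:
    """First and last address an entry covers; only defined for a contiguous wildcard."""
    w = _to_int(wildcard)
    if (w + 1) & w:  # low-order ones are contiguous exactly when w+1 is a power of two
        raise ValueError("non-contiguous wildcard; the entry is not a single block")
    base = _to_int(addr) & ~w
    return _to_str(base), _to_str(base | w)


if __name__ == "__main__":
    # Constructed sample: the two entries typed in the question
    for a, w in [("193.168.45.12", "0.0.0.255"), ("193.168.46.144", "0.0.0.63")]:
        print(f"{a} {w} -> stored as {normalize_ace(a, w)} {w}, covers {ace_range(a, w)}")
```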
11-19-2022 02:30 AM
Normal. I use an online subnet calculator and it gives me the same as the router shows in the output.