Extended ACL taking in wrong IP address

Hello Cisco, I'm trying to create a named extended ACL, but I'm struggling to actually get the function working. I'm trying to input IP addresses into the list, but for reasons unknown it only takes in a single IP address and inputs said IP address incorrectly.

The command I'm running is: 

permit ip 193.168.45.12 0.0.0.255 193.168.46.144 0.0.0.63


But what's outputting when I check show access-list:

10 permit ip 193.168.45.0 0.0.0.255 193.168.46.128 0.0.0.63


Is there some reason for this? Am I inputting the command wrong? If I add different IPs it does the same thing and scrambles them around as well:

Command: 

Router(config-ext-nacl)#permit ip 193.168.45.12 0.0.0.255 193.168.46.182 0.0.0.6

Output:

20 permit ip 193.168.45.0 0.0.0.255 193.168.46.128 0.0.0.63

Assistance would be greatly appreciated.

Accepted Solution

Martin L
VIP

This is normal ACL behavior. The structure is network ID (IP) and wildcard mask. ACLs use a wildcard mask, also called an inverse mask, to indicate a network, a range of IPs, or an exact IP. A wildcard of 0 means exact match, whereas a wildcard of 255 means any, or "I don't care". Example from the link below: 255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask). The goal of the wildcard is to tell what to select in the network part of the ACL structure. To get the wildcard from the mask, you simply subtract the mask value from 255. Mask 224 comes with a range of 32 IPs and the wildcard is 31; a range of 4 IPs is mask 252, wildcard 3, etc.

You entered 193.168.45.12 0.0.0.255, meaning "I don't care what IP is in the last octet", so you got a class C network with mask /24 and a range of 193.168.45.1 - 193.168.45.255. Any IP that falls into that range is used by the ACL (permit or deny).

If you want the exact IP 193.168.45.12, you must use 0.0.0.0, that is, 193.168.45.12 0.0.0.0

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#anc13

Also, find videos with explanations of ACLs and the inverse mask or wildcard on YouTube.

Regards, ML
**Please Rate All Helpful Responses**


3 Replies


I agree with @Martin L that the issue is the difference between the address that you specify and the mask that you specify. If you use the mask 0.0.0.255, it indicates that the first 3 octets must match and anything in the fourth octet is acceptable. So in your ACL 193.168.45 must match. You try to specify .12 in the fourth octet, but IOS says this does not matter and substitutes .0. This is normal IOS behavior.

HTH

Rick
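The wildcard-mask behaviour that both answers above describe can be checked offline. The following Python script is an added example, not code from the original thread or from Cisco; it models the normalization IOS performs (clearing every address bit that the wildcard marks as "don't care"), derives a wildcard from a subnet mask, reports the host range an entry covers, and applies the same bit test a router uses when matching a packet. The addresses are the ones from the question; the function names are this example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """32-bit integer back to a dotted-quad string."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def mask_to_wildcard(subnet_mask: str) -> str:
    """Subnet mask to wildcard (inverse) mask, e.g. 255.255.255.224 -> 0.0.0.31.
    Flipping every bit is the same as the '255 minus octet' rule from the answer."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def normalize_ace(address: str, wildcard: str) -> str:
    """Address IOS stores for 'address wildcard'.
    A 1 bit in the wildcard means "don't care", so the matching address bit is
    cleared; this is why 193.168.45.12 0.0.0.255 is shown as 193.168.45.0 0.0.0.255."""
    return _to_dotted(_to_int(address) & ~_to_int(wildcard))


def ace_range(address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address covered by an entry with a contiguous wildcard."""
    wc = _to_int(wildcard)
    if wc & (wc + 1):
        # e.g. 0.0.0.6 sets bits 1 and 2 but not bit 0: the entry matches hosts
        # scattered across the octet, not one contiguous block
        raise ValueError(f"wildcard {wildcard} is non-contiguous; no single range")
    base = _to_int(normalize_ace(address, wildcard))
    return _to_dotted(base), _to_dotted(base | wc)


def ace_matches(address: str, wildcard: str, packet_ip: str) -> bool:
    """The router's actual test: compare only the bits the wildcard marks as 'care'."""
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(address) & care) == (_to_int(packet_ip) & care)


def render_ace(seq: int, action: str, proto: str,
               src: str, src_wc: str, dst: str, dst_wc: str) -> str:
    """Reproduce the line 'show access-lists' prints for a source/destination entry."""
    return (f"{seq} {action} {proto} {normalize_ace(src, src_wc)} {src_wc} "
            f"{normalize_ace(dst, dst_wc)} {dst_wc}")


if __name__ == "__main__":
    # The command from the question, rendered the way IOS displays it
    print(render_ace(10, "permit", "ip",
                     "193.168.45.12", "0.0.0.255", "193.168.46.144", "0.0.0.63"))
    # Which hosts the destination half really covers
    print(ace_range("193.168.46.144", "0.0.0.63"))
    # A host the author probably did not intend to permit, but the entry does
    print(ace_matches("193.168.45.12", "0.0.0.255", "193.168.45.200"))
    # The exact-host form from the accepted answer
    print(ace_matches("193.168.45.12", "0.0.0.0", "193.168.45.13"))
```

Running the script reproduces the router's `10 permit ip 193.168.45.0 0.0.0.255 193.168.46.128 0.0.0.63` line. The practical point for an ACL review is that the displayed entry, not the typed one, is what is enforced: a wildcard wider than intended silently widens the permit, so comparing `show access-lists` output against the host list you meant to allow is the check to make after every edit.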

Normal. I use an online subnet calculator and it gives me the same as the router shows in the output.
