12-30-2011 01:25 AM - edited 03-04-2019 02:46 PM
Hello, I am moving from a PIX 515E to a 2951 router with the firewall feature set.
I've begun to move the ACLs that were in the PIX. However, some of the rules are allowed to
be typed in, but when I look at the ACL afterwards they are not what I typed in.
For instance, I can type in
access-list 115 permit udp any 192.x.85.168 255.255.255.248 eq domain log
But when I look at the rule I see that it states the following.
access-list 115 permit tcp any 0.0.0.0 255.255.255.248 eq www log
access-list 115 permit tcp any 0.0.0.0 255.255.255.248 eq domain log
access-list 115 permit udp any 0.0.0.0 255.255.255.248 eq domain log
The ACL is on the "external" interface of the router, but the actual subnet lies on another interface (DMZ).
The external interface has NAT outside on it, since there are private subnets on other interfaces.
The DMZ network, however, is on public IPs, so there is no mention of NAT on that interface.
Could anyone please advise on what I'm doing wrong? I am pondering whether it has anything to do with NAT, or with the subnet configuration in the ACL.
Message was edited by: Gustav Uhlander
12-30-2011 02:51 AM
You should use a wildcard mask while configuring ACLs on routers/switches.
Your statement:
access-list 115 permit tcp any 192.x.85.168 255.255.255.248 eq www log
Should be
access-list 115 permit tcp any 192.168.85.168 0.0.0.7 eq www log
Thanks
Ajay
12-30-2011 02:51 AM
Hello,
Router ACLs use wildcard masks instead of subnet masks. Try replacing 255.255.255.248 with 0.0.0.7 on the router.
hth
MS
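The two answers above explain the fix; the following added example (not posted by anyone in the thread) shows why IOS rewrote the typed address to 0.0.0.0, how wide the resulting rule actually is, and how to convert PIX-style netmasks to IOS wildcards. The address 192.0.2.168 is a constructed stand-in for the redacted 192.x.85.168.

```python
"""Added example, not from the thread: why an IOS ACE typed with a subnet
mask is stored as 0.0.0.0, and a checker that rewrites such lines.
192.0.2.168 is a constructed stand-in for the redacted 192.x.85.168."""
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def subnet_to_wildcard(mask: str) -> str:
    """255.255.255.248 -> 0.0.0.7: the IOS wildcard is the bitwise inverse."""
    return to_dotted(to_int(mask) ^ ALL_ONES)

def looks_like_subnet_mask(mask: str) -> bool:
    """True for contiguous leading 1s (a PIX-style netmask), excluding the
    ambiguous 0.0.0.0 and 255.255.255.255."""
    m = to_int(mask)
    inv = m ^ ALL_ONES
    return 0 < m < ALL_ONES and (inv & (inv + 1)) == 0

def ios_normalize(address: str, wildcard: str) -> str:
    """IOS keeps only the bits the wildcard marks significant (0 bits);
    bits under a 1 in the wildcard are zeroed when the ACE is written back."""
    return to_dotted(to_int(address) & (to_int(wildcard) ^ ALL_ONES))

def ace_matches(address: str, wildcard: str, candidate: str) -> bool:
    """A packet address matches if it agrees with the ACE on every 0 bit."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(candidate) & care) == (to_int(address) & care)

ACE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def fix_ace(line: str) -> str:
    """Rewrite every 'addr netmask' pair in an ACE to 'addr wildcard'."""
    def repl(m: re.Match) -> str:
        addr, mask = m.group(1), m.group(2)
        if looks_like_subnet_mask(mask):
            return f"{addr} {subnet_to_wildcard(mask)}"
        return m.group(0)
    return ACE_RE.sub(repl, line)

if __name__ == "__main__":
    typed = "access-list 115 permit udp any 192.0.2.168 255.255.255.248 eq domain log"
    print("typed:     ", typed)
    print("IOS stores:", ios_normalize("192.0.2.168", "255.255.255.248"), "255.255.255.248")
    print("fixed:     ", fix_ace(typed))
```

With 255.255.255.248 read as a wildcard, only the low three bits are checked, so the stored rule admits any destination whose last octet is a multiple of 8, which is far broader than the intended /29.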