
How to specify target host in Access-list on 1700 router

devehf (Level 1)

I want to be able to specify the target host on an access list, and when I try to enter the IP and subnet mask I get a weird result. This is on a 1700 router. I type: access-list 100 permit tcp any XXX.XXX.XXX.XXX 255.255.255.248 eq smtp, where XXX.XXX.XXX.XXX is a public IP of a virtual email server on my inside.

I get:

access-list 100 permit tcp any 0.0.0.2 255.255.255.248 eq smtp

Why does XXX.XXX.XXX.XXX get interpreted as 0.0.0.2?

Thanks,

Dave

Accepted Solution

Dave,

The address got converted to 0.0.0.2 because you used a subnet mask (255.255.255.248) where you should have used a wildcard mask (0.0.0.7).

Regardless of what the network portion of the address was, when the router sees "255" in any position in the wildcard mask, it interprets that as "it really doesn't matter what number is in this part of the IP address". So it corrects your notation and replaces that part of the IP address with the placeholder "0".

The fact that it put a ".2" at the end of the address indicates that the binary pattern of whatever XXX.XXX.XXX.XXX was ended in "010". The last octet was one of the numbers in this sequence: .2, .10, .18, ... (increments of 8), .114, or .122. The "248" in the last part of your wildcard mask told the router "it doesn't matter what number's here, as long as the last three binary bits match". The router just simplified the last .XXX you entered to the smallest number that had a matching binary pattern; in this case it was ".2".

Something to remember: Use subnet masks for static routes and interface addressing; and wildcard masks for ACLs.

The easiest way to calculate the wildcard mask you want, if you're used to seeing things in subnet mask format, is to subtract the subnet mask from 255.255.255.255. For example:

 255.255.255.255
-255.255.255.248 (subnet mask)
--------------------------------
   0.0.0.7       (wildcard mask)

If you want to specify a single host address rather than a masked range of addresses, use the notation "host XXX.XXX.XXX.XXX". If you use the notation "XXX.XXX.XXX.XXX 0.0.0.0" where 0.0.0.0 is the wildcard mask, the router will convert it to "host XXX.XXX.XXX.XXX". (Go ahead, try it and see.)

Similarly, if you want to specify all host addresses, use "any" as you have already done; or you can try "0.0.0.0 255.255.255.255" and the router will convert it to "any" for you. (Try this one too.)

Check out the useful IP Subnet Calculator download at http://www.Boson.com -- it's free:

Wildcard Mask Checker & Decimal-to-IP Calculator

A neat little utility to check what your wildcard mask actually matches, and it converts from decimal to IP address format.

http://www.boson.com/promo/utilities.htm

Hope this helps.


6 Replies

bigbhai (Level 1)

Hi,

This is there with all the latest IOS, and this is nothing but wildcard masking and nothing to worry about; it is the reverse of the IP address you will be mentioning.

Regards

Network Consultant.

tltee (Level 1)

Not sure about how the address got converted. But if you want to specify a 255.255.255.248 netmask, you need to key in 0.0.0.7, as ACLs use wildcard masks.

0.0.0.7 = 00000000.00000000.00000000.00000111

which tells the router to match all the address bits that have 0s and ignore those that have 1s.

E.g., 10.1.1.1 255.255.255.0 smtp will be like

access-list 100 permit tcp any 10.1.1.1 0.0.0.255 eq smtp
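The normalization the accepted solution and tltee's reply describe (clearing "don't care" bits, collapsing 0.0.0.0 to "host" and 255.255.255.255 to "any") and the resulting match behaviour, as an added Python example that is not from the thread or from Cisco; the function names and the 203.0.113.10 stand-in for XXX.XXX.XXX.XXX are my own constructed values.

```python
# Added example (not from the thread): models how IOS rewrites an ACL
# address/wildcard pair and which hosts the entry then matches.
# 203.0.113.10 is a constructed stand-in for the poster's server address.
import ipaddress


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask: same as 255.255.255.255 minus the mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def normalize_acl_address(addr: str, wildcard: str) -> str:
    """Return the pair the way the router writes it into the running config.

    A wildcard bit of 1 means "don't care", so those address bits are cleared.
    0.0.0.0 collapses to 'host A.B.C.D'; 255.255.255.255 collapses to 'any'.
    """
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if w == 0:
        return f"host {addr}"
    if w == 0xFFFFFFFF:
        return "any"
    return f"{ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)} {wildcard}"


def acl_matches(entry_addr: str, wildcard: str, host: str) -> bool:
    """True if host is covered by the entry: every 'care' bit must be equal."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    h = int(ipaddress.IPv4Address(host))
    return ((a ^ h) & ~w & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    server = "203.0.113.10"  # constructed value
    # The mistake in the question: a subnet mask typed where a wildcard belongs.
    print(normalize_acl_address(server, "255.255.255.248"))  # 0.0.0.2 255.255.255.248
    # The intended entry, using the inverted mask.
    wc = subnet_to_wildcard("255.255.255.248")                # 0.0.0.7
    print(normalize_acl_address(server, wc))                  # 203.0.113.8 0.0.0.7
    print(normalize_acl_address(server, "0.0.0.0"))           # host 203.0.113.10
    print(normalize_acl_address("0.0.0.0", "255.255.255.255"))  # any
    # Why the typo matters: the rewritten entry permits SMTP to every address
    # whose last three bits are 010, anywhere, instead of only the intended /29.
    for h in ("203.0.113.10", "198.51.100.18", "198.51.100.19"):
        print(h, acl_matches("0.0.0.2", "255.255.255.248", h))  # True True False
```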


OK, I am going into the office to give it a go. Thanks much for your very lucid description of wildcard masks; it makes sense.

I got an unexpected result. The last octet got changed to the lowest decimal value in the range (244-231). The Boson calculator helped me see what was going on.

And now I see that if I just enter the specific IP and specify the wildcard as 0.0.0.0, the router changes it to host XXX.XXX.XXX.XXX.

Thanks much!