ASA ACL and SUBNET MASKING

Unanswered Question
Apr 23rd, 2007

Retiring subnet 172.16.24.x 255.255.252.0 in phases, moving devices to 172.17.24.0 255.255.252.0. Current phase - move Messaging server devices. Senior stating that the currently proposed command set for the move does not make sense in terms of subnet masks for the given ACLs. I am not understanding, given the existing config appears to utilize the same subnet mask. I submitted the below change outline based upon the existing config that is in the attachment. Any thoughts?


section (names)

name 172.17.24.126 chints1
name 172.17.24.127 chints2
name 172.17.24.134 chiapp1

section (access-list acl-dmz1)

command set to be used

access-list acl-dmz1 linenumber extended deny tcp host nantsgw4 172.17.0.0 255.240.0.0 eq www
access-list acl-dmz1 linenumber extended permit tcp host nantsgw4 172.17.0.0 255.240.0.0 eq lotusnotes
access-list acl-dmz1 linenumber extended deny tcp host chibry1 172.17.0.0 255.240.0.0 eq 3101
access-list acl-dmz1 linenumber extended deny tcp host chibry2 172.17.0.0 255.240.0.0 eq 3101

section (access-list acl-dmz4)

command set to be used

access-list acl-dmz4 extended permit tcp 172.16.0.0 255.240.0.0 172.17.0.0 255.240.0.0 object-group Permit-Inbound-Remote-Internal-TCP
access-list acl-dmz4 extended permit udp 172.16.0.0 255.240.0.0 172.17.0.0 255.240.0.0 object-group Permit-Inbound-Remote-Internal-UDP




Anonymous (not verified) Fri, 04/27/2007 - 10:34

I think you have to change the subnet mask from 255.240.0.0 to 255.255.0.0. This is the default subnet mask for a class B IP address.
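A check of the masks discussed in this thread, added here as an example and not code from either post: Python's standard ipaddress module works out what each address/mask pair in the proposed command set (and the 255.255.0.0 mask suggested in the reply) actually matches on the ASA, compared with the 172.17.24.0/22 the devices are moving to and the 172.16.24.0/22 being retired. The three address/mask pairs fed to it are taken from the thread; everything else is constructed.

```python
import ipaddress

# Constructed inputs taken from the thread: the /22 actually being migrated to,
# the /22 being retired, and the address/mask pairs as typed in the proposed ACL entries.
NEW_SUBNET = ipaddress.ip_network("172.17.24.0/22")   # 172.17.24.0 255.255.252.0
OLD_SUBNET = ipaddress.ip_network("172.16.24.0/22")   # 172.16.24.0 255.255.252.0

def effective_network(addr, mask):
    """What an ASA address/mask pair really matches.

    The ASA tests (packet & mask) == (addr & mask), so address bits that fall
    outside the mask are ignored: the entry matches addr & mask, not addr as typed.
    """
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def host_bits_set(addr, mask):
    """True when addr has bits set outside mask (the entry is not a clean network)."""
    return ipaddress.ip_address(addr) != effective_network(addr, mask).network_address

def overreach(addr, mask, intended=NEW_SUBNET):
    """Addresses matched beyond the intended subnet; None if it is not even covered."""
    net = effective_network(addr, mask)
    if not intended.subnet_of(net):
        return None
    return net.num_addresses - intended.num_addresses

def still_matches_retired(addr, mask, retired=OLD_SUBNET):
    """True if an entry meant for the new range also matches the subnet being retired."""
    return retired.subnet_of(effective_network(addr, mask))

def audit(addr, mask):
    """One-line report for a proposed address/mask pair."""
    net = effective_network(addr, mask)
    return (f"{addr} {mask} -> {net} ({net.network_address}-{net.broadcast_address}), "
            f"host bits set: {host_bits_set(addr, mask)}, "
            f"addresses beyond {NEW_SUBNET}: {overreach(addr, mask)}, "
            f"also matches retired {OLD_SUBNET}: {still_matches_retired(addr, mask)}")

if __name__ == "__main__":
    for pair in [("172.17.0.0", "255.240.0.0"),      # as typed in acl-dmz1 / acl-dmz4
                 ("172.17.0.0", "255.255.0.0"),      # mask suggested in the reply
                 ("172.17.24.0", "255.255.252.0")]:  # the /22 itself
        print(audit(*pair))
```

Run as-is it shows that 172.17.0.0 255.240.0.0 is really 172.16.0.0/12 (host bits set, over a million addresses, and it still matches the retired 172.16.24.0/22), that 255.255.0.0 narrows this to the whole 172.17.0.0/16, and that only the /22 mask limits the entry to the subnet being moved.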
