IOS to ASA ACL conversion

Answered Question
May 10th, 2007

Dear all,


I have this IOS ACL:

permit tcp any 172.16.32.64 0.3.255.31 eq www


that needs to be converted to an ASA ACL. How should I configure my firewall with the minimum number of lines within the ACL and/or object group?


I don't really want to define 700+ lines inside one network object group, and this is just one of the IOS ACLs that I need to convert.


Thanks in advance

Correct Answer by laurent.geyer about 10 years 1 month ago

Nevermind.

neospitz Sun, 05/13/2007 - 14:24

Well, if it really works like this, I would be really happy.


However, ASA does not seem to like wildcard masks, and I really have a hard time migrating IOS ACLs to PIX/ASA ACLs.


Cheers


Toby

syedumairali Tue, 02/24/2015 - 02:57

Hi Neospitz

 

Were you able to get the answer? I am also stuck in a similar situation, where we have hundreds of router ACLs with wildcard masks and I need to convert them to ASA subnet masks.

permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22

I receive the following error.

ERROR: IP address,mask <172.25.192.0,0.0.224.255> doesn't pair

Collin Clark Tue, 02/24/2015 - 05:06

A good text editor (I use UltraEdit) and regular expressions, and this can be converted in a snap.

syedumairali Tue, 02/24/2015 - 05:20

Thanks Collin for your reply. I am wondering how to convert the wildcard mask to a netmask using a text editor. I understand the theory would be to subtract from 255.255.255.255, but the question is how I can do it from a text editor. Let's say I have the following 5 lines which need to be converted to ASA format.

permit ip 172.24.16.0 0.7.225.255 any
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq www
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 443
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 5900

 

Collin Clark Tue, 02/24/2015 - 06:50

Search and replace should work too.

Find 0.7.255.255 and replace with 255.248.0.0
 

neospitz Mon, 03/09/2015 - 15:01

Wow, I cannot believe this thread is still alive.

 

@syedumairali, no, unfortunately I do not believe ASA supports non-contiguous subnets defined by IOS wildcard masks.

I ended up using a spreadsheet to build a list of networks that conform to the IOS wildcard mask, and then formatting them into ASA commands.

Thanks everyone for the contribution to this thread.

laurent.geyer Mon, 05/14/2007 - 07:53

That's a mighty strange network mask.


In IOS the netmasks are inverted, and going by what you posted, the mask would translate to 255.252.0.224.


I don't see how a router would even accept that network mask.

srue Mon, 05/14/2007 - 11:10

neospitz,

double check your IOS mask and repost.

neospitz Mon, 05/14/2007 - 14:41

Hi Srue


Actually the ACL should read as follows:

permit tcp any 172.16.0.64 0.3.255.31 eq www


It does not really matter if the 3rd octet of the IP address is 32 or 0, as the corresponding wildcard mask octet is 255, which means it matches from 0 to 255.


The ACL is correct, as this line was allowing access to the web service on addresses 64 - 95 within each Class C network by the IOS router.


I've also tried the subnet mask 255.252.0.224, but ASDM rejects this mask value. I was able to key it in under the CLI, but the firewall has trouble matching packets with this line.

laurent.geyer Tue, 05/15/2007 - 08:14

The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.


The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.


This would make the PIX/ASA access-list entry the following:


access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80


neospitz Tue, 05/15/2007 - 13:21

Hi Laurent,


My situation is that I am migrating router ACLs to ASA/PIX ACLs, where the wildcard mask 0.3.255.31 is completely valid under the router ACL command syntax. Any IOS after 11.0 should be able to read this wildcard mask.


I know I need to use "Subnet Mask" in PIX/ASA and this is where my question comes from. With ASA, if I use your ACL command:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80


I need to set it up as:

permit tcp any 172.16.0.64 255.255.255.224 eq 80

permit tcp any 172.16.1.64 255.255.255.224 eq 80

permit tcp any 172.16.2.64 255.255.255.224 eq 80

all the way to:

permit tcp any 172.19.255.64 255.255.255.224 eq 80


Whereas currently, using the router, one line kills them all:

permit tcp any 172.16.0.64 0.3.255.31 eq 80


I was thinking, rather than specifying all 1024 networks, or creating them under an object group, is there any simpler way to migrate this router ACL to ASA? I would think PIX/ASA are designed for traffic filtering and there must be a way to match a router wildcard mask.


Cheers



Kristian Alexan... Tue, 05/21/2013 - 02:50

laurent.geyer wrote:


The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.


The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.


This would make the PIX/ASA access-list entry the following:


access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80


It IS an invalid netmask, but it is valid as a wildcard mask. Wildcard masks do not have to be contiguous. For example, 172.16.32.64 0.3.255.31 will match 172.[16-19].[0-255].[64-95] with 1 single line.
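The expansion neospitz describes (one wildcard ACE becoming 1024 /27 entries), the text-editor conversion syedumairali asks about, and the wildcard semantics Kristian spells out above can all be automated. The following Python script is an added example for this thread, not code posted by any participant. It keeps a contiguous wildcard as a single subnet (0.7.255.255 becomes 255.248.0.0, as Collin's search-and-replace does) and expands a non-contiguous wildcard into exactly the set of subnets it matches, so the resulting ASA policy is neither wider nor narrower than the router's. The ACL name CONVERTED, the `a.b.c.d/N` destination form seen in the thread, and the `matches_wildcard`/`covered_by` helper names are assumptions; source-port specifications and trailing keywords such as `log` are not parsed.

```python
"""Expand IOS wildcard-mask ACEs into equivalent ASA extended ACEs (added example)."""
import ipaddress
from itertools import product
from typing import List, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True for a plain inverted netmask: one run of 1 bits at the low end (0.0.0.31, 0.7.255.255)."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


def matches_wildcard(addr: str, address: str, wildcard: str) -> bool:
    """The router's own test: every bit NOT set in the wildcard must equal the ACE address."""
    wild = _to_int(wildcard)
    return ((_to_int(addr) ^ _to_int(address)) & ~wild & 0xFFFFFFFF) == 0


def wildcard_to_networks(address: str, wildcard: str) -> List[ipaddress.IPv4Network]:
    """Sorted CIDR blocks whose union is exactly the set of addresses the wildcard ACE matches."""
    base, wild = _to_int(address), _to_int(wildcard)
    fixed = base & ~wild & 0xFFFFFFFF        # only the bits the ACE actually compares
    trailing = 0                              # length of the low-order run of 1 bits ...
    while trailing < 32 and (wild >> trailing) & 1:
        trailing += 1
    prefix = 32 - trailing                    # ... fixes the prefix length of every block
    free_bits = [i for i in range(trailing, 32) if (wild >> i) & 1]  # "don't care" bits above the run
    nets = []
    for choice in product((0, 1), repeat=len(free_bits)):   # one block per combination of free bits
        value = fixed
        for bit, on in zip(free_bits, choice):
            if on:
                value |= 1 << bit
        nets.append(ipaddress.IPv4Network((value, prefix)))
    return sorted(nets)


def covered_by(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """Cross-check: is addr inside one of the expanded blocks?"""
    return any(ipaddress.IPv4Address(addr) in n for n in nets)


def _asa_fmt(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def _parse_addr(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Consume one address spec starting at tokens[i]; return ASA address strings and next index."""
    tok = tokens[i]
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if "/" in tok:                            # a.b.c.d/N, as written in the thread (assumed form)
        return [_asa_fmt(ipaddress.IPv4Network(tok, strict=False))], i + 1
    nets = wildcard_to_networks(tok, tokens[i + 1])   # "address wildcard" pair
    return [_asa_fmt(n) for n in nets], i + 2


def ios_to_asa(line: str, acl_name: str = "CONVERTED") -> List[str]:
    """Convert one IOS ACE ('permit tcp SRC DST [eq PORT]') into equivalent ASA extended ACEs."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    srcs, i = _parse_addr(tokens, 2)
    dsts, i = _parse_addr(tokens, i)
    rest = " ".join(tokens[i:])               # e.g. "eq www"; the ASA accepts the same port keywords
    return [f"access-list {acl_name} extended {action} {proto} {s} {d} {rest}".rstrip()
            for s, d in product(srcs, dsts)]


if __name__ == "__main__":
    # ACEs taken from the thread above
    for ace in ("permit tcp any 172.16.32.64 0.3.255.31 eq www",
                "permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22",
                "permit ip 172.24.16.0 0.7.255.255 any"):
        out = ios_to_asa(ace, "OUTSIDE_IN")
        print(f"{ace!r} -> {len(out)} ASA line(s); first: {out[0]}")
```

Hand-inverting the mask (255.252.0.224) gives an entry the ASA cannot match correctly, and collapsing the range into one wider subnet would silently permit addresses the router blocked. Expanding to the exact blocks (which can then be loaded into a network object-group rather than 1024 separate ACEs) preserves the original policy, and `matches_wildcard` against a few sample addresses confirms the expansion agrees with the router's own matching rule before the converted list is applied.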
