05-10-2007 06:25 PM - edited 03-11-2019 03:12 AM
Dear all,
I have this IOS ACL:
permit tcp any 172.16.32.64 0.3.255.31 eq www
that needs to be converted to an ASA ACL. How should I configure my firewall with minimum numbers of lines within the ACL and/or object group?
I don't really want to define 700+ lines inside one network object group and this is just one of the IOS ACL that I need to convert.
Thanks in advance
Solved! Go to Solution.
05-14-2007 08:22 AM
Nevermind.
05-12-2007 01:40 PM
permit tcp any 172.16.32.64 0.3.255.31 eq www = 1 line, not 700.
*shrugs*
05-13-2007 02:24 PM
well, if it really works like this I would be really happy.
However ASA does not seem to like wildcard mask and I really have a hard time migrating IOS ACL to PIX/ASA ACLs.
Cheers
Toby
02-24-2015 02:57 AM
Hi Neospitz
Did you able to get the answer, I am also stuck into the similar situation where we have hundreds of router ACL with wildcard masks and I need to convert them to ASA subnet mask.
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22
I receive following error.
ERROR: IP address,mask <172.25.192.0,0.0.224.255> doesn't pair
02-24-2015 05:06 AM
A good text editor (I use Ultra Edit) and regular expressions and this can be converted in a snap.
02-24-2015 05:20 AM
Thanks Collin for you reply. I am wondering how to make the wild card mask to netmask using text editor. I understand the theory would be to subtract from 255.255.255.255 but question is how can i do it from a text editor. Lets say I have follwing 5 lines which need to convert to ASA format.
permit ip 172.24.16.0 0.7.225.255 any
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq www
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 443
permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 5900
02-24-2015 06:50 AM
Search and replace should work too.
Find 0.7.255.255 and replace with 255.248.0.0
03-09-2015 03:01 PM
Wow, I cannot believe this thread is still alive.
@syedumairali, no unfortunately I do not belive ASA support non-continuous subnets defined by IOS wildcard masks.
I ended up using spreadsheet to build a list of network that confirms to the IOS wildcard mask, and then format them into ASA commands.
Thanks everyone for the contribution to this thread.
05-14-2007 07:53 AM
That's a mighty strange network mask.
In IOS the netmasks are inverted and going by what you posted the mask would translate to 255.252.0.224.
I don't see how a router would even accept that network mask.
05-14-2007 08:22 AM
Nevermind.
05-14-2007 11:10 AM
neospitz,
double check your IOS mask and repost.
05-14-2007 02:41 PM
Hi Srue
Actually the ACL should read as follow:
permit tcp any 172.16.0.64 0.3.255.31 eq www
It does not really matter if the IP address of 3rd octet is 32 or 0 as the corresponding wildcard mask is 255 which means it matches from 0 to 255.
The ACL is correct as this line was allowing access to web service within each Class C network address 64 - 95 by the IOS router.
I've also tried the subnet mask 255.252.0.224 but ASDM reject this mask value. I was able to keyed it in under CLI but firewall has trouble matching packets with this line.
05-15-2007 08:14 AM
The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.
The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.
This would make the PIX/ASA access-list entry following:
access-list
05-15-2007 01:21 PM
Hi Laurent,
My situation is that I am migrating router ACL to ASA/PIX ACL, where wildcard mask 0.3.255.31 is completely valid under router ACL command syntex. Any IOS after 11.0 should be able to read this wildcard mask.
I know I need to use "Subnet Mask" in PIX/ASA and this is where my question comes from. With ASA, if I use your ACL command:
access-list
I need to set up as:
permit tcp any 172.16.0.64 255.255.255.224 eq 80
permit tcp any 172.16.1.64 255.255.255.224 eq 80
permit tcp any 172.16.2.64 255.255.255.224 eq 80
all the way to:
permit tcp any 172.19.255.64 255.255.255.224 eq 80
Whereas currently using router, one line kills them all:
permit tcp any 172.16.0.64 0.3.255.31 eq 80
I was thinking rather than specifying all 1024 network, or create them under object group, is there any simpler way to migrate this router ACL to ASA? I would think PIX/ASA are designed for traffic filtering and there must be a way to match router wildcard mask.
Cheers
05-21-2013 02:50 AM
laurent.geyer wrote:
The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.
The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.
This would make the PIX/ASA access-list entry following:
access-list
permit tcp any 172.16.0.64 255.255.255.224 eq 80
It IS an invalid netmask, but it is valid as a wildcard mask. Wildcard masks does not have to be
contiguous. For example, 172.16.32.64 0.3.255.31 will match 172.[16-19].[0-255].[64-95] with 1 single line.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: