cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4458
Views
0
Helpful
14
Replies

IOS to ASA ACL conversion

neospitz
Level 1
Level 1

Dear all,

I have this IOS ACL:

permit tcp any 172.16.32.64 0.3.255.31 eq www

that needs to be converted to an ASA ACL. How should I configure my firewall with minimum numbers of lines within the ACL and/or object group?

I don't really want to define 700+ lines inside one network object group and this is just one of the IOS ACL that I need to convert.

Thanks in advance

1 Accepted Solution

Accepted Solutions

laurent.geyer
Level 1
Level 1
14 Replies 14

joshua.walton
Level 1
Level 1

permit tcp any 172.16.32.64 0.3.255.31 eq www = 1 line, not 700.

*shrugs*

well, if it really works like this I would be really happy.

However ASA does not seem to like wildcard mask and I really have a hard time migrating IOS ACL to PIX/ASA ACLs.

Cheers

Toby

Hi Neospitz

 

Did you able to get the answer, I am also stuck into the similar situation where we have hundreds of router ACL with wildcard masks and I need to convert them to ASA subnet mask. 

permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22

I receive following error.

ERROR: IP address,mask <172.25.192.0,0.0.224.255> doesn't pair

A good text editor (I use Ultra Edit) and regular expressions and this can be converted in a snap.

Thanks Collin for you reply. I am wondering how to make the wild card mask to netmask using text editor. I understand the theory would be to subtract from 255.255.255.255 but question is how can i do it from a text editor. Lets say I have follwing 5 lines which need to convert to ASA format.

 permit ip   172.24.16.0   0.7.225.255 any
 permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 22
 permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq www

 permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 443
 permit tcp 172.25.192.0 0.0.224.255 172.19.31.2/32 eq 5900

 

Search and replace should work too.

Find 0.7.255.255 and replace with 255.248.0.0
 

Wow, I cannot believe this thread is still alive.

 

@syedumairali, no unfortunately I do not belive ASA support non-continuous subnets defined by IOS wildcard masks.

I ended up using spreadsheet to build a list of network that confirms to the IOS wildcard mask, and then format them into ASA commands.

Thanks everyone for the contribution to this thread.

laurent.geyer
Level 1
Level 1

That's a mighty strange network mask.

In IOS the netmasks are inverted and going by what you posted the mask would translate to 255.252.0.224.

I don't see how a router would even accept that network mask.

laurent.geyer
Level 1
Level 1

Nevermind.

neospitz,

double check your IOS mask and repost.

Hi Srue

Actually the ACL should read as follow:

permit tcp any 172.16.0.64 0.3.255.31 eq www

It does not really matter if the IP address of 3rd octet is 32 or 0 as the corresponding wildcard mask is 255 which means it matches from 0 to 255.

The ACL is correct as this line was allowing access to web service within each Class C network address 64 - 95 by the IOS router.

I've also tried the subnet mask 255.252.0.224 but ASDM reject this mask value. I was able to keyed it in under CLI but firewall has trouble matching packets with this line.

The simple fact of the matter is that you have an invalid netmask. What I am curious about is what version of IOS you're running that parses that (imho) broken wildcard mask.

The correct mask for specifying the addresses 172.16.0.64 through 172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or 172.16.0.64/27 in CIDR form.

This would make the PIX/ASA access-list entry following:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80

Hi Laurent,

My situation is that I am migrating router ACL to ASA/PIX ACL, where wildcard mask 0.3.255.31 is completely valid under router ACL command syntex. Any IOS after 11.0 should be able to read this wildcard mask.

I know I need to use "Subnet Mask" in PIX/ASA and this is where my question comes from. With ASA, if I use your ACL command:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80

I need to set up as:

permit tcp any 172.16.0.64 255.255.255.224 eq 80

permit tcp any 172.16.1.64 255.255.255.224 eq 80

permit tcp any 172.16.2.64 255.255.255.224 eq 80

all the way to:

permit tcp any 172.19.255.64 255.255.255.224 eq 80

Whereas currently using router, one line kills them all:

permit tcp any 172.16.0.64 0.3.255.31 eq 80

I was thinking rather than specifying all 1024 network, or create them under object group, is there any simpler way to migrate this router ACL to ASA? I would think PIX/ASA are designed for traffic filtering and there must be a way to match router wildcard mask.

Cheers

laurent.geyer wrote:

The simple fact of the matter is that you have an invalid netmask.  What I am curious about is what version of IOS you're running that  parses that (imho) broken wildcard mask.

The  correct mask for specifying the addresses 172.16.0.64 through  172.16.0.95 would be 255.255.255.224 (0.0.0.31 wildcard) or  172.16.0.64/27 in CIDR form.

This would make the PIX/ASA access-list entry following:

access-list permit tcp any 172.16.0.64 255.255.255.224 eq 80


It IS an invalid netmask, but it is valid as a wildcard mask. Wildcard masks does not have to be

contiguous. For example, 172.16.32.64 0.3.255.31 will match 172.[16-19].[0-255].[64-95] with 1 single line.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: