Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
478
Views
5
Helpful
4
Replies

Firewall rule help

mic.adrian
Level 1
Level 1

‎02-25-2008 08:43 AM - edited ‎03-11-2019 05:08 AM

Hi,

I'm pretty new on using Cisco routers, the guy that was in charge of this left and I'm supposed to take care of our Cisco 2811.

I'm trying to add a rule that allows unrestricted access from the whole subnet 192.168.0.0 /255.255.0.0 to certain range of IPs for example: 65.110.162.168 /29 (255.255.255.248)

I'm using Cisco SDM for this.

I'm able to add the rule and apply changes, but after I do an " Write to startup config" the rules changes automatically to a different IP, like this 1.0.0.0 or 5.0.0.0 and the subnet remains unchanged.

The rule looks like this:

Source: A Network = 192.168.0.0

Wildcard mask = 0.0.255.255

Destination: A Network = 65.110.162.168

Wildcard mask = 248.255.255.255

Protocol and Service: TCP

I have no idea what is happening and I would appreciate your help on this.

Thanks in advance.

Adrian

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎02-25-2008 10:00 AM

Adrian

Are you entering the wildcard mask of 248.255.255.255 ? or is that what the SDM is entering for you.

If it is you that is an incorrect wildcard mask. It needs to be

0.0.0.7

HTH

Jon

0 Helpful

mic.adrian
Level 1
Level 1
In response to Jon Marshall

‎02-25-2008 10:51 AM

I'm entering the wildcard mask. Why it should be 0.0.0.7? I'll have to create multiple rules that have different kinds of masks....so I need to understand why is like that.....

Thank you for your answer....

Adrian

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to mic.adrian

‎02-25-2008 11:01 AM

Adrian

Routers use inverse masks in access-lists so

192.168.0.0 subnet mask = 255.255.0.0

Subnet mask means the first 2 octets must match ie. 192.168.

The 3rd and 4th octet can be anything.

65.110.162.168 subnet mask 255.255.255.248

1st, 2nd, 3rd octect must match and only the last 3 bits in the last octet will change ie.

128 64 32 16 8 4 2 1

1 1 1 1 1 0 0 0 = 248

Last 3 bits ie. 4 + 2 + 1 = 7

Now an inverse mask is just the opposite of a subnet mask so

192.168.0.0 255.255.0.0 =

192.168.0.0 0.0.255.255

That one is easy because you just change 0 to 255 and 255 to 0

65.110.162.168 255.255.255.248 =

65.110.162.168 0.0.0.7 (7 because of the explanation above).

Now if that has totally confused you here is a quick way to do it

Whenever you see 255 change it to 0 and vice-versa.

Then

256 = 248 = 8 - 1 = 7

so 255.255.255.248 = 0.0.0.7

In the same way a subnet mask of 255.255.255.192 =

256 - 192 - 1 = 63 so inverse mask =

0.0.0.63

HTH

Jon

mic.adrian
Level 1
Level 1
In response to Jon Marshall

‎02-25-2008 11:07 AM

Thanks a lot.....that makes sense for me.

Adrian

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card