Strange Access-list !!

Unanswered Question
Apr 11th, 2008

Hi all, I have 2 routers connected via a serial link, RA and RB. RA has a PC in its LAN with IP 10.1.1.30/24, RB has a PC with IP 10.2.1.30/24. Now I am deploying a very SIMPLE site-to-site VPN with this access-list on both sides:

access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255

Now I think that it should work, but it didn't. I want to know why. When traffic originates from 10.1.1.30, doesn't it match 10.0.0.30 0.255.255.0? Can someone clear my confusion?

thanks

mheusing Fri, 04/11/2008 - 03:33

Hi,

The ACL "access-list 111 permit ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255" will allow all hosts with 10.x.y.30 to any IPv4 address in 10.0.0.0/8. As such it is somewhat unusual, but correct.

To have maximum control one would rather use

access-list 111 permit ip host 10.1.1.30 host 10.2.1.30

access-list 111 permit ip host 10.2.1.30 host 10.1.1.30

This would only allow your two PCs to exchange traffic.

Regarding your problem: it will be helpful to post your IPSec configuration, as the problem might be somewhere else. Did you check, if the tunnel comes up?

Hope this helps! Please use the rating system.

Regards, Martin

Hi Martin

Well, that just blows everything I thought I knew (through CCNA studies) right out of the water.

I always thought that the wild card mask was the inverse of the subnet mask.

i.e.

subnet mask 255.255.255.0 -or- 11111111.11111111.11111111.00000000

Wildcard mask 0.0.0.244 -or- 00000000.00000000.00000000.11111111

Now it appears that you can create wildcard masks any way you like and there is no structure to adhere to.

Is there some book that I can read up on this use of wildcard masks?

Best Regards,

Michael

illusion_rox Fri, 04/11/2008 - 07:28

Dear Michael, there is a misconception that wildcards are strictly the inverse of the subnet mask; you can check this by doing simple filtering with a simple access-list. Now, regarding what I want to do, it is as follows:

I am trying to deploy GET VPN in my environment. I have 100 branches country-wide, and each branch has a server whose traffic needs to be encrypted. Now, this is common to every server IP: 10.x.x.30, e.g. 10.1.2.30, 10.1.3.30, 10.102.78.30. The access-list cannot be defined on the group members, so I want to create an access-list on a key server that just permits the traffic sourced from my servers (10.x.x.30) and destined to any 10.0.0.0 network (10.0.0.0 0.255.255.255). I hope you guys now get an idea of what I am trying to achieve. But before that, I tried testing this access-list with a simple site-to-site VPN and it didn't work. I don't get it: this statement is correct, 10.0.0.30 0.255.255.0, so why is it not working?

Anybody?

Richard Burts Fri, 04/11/2008 - 07:45

Michael

It is a common understanding but not really correct that wildcard masks are always the inverse of subnet masks. If you change always to usually then the statement is correct. The wildcard mask is usually the inverse of the subnet mask but it is not always.

A key difference is that subnet masks have a requirement that the binary 1s and 0s be contiguous. So a subnet mask of 255.0.0.255 is invalid. But its inverse 0.255.255.0 is quite valid.

In a lot of access lists we want to permit or deny particular subnets and so the wildcard mask that we use is the inverse of the subnet mask. But sometimes we want the access list to match on things that are not particular subnets (like match on any host equal to 30 in the class A network 10).

HTH

Rick
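
As an added example (not code from this thread), the Python below applies the matching rule Rick describes: each wildcard bit that is 0 must match the base address, each 1 bit is ignored, and there is no contiguity requirement. It checks the thread's access-list 111 against the two PCs' traffic and shows that the inverse of 0.255.255.0 is not a usable subnet mask; the sample flows are constructed from the addresses in the thread.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard rule: a 0 bit in the wildcard must equal the base,
    a 1 bit is 'don't care'. Nothing requires the bits to be contiguous."""
    care = (~_to_int(wildcard)) & MASK32
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_inverse(wildcard: str) -> str:
    """Bitwise inverse of a wildcard, i.e. what its 'subnet mask' would be."""
    return str(ipaddress.IPv4Address((~_to_int(wildcard)) & MASK32))


def is_valid_subnet_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1s followed by 0s, so its
    inverse must look like 2^k - 1 (no gaps between the set bits)."""
    zeros = (~_to_int(mask)) & MASK32
    return zeros & (zeros + 1) == 0


def acl_111_permits(src: str, dst: str) -> bool:
    """The single ACE from the thread:
    access-list 111 permit ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255"""
    return (wildcard_match(src, "10.0.0.30", "0.255.255.0")
            and wildcard_match(dst, "10.0.0.0", "0.255.255.255"))


if __name__ == "__main__":
    # Constructed sample flows using the addresses mentioned in the thread.
    flows = [("10.1.1.30", "10.2.1.30"),     # RA's PC to RB's PC
             ("10.2.1.30", "10.1.1.30"),     # the return direction
             ("10.102.78.30", "10.1.2.30"),  # two GET VPN branch servers
             ("10.1.1.31", "10.2.1.30")]     # last octet is not 30: denied
    for src, dst in flows:
        print(f"{src:>13} -> {dst:<11} permit={acl_111_permits(src, dst)}")
    for wc in ("0.0.0.255", "0.255.255.0"):
        inv = wildcard_inverse(wc)
        print(f"wildcard {wc:<12} inverse {inv:<16} "
              f"valid subnet mask={is_valid_subnet_mask(inv)}")
```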

illusion_rox Fri, 04/11/2008 - 07:36

Dear Martin, my ISAKMP tunnel comes up. I have done this configuration hundreds of times; the only difference today was the access-list, and even then the tunnel came up, that is, show crypto isakmp sa showed me idle in the connected state, which means that the tunnel is up. OK, I am posting my actual configuration, please check it at your end:

RA connected via serial 2/0 to RB serial 2/0

crypto isakmp key cisco123 address 11.x.x.2
crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 2
 hash md5
crypto ipsec transform-set aset esp-des esp-md5-hmac
access-list 111 permit ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255
crypto map my 10 ipsec-isakmp
 match address 111
 set peer 11.x.x.2
 set transform-set aset
interface Serial2/0
 ip address 11.x.x.1 255.0.0.0
 crypto map my

Now you know the other side's configuration: an exact replica.

Can you kindly check it at your end?

Thanks
