Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
0
Helpful
6
Replies

Strange Access-list !!

illusion_rox
Level 1
Level 1

‎04-11-2008 03:01 AM - edited ‎03-05-2019 10:20 PM

Hi all, i have 2 routers connected via serial link, RA and RB, RA has a pc in its lan with IP 10.1.1.30/24, RB has a pc with IP 10.2.1.30/24, now i am deploying a very SIMPLE site to site vpn with this access-list on both side,

access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255, now i think that it should work but it didnt, i want to know why is that ??? when a traffic originates from 10.1.1.30 doesnt it match 10.0.0.30 0.255.255.0 ??, can some1 clear my confusion ?

thanks

Labels:
0 Helpful
6 Replies 6

keeleym
Level 5
Level 5

‎04-11-2008 03:16 AM

Hi There

Is the wild card mask you are using correct or is this a typing error.

Are you sure that 0.255.255.0 is a valid wildcard mask? I have never seen a wildcard mask like this.

Can I ask what you wish to achieve with the access list you are applying?

Best Regards,

Michael

0 Helpful

mheusing
Cisco Employee
Cisco Employee

‎04-11-2008 03:33 AM

Hi,

The ACL "access-list 111 permit ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255" will allow all hosts with 10.x.y.30 to any IPv4 address in 10.0.0.0/8. As such it is somewhat unusual, but correct.

To have maximum control one would rather use

access-list 111 permit ip host 10.1.1.30 host 10.2.1.30

access-list 111 permit ip host 10.2.1.30 host 10.1.1.30

This would only allow your two PCs to exchange traffic.

Regarding your problem: it will be helpful to post your IPSec configuration, as the problem might be somewhere else. Did you check, if the tunnel comes up?

Hope this helps! Please use the rating system.

Regards, Martin

0 Helpful

keeleym
Level 5
Level 5
In response to mheusing

‎04-11-2008 04:14 AM

Hi Martin

Well that just blows everyting I thought I knew (through CCNA studies) right out of the water.

I always thought that the wild card mask was the inverse of the subnet mask.

i.e.

subnet mask 255.255.255.0 -or- 11111111.11111111.11111111.00000000

Wildcard mask 0.0.0.244 -or- 00000000.00000000.00000000.11111111

Now it appears that you can create wildcard masks anyway you like adn there is no structure to adhere to.

Is there some book that I can read up on this use of wildcard masks.

Best Regards,

Michael

0 Helpful

illusion_rox
Level 1
Level 1
In response to keeleym

‎04-11-2008 07:28 AM

Dear Michael, there is a misconception that wildcard are strictly the inverse of subnet mask, you can check this by using simple filtering using simple access-list, now regarding as what i want to do is as follows

I am trying to deploy GET VPN in my environment, i have 100 branches country wide and each branch has a server which traffic needs to be encrypted, now this is common in every server IP, 10.x.x.30, eg. 10.1.2.30, 10.1.3.30, 10.102.78.30, now the access-list cannot be defined on the group members so i want to create an access-list on a key server that just permits the traffic sourced from my server ( 10.x.x.30 ) and destined to any 10.0.0.0 network ( 10.0.0.0 0.255.255.255 ), i hope you guys now get an idea what i am trying to achieve, but before that i tried testing this access-list with a simple site to site vpn but it didnt work, i didnt get it, this statement is correct 10.0.0.30 0.255.255.0 then why its not working ???

Any body ??

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to keeleym

‎04-11-2008 07:45 AM

Michael

It is a common understanding but not really correct that wildcard masks are always the inverse of subnet masks. If you change always to usually then the statement is correct. The wildcard mask is usually the inverse of the subnet mask but it is not always.

A key difference is that subnet masks have a requirement that the binary 1s and 0s be contiguous. So a subnet mask of 255.0.0.255 is invalid. But its inverse 0.255.255.0 is quite valid.

In a lot of access lists we want to permit or deny particular subnets and so the wildcard mask that we use is the inverse of the subnet mask. But sometimes we want the access list to match on things that are not particular subnets (like match on any host equal to 30 in the class A network 10).

HTH

Rick

HTH

Rick
0 Helpful

illusion_rox
Level 1
Level 1
In response to mheusing

‎04-11-2008 07:36 AM

Dear Martin, my isakmp tunnel comes up, i have done this configuration a 100 of times, the only difference today was the access-list and even then also tunnel came up, that is show crypto isakmp sa showed me idle in the connected which mean that tunnel is up, ok i am posting my actual configuration plz check it at your end,

RA connected via serial 2/0 to RB serial 2/0

Crypto isakmp key cisco123 address 11.x.x.2

crypto isakmp policy 10

authentication pre-share

encryption des

group 2

hash md5

crypto ipsec transform-set aset esp-des esp-md5-hmac

access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255

crypto map my 10 ipsec-isakmp

match address 111

set peer 11.x.x.2

set transform-set aset

interface se 2/0

ip address 11.x.x.1 255.0.0.0

crypto map my

now you know the other side configuration exact replica

can you kindly check it at your end

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card