03-26-2009 10:32 AM - edited 03-10-2019 04:24 PM
Hi, I have a requirement to set up a DACL on Cisco ACS that will prevent all types of traffic to a bunch of servers located in different subnets. They all have a common 4th octet address of .46,
e.g. 10.2.3.46, 10.45.2.46, 192.168.10.46... I hate to enter a line for each and every server.
I would appreciate it if someone could suggest a correct combination of host IP and subnet mask that will prevent all types of access to these servers in any subnet. The servers have a common 4th octet of 46.
Thanks
03-26-2009 12:24 PM
What device are you downloading ACLs to?
03-26-2009 01:02 PM
ASA 5520
03-27-2009 03:28 PM
I'm not in my lab right now, but try creating your ACL with syntax like the following:
...permit/deny ip 0.0.0.46 0.0.0.255 any
...or however you wanted to. I don't remember if it's IOS or PIX/ASA, or both, that support this type of ACL, but it's worth a shot to see if it even accepts the ACE.
03-30-2009 09:45 AM
To enable wildcard usage within the ASA I had to enter the following:
aaa-server RADIUS_SERVER protocol radius
acl-netmask-convert wildcard
Then, I had to check every DACL and make sure this change would not have "weird" issues with existing DACLs. After testing and a bit of reconfiguration, all works OK.
Thanks
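The thread turns on how an address/mask pair is interpreted: IOS-style wildcard masks treat a 0 bit as "must match", while the PIX/ASA netmask convention treats a 1 bit as "must match", and the ASA's `acl-netmask-convert` setting decides which convention it applies to masks arriving in a downloaded ACL. The script below is an added example (not code from the thread or from Cisco) that evaluates a non-contiguous mask under both conventions, so you can see which pair actually selects every host whose last octet is 46 before pushing the DACL. The host list and the `fourth_octet_pair` helper are constructed for illustration.

```python
"""Evaluate a non-contiguous ACL mask under the two mask conventions an ASA can apply.

Added example (not from the thread). The sample host list is constructed.
"""
import ipaddress
from typing import List, Tuple


def _ip(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_addr: str, ace_mask: str, host: str, semantics: str) -> bool:
    """Return True if `host` matches the ACE's address/mask pair.

    semantics="wildcard": IOS convention, a 0 bit in the mask means the bit is compared.
    semantics="netmask":  PIX/ASA convention, a 1 bit in the mask means the bit is compared.
    """
    if semantics == "wildcard":
        care = ~_ip(ace_mask) & 0xFFFFFFFF
    elif semantics == "netmask":
        care = _ip(ace_mask)
    else:
        raise ValueError(f"unknown mask semantics: {semantics!r}")
    return (_ip(ace_addr) & care) == (_ip(host) & care)


def fourth_octet_pair(octet: int, semantics: str) -> Tuple[str, str]:
    """Hypothetical helper: address/mask pair selecting every host whose last octet == `octet`.

    The mask is non-contiguous, so its spelling flips between the two conventions.
    """
    if semantics not in ("wildcard", "netmask"):
        raise ValueError(f"unknown mask semantics: {semantics!r}")
    if not 0 <= octet <= 255:
        raise ValueError("octet out of range")
    address = f"0.0.0.{octet}"
    # wildcard: first three octets are don't-care (255), last octet must match (0)
    # netmask:  first three octets are ignored (0), last octet is compared (255)
    mask = "255.255.255.0" if semantics == "wildcard" else "0.0.0.255"
    return address, mask


def matching_hosts(ace_addr: str, ace_mask: str, semantics: str, hosts: List[str]) -> List[str]:
    """Subset of `hosts` that the ACE selects under the given convention."""
    return [h for h in hosts if ace_matches(ace_addr, ace_mask, h, semantics)]


# Constructed sample: the three .46 servers from the thread plus a few non-.46 hosts.
SAMPLE_HOSTS = [
    "10.2.3.46", "10.45.2.46", "192.168.10.46",   # should be selected
    "10.2.3.47", "172.16.5.200", "0.0.0.46",      # only the last one has a .46 suffix
]

if __name__ == "__main__":
    pair = ("0.0.0.46", "0.0.0.255")   # the pair suggested in the thread
    for semantics in ("netmask", "wildcard"):
        print(f"{pair} read as {semantics:8s}: {matching_hosts(*pair, semantics, SAMPLE_HOSTS)}")
    for semantics in ("netmask", "wildcard"):
        addr, mask = fourth_octet_pair(46, semantics)
        print(f"{semantics:8s} spelling for .46 hosts: {addr} {mask} -> "
              f"{matching_hosts(addr, mask, semantics, SAMPLE_HOSTS)}")
```

Running it shows that `0.0.0.46 0.0.0.255` selects all the .46 hosts only when the mask is read as a netmask; once the ASA is told that downloaded ACLs carry wildcard masks (the `acl-netmask-convert wildcard` line above), the same intent has to be written `0.0.0.46 255.255.255.0`, and the old spelling would match nothing but `0.0.0.46`. Checking every existing DACL against the new convention, as the last post describes, is exactly the step this kind of script can automate.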