Access Lists - PIX501 & 506

Unanswered Question
Sep 23rd, 2009

I currently have the following access list in my Cisco PIX 501 & 506s:

access-list nonat permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0

I want to change the 2 entries associated with 192.168.0.0 so that I can have just one entry to allow access to 192.168.0.0, 192.168.1.0 - 192.168.132.0. That way I don't have to enter 132 entries.

I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list, from the 192.168.1.0 network).

FYI:

I need access-list for following networks

192.168.0.0 (whole network: 192.168.0.0 - 192.168.132.0)

10.10.0.0 (whole network)

10.107.0.0 (whole network)

10.108.0.0 (whole network)

10.109.0.0 (whole network)

10.110.0.0 (this one is working fine)

10.111.0.0 (whole network)

10.112.0.0 (whole network)

Thanks in advance.

acomiskey Wed, 09/23/2009 - 12:23

"I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list (from the 192.168.1.0 network)."

What is "the site"? 192.168.53.0?

Shouldn't have a problem doing this...

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0

and on the other end...

access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0

access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0

naveen_b81 Thu, 09/24/2009 - 01:24

192.168.0.0 255.255.0.0 should work. If it is not working, check your logs. It might not necessarily be getting blocked by the access-list; it might also not be working due to spoofing, routing, NAT or other issues.

sadam.kherisat Thu, 09/24/2009 - 02:00

Dear,

Try using the object-group command, like the following:

ciscoasa(config)# object-group network MYNETWORK

ciscoasa(config-network)# network-object 192.168.0.0 255.255.0.0

ciscoasa(config)# access-list us_HQ permit ip 192.168.53.0 255.255.255.0 object-group MYNETWORK

Regards,
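To see how much tighter than a blanket 255.255.0.0 the summary in acomiskey's reply can be made, and how the same policy reads in the object-group form from sadam.kherisat's reply, here is a worked example added to this thread; it is not code from any of the posters or from Cisco. It assumes the PIX 6.x mask-style ACE syntax used above (subnet mask, not an IOS wildcard), keeps the thread's ACL name us_HQ, and the group name HQ_NETS, the 10.107-10.112 range and the sample host addresses are assumptions or constructed from the question.

```python
import ipaddress
from typing import List

# Constructed from the question: the LAN behind the PIX, and the remote
# ranges the poster needs to reach.
LOCAL_NET = ipaddress.ip_network("192.168.53.0/24")


def summarize_range(start_ip: str, end_ip: str) -> List[ipaddress.IPv4Network]:
    """Fewest CIDR blocks that exactly cover start_ip..end_ip (no extra hosts).

    192.168.0.0..192.168.132.255 needs three ACEs, not 133 and not a /16.
    """
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    return list(ipaddress.summarize_address_range(start, end))


def pix_ace(acl: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    # PIX/ASA ACLs take a subnet mask (255.255.128.0), not an IOS wildcard mask.
    return (f"access-list {acl} permit ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def build_acl(acl: str, local, remotes) -> List[str]:
    """One ACE per summary block, local LAN as source (this PIX's side)."""
    return [pix_ace(acl, local, r) for r in remotes]


def build_mirror_acl(acl: str, local, remotes) -> List[str]:
    """The matching ACEs for the other end: remote blocks as source."""
    return [pix_ace(acl, r, local) for r in remotes]


def build_object_group_acl(acl: str, group: str, local, remotes) -> List[str]:
    """Same policy with an object-group: members listed once, a single ACE."""
    lines = [f"object-group network {group}"]
    lines += [f" network-object {r.network_address} {r.netmask}" for r in remotes]
    lines.append(f"access-list {acl} permit ip {local.network_address} "
                 f"{local.netmask} object-group {group}")
    return lines


def ace_matches(ace: str, src_ip: str, dst_ip: str) -> bool:
    # Parses only the "access-list NAME permit ip SRC MASK DST MASK" shape used
    # in this thread; ipaddress accepts the dotted mask after the slash.
    p = ace.split()
    src_net = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
    dst_net = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


def acl_permits(aces: List[str], src_ip: str, dst_ip: str) -> bool:
    """First matching permit wins; nothing matched means the implicit deny."""
    return any(ace_matches(a, src_ip, dst_ip) for a in aces)


def blocks_overlapping_local(local, remotes) -> List[ipaddress.IPv4Network]:
    """Summary blocks that also contain the local LAN; flag these before committing."""
    return [r for r in remotes if r.overlaps(local)]


if __name__ == "__main__":
    hq = summarize_range("192.168.0.0", "192.168.132.255")
    for line in build_acl("us_HQ", LOCAL_NET, hq):
        print(line)
    print("--- other end ---")
    for line in build_mirror_acl("us_HQ", LOCAL_NET, hq):
        print(line)
    print("--- object-group form ---")
    for line in build_object_group_acl("us_HQ", "HQ_NETS", LOCAL_NET, hq):
        print(line)
    print("--- 10.107.0.0 .. 10.112.255.255 ---")
    for net in summarize_range("10.107.0.0", "10.112.255.255"):
        print(net)
    print("overlaps local LAN:", blocks_overlapping_local(LOCAL_NET, hq))
```

Run it and the 133 /24s collapse to 192.168.0.0/17, 192.168.128.0/22 and 192.168.132.0/24, while 10.107.0.0 through 10.112.0.0 collapse to 10.107.0.0/16, 10.108.0.0/14 and 10.112.0.0/16. The match checker lets you confirm that a host in 192.168.133.0 is denied by the summarized list but permitted by the 255.255.0.0 entry, which is the least-privilege argument for the longer list. The overlap check reports that 192.168.0.0/17 contains 192.168.53.0/24 itself; the thread does not say why the /16 failed, so treat that only as one thing to rule in or out against the logs, as naveen_b81 suggests.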
