Access Lists - PIX501 & 506

Unanswered Question
Sep 23rd, 2009

I currently have the following access list in my Cisco PIX 501 & 506s:


access-list nonat permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0


I want to change the 2 entries associated with 192.168.0.0 so that I can have just one entry to allow access to 192.168.0.0, 192.168.1.0 - 192.168.132.0. That way I don't have to enter 132 entries.


I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list from the 192.168.1.0 network).


FYI:

I need access-lists for the following networks:

192.168.0.0 (whole network: 192.168.0.0 - 192.168.132.0)
10.10.0.0 (whole network)
10.107.0.0 (whole network)
10.108.0.0 (whole network)
10.109.0.0 (whole network)
10.110.0.0 (this one is working fine)
10.111.0.0 (whole network)
10.112.0.0 (whole network)


Thanks in advance.

acomiskey Wed, 09/23/2009 - 12:23

"I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list (from the 192.168.1.0 network)."


What is "the site"? 192.168.53.0?


Shouldn't have a problem doing this...


access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0


and on the other end...


access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
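
A small added check, not from this thread, that evaluates the poster's us_HQ entries with PIX semantics (real subnet masks rather than IOS wildcard masks, first match wins, implicit deny at the end). It shows which 192.168.N.0/24 destinations the original pair of /24 entries misses, that the single 192.168.0.0 255.255.0.0 entry covers 0 through 132, and that the far end's crypto ACL must be the mirror image, as described above. The local lists are copied from the post; the remote list and the sample host addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample data: the posted us_HQ list, the same list with the two
# 192.168.x.0/24 entries collapsed to a /16, and the mirror the remote peer needs.
ORIGINAL_US_HQ = [
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0",
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0",
]
COLLAPSED_US_HQ = ORIGINAL_US_HQ[:2] + [
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0",
]
REMOTE_US_HQ = [
    "access-list us_HQ permit ip 10.10.0.0 255.255.0.0 192.168.53.0 255.255.255.0",
    "access-list us_HQ permit ip 10.110.0.0 255.255.0.0 192.168.53.0 255.255.255.0",
    "access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0",
]

def _net(addr, mask):
    net = IPv4Network((addr, mask))  # strict: host bits under the mask must be zero
    if str(net.netmask) != mask:     # ipaddress also accepts wildcard masks; PIX does not
        raise ValueError(f"{mask} is not a subnet mask")
    return net

def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC SMASK DST DMASK'."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    return f[1], f[2], _net(f[4], f[5]), _net(f[6], f[7])

def permits(acl_lines, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for line in acl_lines:
        _, action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action == "permit"
    return False

def uncovered_subnets(acl_lines, src_ip, first, last):
    """Third octets N in [first, last] for which 192.168.N.0/24 is not reachable."""
    return [n for n in range(first, last + 1)
            if not permits(acl_lines, src_ip, f"192.168.{n}.1")]

def mirrors(local_lines, remote_lines):
    """True when the remote crypto ACL is the exact mirror image of the local one."""
    local = {(s, d) for _, _, s, d in map(parse_ace, local_lines)}
    remote = {(d, s) for _, _, s, d in map(parse_ace, remote_lines)}
    return local == remote
```

Running `uncovered_subnets(ORIGINAL_US_HQ, "192.168.53.10", 0, 132)` lists the 131 subnets the posted entries never reach, while the collapsed list returns none; `mirrors` is the check to run against the other end before blaming the access-list.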


naveen_b81 Thu, 09/24/2009 - 01:24
192.168.0.0 255.255.0.0 should work. IF it is not working, check your logs. It might not necessarily be getting blocked by the access-list, it might also not be working due to spoofing, routing, NAT or other issues.

sadam.kherisat Thu, 09/24/2009 - 02:00
Dear,

try to use the object-group command, like the following:


ciscoasa(config)# object-group network MYNETWORK
ciscoasa(config-network)# network-object 192.168.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 object-group MYNETWORK


Regards,

