Access Lists - PIX501 & 506

readymixed1
Level 1

I currently have the following access list in my Cisco PIX 501 & 506s:

access-list nonat permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0

I want to change the 2 entries associated with 192.168.0.0 so that I can have just one entry to allow access to 192.168.0.0, 192.168.1.0 - 192.168.132.0. That way I don't have to enter 132 entries.

I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list from the 192.168.1.0 network).

FYI:

I need an access-list for the following networks:

192.168.0.0 (whole network: 192.168.0.0 - 192.168.132.0)

10.10.0.0 (whole network)

10.107.0.0 (whole network)

10.108.0.0 (whole network)

10.109.0.0 (whole network)

10.110.0.0 (this one is working fine)

10.111.0.0 (whole network)

10.112.0.0 (whole network)

Thanks in advance.

3 Replies

acomiskey
Level 10

"I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list (from the 192.168.1.0 network)."

What is "the site"? 192.168.53.0?

Shouldn't have a problem doing this...

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0

and on the other end...

access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0

access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
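The summarization suggested above can be checked offline with a small ACE matcher. This is an added example, not code from the thread or from Cisco; it assumes PIX 6.x ACE syntax (real subnet masks, not wildcards, first match wins, implicit deny at the end) and uses a constructed source host 192.168.53.10.

```python
# Added example: check whether one /16 entry subsumes the two /24 entries from the thread.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK' (PIX 6.x style)."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    # ipaddress accepts a dotted subnet mask after the slash; strict=False tolerates host bits.
    src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
    dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
    return Ace(f[1], f[2], src, dst)


def first_match(aces: Iterable[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First ACE whose src and dst both contain the pair, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a in aces if s in a.src and d in a.dst), None)


def is_subsumed(narrow: Ace, wide: Ace) -> bool:
    """True if every pair matched by `narrow` is matched, with the same action, by `wide`."""
    return (narrow.action == wide.action
            and narrow.src.subnet_of(wide.src) and narrow.dst.subnet_of(wide.dst))


# The two /24 entries from the original post and the single /16 replacement.
ORIGINAL: List[Ace] = [parse_ace(l) for l in (
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0",
)]
SUMMARY = parse_ace("access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0")


def summary_covers_original() -> bool:
    return all(is_subsumed(a, SUMMARY) for a in ORIGINAL)


def reachable_third_octets(acl: List[Ace], octets: Iterable[int]) -> List[int]:
    """Which 192.168.X.0 networks a constructed host 192.168.53.10 may reach under `acl`."""
    return [x for x in octets if first_match(acl, "192.168.53.10", f"192.168.{x}.1")]
```

Note that the /16 also matches 192.168.133.0 through 192.168.255.0, so it grants more than the 0 - 132 range the question asks for; if that matters, the reachable set is easy to inspect with `reachable_third_octets`.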

naveen_b81
Level 1

192.168.0.0 255.255.0.0 should work. If it is not working, check your logs. It might not necessarily be getting blocked by the access-list; it might also not be working due to spoofing, routing, NAT or other issues.

sadam.kherisat
Level 1

Dear,

try to use the object-group command, like the following:

ciscoasa(config)# object-group network MYNETWORK

ciscoasa(config-network)#network-object 192.168.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 object-group MYNETWORK

Regards,
