09-23-2009 12:07 PM - edited 03-11-2019 09:19 AM
I currently have the following access list in my Cisco PIX 501 & 506s:
access-list nonat permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0
I want to change the 2 entries associated with 192.168.0.0 so that I can have just one entry that allows access to 192.168.0.0, 192.168.1.0 - 192.168.132.0. That way I don't have to enter 132 entries.
I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that, I was unable to access the site with that access list from the 192.168.1.0 network).
FYI:
I need access-list for following networks
192.168.0.0 (whole network: 192.168.0.0 - 192.168.132.0)
10.10.0.0 (whole network)
10.107.0.0 (whole network)
10.108.0.0 (whole network)
10.109.0.0 (whole network)
10.110.0.0 (this one is working fine)
10.111.0.0 (whole network)
10.112.0.0 (whole network)
Thanks in advance.
09-23-2009 12:23 PM
"I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that, I was unable to access the site with that access list from the 192.168.1.0 network)."
What is "the site"? 192.168.53.0?
Shouldn't have a problem doing this...
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0
and on the other end...
access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
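An added example (not from this thread or from Cisco) that shows, with Python's standard ipaddress module, what the 255.255.0.0 summary entry proposed above actually covers. PIX and ASA access-list entries take an ordinary subnet mask rather than an IOS-style wildcard mask, so the check below uses netmask semantics. The range 192.168.0.0 - 192.168.132.255 and the sample addresses are constructed for the example; it also goes slightly beyond the thread by computing the minimal set of CIDR blocks for the 10.107.0.0 - 10.112.0.0 networks from the original post.

```python
"""Check what a PIX-style 'access-list ... permit ip SRC SMASK DST DMASK'
entry covers. Added example, not code from the thread or from Cisco."""
import ipaddress


def acl_entry_matches(src_ip, dst_ip, src_net, src_mask, dst_net, dst_mask):
    """True if the (src_ip, dst_ip) pair is matched by a PIX-style entry.
    The masks are subnet masks (255.255.0.0), as on PIX/ASA, not wildcards."""
    src = ipaddress.ip_network(f"{src_net}/{src_mask}", strict=False)
    dst = ipaddress.ip_network(f"{dst_net}/{dst_mask}", strict=False)
    return (ipaddress.ip_address(src_ip) in src
            and ipaddress.ip_address(dst_ip) in dst)


def summarize_range(first, last):
    """Minimal list of CIDR blocks that cover first..last inclusive.
    This is how many separate entries an exact match of the range needs."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def overpermitted(net, mask, first, last):
    """Number of addresses a single net/mask entry permits that lie
    outside first..last. Non-zero means the one-line summary is wider
    than the range the author actually needs to reach."""
    block = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    overlap_lo = max(int(block.network_address), lo)
    overlap_hi = min(int(block.broadcast_address), hi)
    overlap = max(0, overlap_hi - overlap_lo + 1)
    return block.num_addresses - overlap


if __name__ == "__main__":
    # Constructed sample: a host on 192.168.53.0/24 reaching 192.168.1.0/24
    # through the single 192.168.0.0 255.255.0.0 entry proposed in the thread.
    print(acl_entry_matches("192.168.53.10", "192.168.1.20",
                            "192.168.53.0", "255.255.255.0",
                            "192.168.0.0", "255.255.0.0"))
    # Exact coverage of 192.168.0.0 - 192.168.132.255 needs three blocks.
    print(summarize_range("192.168.0.0", "192.168.132.255"))
    # The /16 shortcut also permits 192.168.133.0 - 192.168.255.255.
    print(overpermitted("192.168.0.0", "255.255.0.0",
                        "192.168.0.0", "192.168.132.255"))
    # The 10.107 - 10.112 networks from the question collapse to three blocks.
    print(summarize_range("10.107.0.0", "10.112.255.255"))
```

The trade-off the thread is making is visible in the numbers: a single 255.255.0.0 entry is the simplest configuration, but it permits more than 31,000 destination addresses outside the stated 192.168.0.0 - 192.168.132.0 range, while an exact match costs three entries instead of 132. If the /16 entry really does break traffic from 192.168.1.0, the mask itself is not the reason; as the later replies note, the logs, routing and NAT configuration are where to look.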
09-24-2009 01:24 AM
192.168.0.0 255.255.0.0 should work. If it is not working, check your logs. It might not necessarily be getting blocked by the access-list; it might also not be working due to spoofing, routing, NAT or other issues.
09-24-2009 02:00 AM
Dear,
try to use the object-group command, like the following:
ciscoasa(config)# object-group network MYNETWORK
ciscoasa(config-network)# network-object 192.168.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 object-group MYNETWORK
Regards,