09-23-2009 12:07 PM - edited 03-11-2019 09:19 AM
I currently have the following access list in my Cisco PIX 501 & 506s:
access-list nonat permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0
I want to change the 2 entries associated with 192.168.0.0 so that I can have just one entry to allow access to 192.168.0.0, 192.168.1.0 - 192.168.132.0. That way I don't have to enter 132 entries.
I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list from the 192.168.1.0 network).
FYI:
I need access-lists for the following networks:
192.168.0.0 (whole network: 192.168.0.0 - 192.168.132.0)
10.10.0.0 (whole network)
10.107.0.0 (whole network)
10.108.0.0 (whole network)
10.109.0.0 (whole network)
10.110.0.0 (this one is working fine)
10.111.0.0 (whole network)
10.112.0.0 (whole network)
Thanks in advance.
09-23-2009 12:23 PM
"I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that I was unable to access the site with that access list from the 192.168.1.0 network)."
What is "the site"? 192.168.53.0?
Shouldn't have a problem doing this...
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0
and on the other end...
access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
09-24-2009 01:24 AM
192.168.0.0 255.255.0.0 should work. IF it is not working, check your logs. It might not necessarily be getting blocked by the access-list, it might also not be working due to spoofing, routing, NAT or other issues.
09-24-2009 02:00 AM
dear
try to use the object-group command, like the following
ciscoasa(config)# object-group network MYNETWORK
ciscoasa(config-network)# network-object 192.168.0.0 255.255.0.0
access-list us_HQ permit ip 192.168.53.0 255.255.255.0 object-group MYNETWORK
Regards,
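As an added example (not from any post in this thread), the snippet below uses Python's standard ipaddress module to compute the tightest set of network/mask entries that covers exactly the ranges from the question (192.168.0.0 - 192.168.132.0 and 10.107.0.0 - 10.112.0.0), renders them as PIX-style access-list lines, and counts how many extra addresses a single 192.168.0.0 255.255.0.0 entry would permit beyond what was asked for. The ACL name us_HQ and source 192.168.53.0/24 are taken from the thread.

```python
import ipaddress


def summarize_range(first_net: str, last_net: str, prefix: int = 24):
    """Minimal list of CIDR blocks covering every /prefix subnet from
    first_net through last_net inclusive (e.g. 192.168.0.0 .. 192.168.132.0)."""
    first = ipaddress.ip_network(f"{first_net}/{prefix}")
    last = ipaddress.ip_network(f"{last_net}/{prefix}")
    return list(ipaddress.summarize_address_range(first[0], last[-1]))


def to_pix_acl(acl_name: str, src: str, blocks) -> list:
    """Render PIX 6.x style lines: 'network mask' rather than CIDR or wildcard."""
    s = ipaddress.ip_network(src)
    return [
        f"access-list {acl_name} permit ip {s.network_address} {s.netmask} "
        f"{b.network_address} {b.netmask}"
        for b in blocks
    ]


def overmatch(loose: str, blocks) -> int:
    """Addresses permitted by one loose entry (e.g. 192.168.0.0/16) that are
    not inside the blocks actually required; 0 means the entry is exact."""
    loose_net = ipaddress.ip_network(loose)
    needed = sum(b.num_addresses for b in blocks if b.subnet_of(loose_net))
    return loose_net.num_addresses - needed


if __name__ == "__main__":
    # Ranges from the question; 192.168.x.0 are /24s, 10.x.0.0 are /16s.
    lan_blocks = summarize_range("192.168.0.0", "192.168.132.0", 24)
    wan_blocks = summarize_range("10.107.0.0", "10.112.0.0", 16)
    for line in to_pix_acl("us_HQ", "192.168.53.0/24", lan_blocks + wan_blocks):
        print(line)
    print("extra hosts opened by 192.168.0.0 255.255.0.0:",
          overmatch("192.168.0.0/16", lan_blocks))
```

The three 192.168 lines replace 133 individual /24 entries, and the overmatch count shows why a single 255.255.0.0 mask is broader than the stated requirement.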