Cisco Support Community
New Member

Access Lists - PIX501 & 506

I currently have the following access list in my Cisco PIX 501 & 506s:

access-list nonat permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 10.110.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.255.0

I want to change the 2 entries associated with 192.168.0.0 so that I can have just one entry to allow access to 192.168.0.0, 192.168.1.0 - 192.168.132.0. That way I don't have to enter 132 entries.

I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that, I was unable to access the site with that access list from the 192.168.1.0 network).

FYI:

I need access-list for following networks

192.168.0.0 (whole network: 192.168.0.0 - 192.168.132.0)

10.10.0.0 (whole network)

10.107.0.0 (whole network)

10.108.0.0 (whole network)

10.109.0.0 (whole network)

10.110.0.0 (this one is working fine)

10.111.0.0 (whole network)

10.112.0.0 (whole network)

Thanks in advance.

3 REPLIES
Green

Re: Access Lists - PIX501 & 506

"I tried 192.168.0.0 255.255.0.0 but it didn't work (once I entered that, I was unable to access the site with that access list from the 192.168.1.0 network)."

What is "the site"? 192.168.53.0?

Shouldn't have a problem doing this...

access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list us_HQ permit ip 192.168.53.0 255.255.255.0 192.168.0.0 255.255.0.0

and on the other end...

access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0

access-list us_HQ permit ip 192.168.0.0 255.255.0.0 192.168.53.0 255.255.255.0
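Added example, not part of the thread or of any Cisco tooling: a short Python script (standard library only) that takes the ranges listed in the question, works out the smallest set of blocks that covers them exactly, checks the single /16 proposed in the reply above, and renders the PIX access-list lines for both ends. It assumes PIX-style ACL syntax with ordinary netmasks (as in the posted lines) and that the remote ranges are exactly the ones the poster listed; the ACL names and the inside subnet are taken from the posts.

```python
import ipaddress

# Constructed from the thread: the PIX's own inside subnet and the remote
# ranges the poster listed (192.168.0.0 .. 192.168.132.0 as /24s, plus the
# 10.x /16s). These are the only inputs; nothing is read from a device.
LOCAL_NET = "192.168.53.0/24"
REQUIRED = (
    [f"192.168.{i}.0/24" for i in range(0, 133)]
    + [f"10.{n}.0.0/16" for n in (10, 107, 108, 109, 110, 111, 112)]
)


def summarize(cidrs):
    """Collapse CIDR strings into the smallest exact set of blocks (sorted)."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covers(candidates, required):
    """True when every required block lies inside at least one candidate."""
    cands = [ipaddress.IPv4Network(c) for c in candidates]
    return all(
        any(ipaddress.IPv4Network(r).subnet_of(c) for c in cands) for r in required
    )


def overlapping_local(candidates, local=LOCAL_NET):
    """Candidate blocks that also contain the firewall's own inside subnet."""
    loc = ipaddress.IPv4Network(local)
    return [c for c in candidates if loc.subnet_of(ipaddress.IPv4Network(c))]


def pix_acl_lines(name, src, dsts):
    """Render PIX access-list lines. PIX takes ordinary netmasks, not wildcards."""
    s = ipaddress.IPv4Network(src)
    lines = []
    for d in dsts:
        n = ipaddress.IPv4Network(d)
        lines.append(
            f"access-list {name} permit ip {s.network_address} {s.netmask} "
            f"{n.network_address} {n.netmask}"
        )
    return lines


def mirror_lines(name, src, dsts):
    """The matching lines for the far end: the same pairs with src and dst swapped."""
    return [line for d in dsts for line in pix_acl_lines(name, d, [src])]


if __name__ == "__main__":
    exact = summarize(REQUIRED)
    print(f"exact summary: {len(exact)} blocks instead of {len(REQUIRED)} lines")
    for line in pix_acl_lines("us_HQ", LOCAL_NET, exact):
        print(line)

    # The single /16 from the reply: one line, but it also matches
    # 192.168.133.0 - 192.168.255.0 and the inside subnet itself.
    wide = ["192.168.0.0/16"]
    print("\n/16 covers every 192.168.x range listed:", covers(wide, REQUIRED[:133]))
    print("/16 blocks that also contain", LOCAL_NET, ":", overlapping_local(wide))
    for line in pix_acl_lines("nonat", LOCAL_NET, wide):
        print(line)
    for line in mirror_lines("nonat", LOCAL_NET, wide):
        print("far end:", line)
```

Run as-is, the exact summary comes out as 7 blocks (192.168.0.0/17, 192.168.128.0/22, 192.168.132.0/24 for the 192.168 range, and 10.10.0.0/16, 10.107.0.0/16, 10.108.0.0/14, 10.112.0.0/16 for the 10.x networks), so the 132-line list is avoidable even without the wider /16. The /16 is the one-line option; the script flags that it also contains 192.168.53.0/24, which is worth knowing before putting it in a nonat or crypto ACL, and prints the mirrored lines the far-end PIX needs.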

New Member

Re: Access Lists - PIX501 & 506

192.168.0.0 255.255.0.0 should work. If it is not working, check your logs. It might not necessarily be getting blocked by the access-list; it might also not be working due to spoofing, routing, NAT or other issues.

New Member

Re: Access Lists - PIX501 & 506

Dear,

Try using the object-group command, like the following:

ciscoasa(config)# object-group network MYNETWORK

ciscoasa(config-network)#network-object 192.168.0.0 255.255.0.0

ciscoasa(config)# access-list us_HQ permit ip 192.168.53.0 255.255.255.0 object-group MYNETWORK

Regards,
